It has taken me a few days to wade through all the data and information in this year’s Verizon Data Breach Investigations Report, but I’ve finally found the time to read it all the way to the end. As always, the report is full of interesting statistics about breach and incident trends. While each section of the report offered valuable insights and information, I found the section on vulnerabilities most interesting. Not really surprising given CA Veracode’s area of focus.
The first stat that stands out is that web app attacks far outpace all other forms of attack. As the report's graph shows, application-layer breaches are hitting businesses. A separate study indicates that attacks on the application layer in general are growing by more than 25 percent annually (Akamai Q3 2015 State of the Internet - Security Report).
Yet, despite this large number of attacks against web applications, application security (AppSec) makes up only about 1% of security spend. According to Gartner, in 2015 organizations spent $86 billion securing networks and endpoints, but only $700 million securing applications. Perhaps this helps account for the significant increase in successful web app attacks. The application layer continues to grow, yet the amount of money invested in reducing this risk remains inadequate.
The report also calls out some eye-opening stats around finding and fixing disclosed vulnerabilities. We've been talking about this topic a lot recently, especially in relation to understanding your software component landscape. When a vulnerability is disclosed in an open source software component, most organizations find it difficult or impossible to locate every instance of that component across all their applications unless they already have a component inventory. Just ask Community Health: the healthcare organization was breached through the already-disclosed Heartbleed vulnerability. Despite its best efforts, the organization was not able to find all the instances of the OpenSSL component.
In addition, cybercriminals don't have to act immediately to exploit a known vulnerability. The Verizon report found that half of all exploitations take place between 10 and 100 days after the vulnerability is published, with the median around 30 days, meaning older vulnerabilities are still being targeted. It is also significant that the top 10 vulnerabilities account for 85 percent of successful attacks. In the end, it is crucial that enterprises have a plan for dealing with vulnerability disclosures. As the report points out, it seems logical to focus on the top 10 vulnerabilities, since they make up the majority of successful attacks. However, the remaining 15 percent of successful attacks is spread across over 900 CVEs that are also being "actively exploited in the wild," so those deserve attention as well.
Verizon recommends establishing “a process for vulnerability remediation that targets vulnerabilities that attackers are exploiting in the wild, followed by vulnerabilities with known exploits or proof-of-concept code.” This is consistent with our own advice.
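To make the two practices above concrete, here is an added illustration that is not code from the report or from Veracode: a component inventory you can query the moment an advisory lands, and a remediation queue ordered the way Verizon recommends (exploited in the wild first, then known exploit or proof-of-concept code, then everything else). The inventory, the version-string format (OpenSSL's major.minor.patch plus optional letter) and the two EXAMPLE-numbered advisories are constructed for the illustration; only Heartbleed's affected range (OpenSSL 1.0.1 through 1.0.1f, CVE-2014-0160) is real.

```python
import re
from dataclasses import dataclass

# Component inventory: application -> bundled third-party components.
# Constructed sample data; without a list like this there is nothing to
# search when an advisory is published.
INVENTORY = {
    "billing-portal":  [("openssl", "1.0.1e"), ("example-parser", "2.3.0")],
    "patient-records": [("openssl", "1.0.1f"), ("example-lib", "4.1.2")],
    "marketing-site":  [("openssl", "1.0.2"),  ("example-lib", "4.1.2")],
    "vpn-gateway":     [("openssl", "0.9.8y")],
    "legacy-cms":      [("example-parser", "2.2.9")],
}


@dataclass(frozen=True)
class Advisory:
    cve: str
    component: str
    first_affected: str    # inclusive
    last_affected: str     # inclusive
    exploited_in_wild: bool
    public_exploit: bool   # known exploit or proof-of-concept code published


# Heartbleed is real (OpenSSL 1.0.1 through 1.0.1f). The two EXAMPLE-numbered
# records are constructed placeholders so every priority tier shows up.
ADVISORIES = [
    Advisory("CVE-2014-0160", "openssl", "1.0.1", "1.0.1f", True, True),
    Advisory("EXAMPLE-0001", "example-lib", "4.0.0", "4.1.5", False, True),
    Advisory("EXAMPLE-0002", "example-parser", "2.0.0", "2.3.4", False, False),
]

# Assumption: versions look like OpenSSL's "1.0.1f" (three numbers, optional letter).
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)$")


def parse_version(v):
    """Turn 'major.minor.patch[letter]' into a tuple that sorts correctly."""
    m = VERSION_RE.match(v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    major, minor, patch, letter = m.groups()
    # '1.0.1' sorts before '1.0.1a'; letters a..z map to 1..26
    suffix = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(patch), suffix)


def is_affected(version, adv):
    """True when version falls inside the advisory's inclusive range."""
    lo, hi = parse_version(adv.first_affected), parse_version(adv.last_affected)
    return lo <= parse_version(version) <= hi


def priority(adv):
    """0 = exploited in the wild, 1 = exploit/PoC public, 2 = everything else."""
    if adv.exploited_in_wild:
        return 0
    if adv.public_exploit:
        return 1
    return 2


def find_affected_instances(inventory, advisories):
    """Every (app, component, version) that matches an advisory's range."""
    findings = []
    for app, components in inventory.items():
        for name, version in components:
            for adv in advisories:
                if adv.component == name and is_affected(version, adv):
                    findings.append({"app": app, "component": name,
                                     "version": version, "cve": adv.cve,
                                     "priority": priority(adv)})
    return findings


def remediation_queue(inventory, advisories):
    """Findings ordered by exploitation status first, then CVE and app."""
    return sorted(find_affected_instances(inventory, advisories),
                  key=lambda f: (f["priority"], f["cve"], f["app"]))


if __name__ == "__main__":
    for f in remediation_queue(INVENTORY, ADVISORIES):
        print(f"P{f['priority']} {f['cve']:14} {f['app']:16} "
              f"{f['component']} {f['version']}")
```

Run against the sample inventory, the queue puts the two Heartbleed-exposed applications first and leaves marketing-site (OpenSSL 1.0.2) and vpn-gateway (0.9.8y) out of the Heartbleed findings entirely, which is exactly the answer an organization without an inventory cannot produce.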
The report also states that, contrary to popular belief, actors in breaches are predominantly external. Given the data in the report, this conclusion makes sense: internal actors can fall back on other means of exfiltrating data, while outside cybercriminals have to rely on software vulnerabilities. The report states that most of these "external actors" are motivated by monetary gain rather than supporting a cause or cyber-warfare. These can be the most dangerous cybercriminals, as they aren't typically targeting a single organization; they are looking for the path of least resistance, and too often that path runs through the application layer. The question remains: where are all these vulnerabilities coming from, and why are we still seeing so many SQL injection (SQLi) vulnerabilities, a class that is both easy to detect and simple to exploit?
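The SQLi point deserves a concrete look, so here is an added example (mine, not from the report or from Veracode) showing why the class is "easy to detect and simple to exploit": a login lookup that builds its query by string formatting, the same lookup with a parameterized query, and a small AST scan that flags string-built queries in source. The users table, the SAMPLE_SOURCE snippet and the function names are constructed for the illustration.

```python
import ast
import sqlite3


def make_db():
    """In-memory SQLite database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "hash-a", "admin"),
        ("bob", "hash-b", "user"),
    ])
    return conn


def login_vulnerable(conn, username, password_hash):
    """Deliberately vulnerable: user input is pasted into SQL syntax."""
    sql = (f"SELECT role FROM users WHERE username = '{username}' "
           f"AND password_hash = '{password_hash}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password_hash):
    """Hardened: placeholders keep the input as data, never as SQL."""
    sql = "SELECT role FROM users WHERE username = ? AND password_hash = ?"
    row = conn.execute(sql, (username, password_hash)).fetchone()
    return row[0] if row else None


# Constructed source snippet for the detector below: two string-built
# queries (lines 3 and 5) and one parameterized query (line 7).
SAMPLE_SOURCE = '''
def lookup(conn, name):
    return conn.execute(f"SELECT * FROM t WHERE name = '{name}'")
def lookup2(conn, name):
    return conn.execute("SELECT * FROM t WHERE name = '" + name + "'")
def lookup3(conn, name):
    return conn.execute("SELECT * FROM t WHERE name = ?", (name,))
'''


def find_string_built_queries(source):
    """Line numbers of execute()/executemany() calls whose SQL argument is an
    f-string or a concatenation/format expression, i.e. built from pieces at
    runtime rather than a constant with placeholders."""
    flagged = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr in ("execute", "executemany")
                and node.args):
            first = node.args[0]
            # JoinedStr = f-string; BinOp covers '+' concatenation and '%' formatting
            if isinstance(first, (ast.JoinedStr, ast.BinOp)):
                flagged.append(node.lineno)
    return sorted(flagged)


if __name__ == "__main__":
    db = make_db()
    # Comment-out payload: the password check never runs
    print(login_vulnerable(db, "alice' --", "wrong"))   # admin
    print(login_fixed(db, "alice' --", "wrong"))        # None
    print(find_string_built_queries(SAMPLE_SOURCE))     # [3, 5]
```

The payload `alice' --` turns the rest of the statement into a comment, so the vulnerable lookup returns alice's role without a password; the parameterized version treats the same string as a literal username and finds nothing. The detector is intentionally crude (it only looks at the shape of the first argument), which is the point: this class of defect is visible without running anything.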
Once again, the Verizon Data Breach Investigations Report provides a comprehensive view of the current threat landscape. It also highlights why application security is such an important part of the security ecosystem.
With the number of successful breaches targeting web apps growing and the spend on AppSec remaining static, clearly something has to change. Applications are an increasing source of value for enterprises, but they are also a growing source of risk. Information security must transform to meet the needs of today's digital-based economy, and to do so we need a new approach to application security. Otherwise, we run the risk of not being able to confidently innovate with the web and mobile applications we build, buy and deploy, as well as the components we integrate into our environments.