With a goal of helping people understand the overall state of application security, Chris Wysopal, Veracode’s CTO and Co-Founder, recently gave a webinar, “Data Mining a Mountain of Zero-Day Vulnerabilities.” Chris examined the anonymized vulnerability data set produced by Veracode over the course of our analysis of thousands of applications submitted to us by large enterprises, commercial software vendors, open source projects, and software outsourcers. This data set generated interesting observations about application security in various industry verticals, and common mistakes developers make when coding software. The webinar enjoyed ample audience participation and response, including a few questions submitted by attendees which did not get addressed live on the webinar due to time constraints. Below we highlight a few of those.
Q: Of the software development houses that are producing these "vulnerable" applications, how many of them have a security assessment phase in their development life-cycle?
Wysopal: The software developers do not disclose to us what security they perform in the SDLC. It is likely that those who have robust programs are the ones passing our test and the ones with no programs are failing, but that is just a hypothesis. We would need to ask each customer what application security processes they are performing.
Q: Did your study look at the platform or operating system upon which the application executes as a factor?
Wysopal: No, it does not. For most application-layer vulnerabilities this does not matter, however.
Q: Can you define the "information leakage" vulnerability? Is there a catalog describing all the vulnerabilities commented on in this presentation?
Wysopal: Information leakage happens when sensitive information is displayed to the user inadvertently. An example would be pathnames or database IP addresses returned within an error message to a user. An attacker can use this information to attack the system. The MITRE CWE website catalogs application vulnerabilities. Here is an example: http://cwe.mitre.org/data/definitions/209.html
Q: Of all of the vulnerabilities you find in these applications, which is the most easily exploited?
Wysopal: The top 4 exploited, as determined by the Web Hacking Incident Database, are:
1. SQL Injection
2. Cross-site scripting
3. Information leakage
4. Command injections
Other reports have ranked directory traversal as another often-exploited vulnerability.
Q: Once you complete your testing for a company, what is the usual request/reaction from the business, and do you provide them a solution regarding how to make their environment more secure?
Wysopal: Veracode provides a remediation roadmap which includes prioritization and information on how to remediate each specific issue. Some organizations remediate and others choose not to. It depends on the severity of the issues and the business's tolerance for risk.
Q: The total percentage of hacks seems to be low in the slide below. What methods of attack make up the other 64%?
Wysopal: According to the Web Hacking Incident Database, the other top attack methods are the following. Less than 1%:
- Forceful Browsing
- Remote File Inclusion (RFI)
- Domain Hijacking
- Hidden Parameter Manipulation
- Local File Inclusion (LFI)
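The information leakage answer above (CWE-209) is easier to see in code. The following is an added example, not code from the webinar, from Veracode, or from the original post: a request handler that echoes a database connection error straight to the client, beside a hardened version that records the detail server-side under a random reference ID and returns only that ID, plus a small regex check that flags response bodies containing IP addresses or filesystem paths. The database host, the error text, the config path and the in-memory log are all constructed for the demo; no real server or database is involved.

```python
"""
Added example (not from the Veracode webinar or the original post): the
information leakage pattern described above (CWE-209), shown as a
vulnerable error handler beside a hardened one. The database host, error
message and config path are constructed for the demo.
"""
import logging
import re
import uuid

# Constructed: the kind of connection error a DB driver raises. In a real
# application this text would come from the driver, not be hand-built.
DB_HOST = "10.0.12.7"
DB_ERROR = OSError(
    "could not connect to server: Connection refused "
    f"(host={DB_HOST}, port=5432, cfg=/srv/app/config/db.ini)"
)

# Internal log sink. In production this goes to a log file or SIEM, never
# into the HTTP response; kept as an in-memory list so the demo runs offline.
INTERNAL_LOG: list[str] = []
logger = logging.getLogger("app")


def query_db(_sql: str) -> list:
    """Stand-in for a database call; always fails with the constructed error."""
    raise DB_ERROR


def handle_request_vulnerable(sql: str) -> tuple[int, str]:
    """CWE-209: the raw exception text is echoed to the client, so an
    attacker learns the DB host, port and a server-side config path."""
    try:
        rows = query_db(sql)
        return 200, str(rows)
    except Exception as exc:
        return 500, f"Internal error: {exc}"


def handle_request_hardened(sql: str) -> tuple[int, str]:
    """Log the full detail server-side under a random reference ID and
    return only that ID to the client. Support staff can correlate the ID
    with the log entry; the client learns nothing about the backend."""
    try:
        rows = query_db(sql)
        return 200, str(rows)
    except Exception as exc:
        ref = uuid.uuid4().hex[:12]
        INTERNAL_LOG.append(f"ref={ref} {type(exc).__name__}: {exc}")
        logger.error("request failed ref=%s", ref, exc_info=True)
        return 500, f"An internal error occurred (reference {ref})."


# Leak check a reviewer or test suite can run over response bodies: flag
# anything that looks like an IPv4 address or an absolute filesystem path.
LEAK_PATTERNS = [
    re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"),          # IPv4 address
    re.compile(r"(?<![\w.])/(?:[\w.-]+/)+[\w.-]+"),       # absolute POSIX path
    re.compile(r"[A-Za-z]:\\(?:[\w.-]+\\)*[\w.-]+"),      # Windows path
]


def leaks_internal_info(body: str) -> bool:
    """True if the response body matches any leak pattern."""
    return any(p.search(body) for p in LEAK_PATTERNS)


if __name__ == "__main__":
    for handler in (handle_request_vulnerable, handle_request_hardened):
        status, body = handler("SELECT 1")
        print(f"{handler.__name__}: {status} {body!r} "
              f"leaks={leaks_internal_info(body)}")
    print("server-side log:", INTERNAL_LOG)
```

The regex check is deliberately crude; its value is as a cheap gate in an integration test suite (assert that no 4xx/5xx body ever matches), not as a substitute for reviewing every error path. The hardened handler still returns a 500, so availability problems stay visible to the client; only the diagnostic detail moves behind the reference ID.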
If you have any additional questions for Chris Wysopal on this subject, feel free to send them over. To get a recorded video of the webinar with slides, click here.