Any Way You Measure Them, Applications Fall Short On Security

Two major studies find that vulnerabilities are prevalent and persistent

By Bala Venkat


For years now, security experts have been singing the same song: that security must be “baked” into the development process, and that the most common vulnerabilities are usually not the new and scary ones, but those that have been around for a long time.

The song remains the same. But it appears that many developers still aren’t listening.

In the last few weeks, major research reports have revealed strikingly similar conclusions: that security vulnerabilities in applications are the norm, and that they are usually the same flaws that have been found and exploited for years.

Here at Cenzic, our newly published Cenzic Application Vulnerability Trends Report 2013 shows that security flaws are prevalent not only in most applications, but in nearly all of them. Of the applications we tested last year, 99 percent contained one or more serious bugs. The median number of bugs per app was 13 in 2012 — down from 16 in 2011, but still remarkably high.

What’s even more remarkable is that these vulnerabilities are not the product of some great leap in technology – they are the same bugs we have been finding for years. Cross-site scripting (XSS) vulnerabilities – which have been around for years and are frequently exploited – appear in 61% of applications, followed by Authentication and Authorization (45%), Web Server Configuration (28%), CSRF (22%), Information Leakage (17%), SQL Injection (16%), Web Server Version (10%), Unauthorized Directory Access (8%) and Remote Code Execution (3%).

While most vulnerabilities have declined slightly in the last year, the pace of improvement is glacial. Vulnerabilities still exist in almost all legacy applications and new applications. And emerging cloud and mobile applications increase the complexity of the problem. Moreover, the threats from these vulnerabilities continue to evolve as bad actors experiment with new and different attack strategies. While a great deal of time and money has been spent on secure software development over the last few years, the situation simply is not getting better.

This week, application security firm Veracode published its State of Software Security Report Volume 5, and although the numbers were different, it confirms our own findings. Veracode found that 70 percent of enterprise applications failed to comply with the organization’s security policies on their first submission to scanning – very similar to the frequency of failure it has recorded in past years.

Also similar to our Trends Report, Veracode found that most of the vulnerabilities it identified were those that have been known for years. For example, nearly a third (32 percent) of Web applications presented SQL injection flaws from the first quarter of 2011 to the second quarter of 2012, according to the study.

Both of these reports point to a sad truth about application development: despite increasing threats posed by attackers and an increasing frequency of reported breaches, secure software development processes still have not improved radically over the past several years. Today’s enterprises face many of the same vulnerabilities, with approximately the same frequency, as they did two or three years ago.

If there’s a takeaway from these results, it’s that application development processes are in need of a radical change. Our existing methods of identifying flaws in the pre-development phase are only partially effective, and it’s time to rethink these processes from the ground up.

There are many ways to do this rethinking, but one of the most fundamental is the need to shift the application scanning process from a strictly pre-deployment approach to a continuous, consistent process that also scans applications post-deployment and in production.

The fact is that vulnerabilities don’t just happen during original code development. New flaws can be introduced during the patching process, in upgrades, and in customization of code. An application that has been running for a year is as likely – perhaps even more likely – to contain vulnerabilities as an application that is being rolled out for the first time. And many of those flaws will not be new or particularly interesting – they will be the same flaws that have been occurring for years, including XSS, SQL injection, buffer overflows and the like.

It’s time for application developers – and the security auditors who support and scan for vulnerabilities – to really rethink the application testing process. Only through real change will we change the repetitive pattern of vulnerabilities that we continue to see in the industry.

Cenzic Application Vulnerability Trends Report 2013 Now Available

99% of Tested Applications Have Vulnerabilities

Cenzic’s analysis finds that in 2013 application vulnerabilities are all too common. 99% of tested applications have one or more vulnerabilities. And with a median number of vulnerabilities per app of 13, it’s no wonder that application-level attacks are a focus for bad actors. The full report is available for download at no charge.

Vulnerabilities come in many different forms. The chart below shows that Cross Site Scripting (XSS) continues to be the most common class of application vulnerability.

[Chart: 2013 Application Vulnerability Trends – Summary Statistics: 2013 Application Vulnerability Population]

The chart also shows that many classes of vulnerabilities exist in current applications and pose risks to companies along with their customers, employees and supply chain partners. While the distribution of specific vulnerability classes for 2013 is different than previous years, multiple variants of all classes continue to be detected in production apps.

Based on data collected by the Cenzic Managed Security team, the Cenzic Application Vulnerability Trends Report 2013 shares details about the kind, frequency and severity of vulnerabilities that will be found in production applications in 2013.

The time to act is now. Download the report today and learn about the current application vulnerabilities and risk landscape. And more importantly, use the report and its shocking findings as a motivation to improve your application security posture.

Cenzic Wins 3 Awards at RSA Conference 2013

Cenzic’s goal is to provide customers with solutions that reduce application security vulnerabilities and risks. Over the years, Cenzic has succeeded at this mission and earned industry awards. The most recent recognition came at RSA Conference 2013 where Cenzic earned not one, not two, but three Info Security Global Excellence Awards.

Info Security Products Guide Gold Award

CENZIC MANAGED CLOUD
Best Cloud Security Service

Info Security Products Guide Bronze Award

CENZIC, INC.
Best Overall Security Company of the Year

Info Security Products Guide Bronze Award

CENZIC ENTERPRISE
Best Web Application Security Product

Visit the Info Security Products Guide Awards page to see the list of honorees in all categories.

Info Security Products Guide runs a tough competition. More than 50 judges from a broad spectrum of industry voices around the world participated, and their average scores determined the 2013 Global Excellence Awards Finalists and Winners.

Cenzic is honored to be recognized by Info Security Products Guide with 3 awards at RSA Conference 2013.

Cybersecurity Executive Order Encourages Data Sharing

On Tuesday, February 12, President Obama signed a long-awaited cybersecurity executive order. The full text of the order is posted to the White House web site.

[Graphic from the White House’s presentation on the cybersecurity executive order]

The executive order underscores the importance of protecting the United States’ critical infrastructure and systems from serious cyber risks:

“It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.”

The Department of Homeland Security, the Attorney General, the Director of National Intelligence and others are ordered to improve information sharing about cyber threats between government and industry and establish a framework of cybersecurity best practices that industry would elect to follow. Specific initiatives include:

  • Increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats.
  • Develop a framework of cybersecurity best practices. The National Institute of Standards and Technology (NIST) will head up the process of defining a technology-neutral framework which will be aimed at addressing security gaps faced by both the public and private sectors.
  • Establish a voluntary program to support the adoption of the cybersecurity framework by owners and operators of critical infrastructure and any other interested entities.

The policies outlined in the executive order arose from failed efforts to pass cyber-security legislation last spring. Executive orders do not grant additional powers to federal agencies—that requires legislation. They do, however, define and mobilize how the federal government should act within current legal parameters. In other words, the executive order “describes and encourages” secure practices rather than “legally requires minimum requirements.”

Media coverage by The Hill, The New York Times and InformationWeek shows a mixed opinion about the cybersecurity provisions in the executive order. Many view it as an important step towards securing critical infrastructure from cyber attack. Others point out that outdated practices and insecure systems are allowed to remain in place. What is clear is that there is more work ahead for public and private sector organizations to address current cybersecurity weaknesses.

Some bad actors focus on attacking national infrastructure while others target any web application for profit or just to create havoc. Many attacks are independent of an organization’s brand, size, industry and location. To ensure reliable functioning of your systems and protect your assets, you must take decisive action.

Cenzic specializes in helping businesses improve their security posture, from providing focused assessments of individual applications to comprehensive security monitoring services. Contact Cenzic to speak with a security professional about how you can take important steps to reduce your organization’s cyber risk.

Cybersecurity to Become White House Focus in the New Year

After two attempts earlier this year by the US Congress to pass the Cybersecurity Act of 2012 (CSA 2012), the Executive Branch is taking steps toward a Presidential Cybersecurity Order to protect the country’s digital systems from hackers and spies.

According to The Hill, the Order could be issued as early as January 2013. Politico reported that the White House held meetings with representatives from tech trade associations, the U.S. Chamber of Commerce, privacy groups and think tanks throughout the Fall to hear their recommendations for the Executive Order.

So what might be in the Executive Order? It’s not entirely clear as the Obama Administration has not released a draft at this time. Parties close to the negotiations suggest that the following is possible:

  • The Executive Order will likely resemble the failed CSA 2012
  • The Department of Homeland Security (DHS) will be tasked with identifying the critical infrastructure where a cyber-attack could result in a “debilitating impact on the nation.”
  • DHS and the Office of Management and Budget (OMB) will review the DHS’s report and recommend a “prioritized, risk based, efficient and coordinated set of actions to mitigate or remediate identified cyber risks to critical infrastructure.”
  • A new real-time information sharing program involving the DHS, National Security Administration, and Attorney General.

The Cenzic Web Application Security Blog will continue to track the progress and details of the probable cybersecurity Executive Order.

Security as Customer Service: The Zappos Hack Starts the Conversation

When was the last time you, or anyone handling digital security at your company, was invited to a meeting about customer service? How many times have you been asked how you can improve the customer experience? How often are your anti-hacking efforts cited as one of the ways your company is customer-first?

If your company isn’t truly customer-centric, the answers are likely never, zero and not ever. Even companies who live and breathe customer service don’t always equate anti-hacking measures with happy, returning customers.

But that might have changed after online shoe store Zappos was hacked last week, resulting in a data breach affecting 23 million of its customers. The CEO sums it up well. “We’ve spent over 12 years building our reputation, brand and trust with our customers,” CEO Tony Hsieh said in a blog statement. “It’s painful to see us take so many steps back due to a single incident.”

Could they have prevented it? Were they lax? Was security part of their culture, just not publicly discussed so as not to become a target? I don’t know. We may never know. But if your company hasn’t asked your security team these questions, they should. And if you know there is more you should be doing to protect against hacking, you’re never going to get a better reason to bring this up than Zappos, the reigning customer service monarch, just gave you.

Sure, they’ll survive; after more than a decade of fabulous customer service – purportedly 75%+ of their sales are from returning customers – they should have enough goodwill to not lose much for long. But what about your company? How many of your sales are from returning customers? What would a customer data breach do to their loyalty?

How we treat customer data is part of how we treat the customer. It isn’t the first thing your CEO might ordinarily think of, or the CMO or the head of the call center. But it might be in their top 10 for the next few days. Take advantage of it.

Richard Stiennon Honored During Cyber Security Awareness Month

As you may have read from yesterday’s press release, Cenzic honored Richard Stiennon, a veteran of the security industry and a well-respected analyst, as the recipient of the company’s second annual Cenzic Cyber Security Leadership award.

The award recognizes Stiennon as the industry expert who has made the biggest strides in furthering the values exemplified by Cyber Security Awareness Month (October 2011). The award was judged on the level of commitment Mr. Stiennon has shown for the cause as well as his willingness to educate others on cyber security issues.

Mr. Stiennon has over a decade of experience advising enterprises, vendors, and government agencies on their security strategies. Other cyber security accomplishments of his include:

  • Author of Surviving Cyberwar (Government Institutes, 2010) and the soon-to-be-published Cyber Defense: Countering Targeted Attacks
  • Most followed IT security analyst on Twitter
  • Moderator of the Security Leaders Group on LinkedIn
  • Writer of the Cyber Defense Weekly newsletter
  • Keynote presenter at the October 2011 National Cyber Security Awareness Month kick-off event at the University of Virginia

Congratulations, Richard!

University Research Aimed To Improve Website Security

Universities look to improve website security with comprehensive approach

With website security threats on the rise, several innovative university research programs promise to change the security field by combining web application and browser security in order to provide the safest environment for the end user.

For many years now, the security industry has not placed enough importance on these two components (browsers and web apps) working together in a comprehensive security approach.

Web browser companies like Mozilla, IE, and Google are now focusing on security, as they see it as a competitive advantage in the marketplace.

However, while the browser companies’ (not entirely altruistic) efforts might better protect consumers (using the latest browser version, configuring some of the plug-ins etc.), the comprehensive vision of website security is lost, as little attention is paid to the web application security side. So, ultimately, the end user pays the price.

On the web application security front, stealth threats are increasing due to emerging web app frameworks and the boom of HTML5. Yet instead of spending research and time on hardening the server-side frameworks, where a single well-placed injection affects every user of the application at once, more emphasis is currently being placed on browser security.

Though browser security is a much-needed vitamin to keep the website security immune system functioning, without considering the server side security, that vitamin alone will not suffice.

Cost of a Data Breach: $7.2 Million According to Ponemon Report

Ponemon Institute just issued its latest report (March 2011) on the cost of a data breach, and the number just got even bigger and scarier: from $6.75 million to $7.2 million. That breaks down to an average of $214 per compromised record, up from $204 in 2009.

The sixth annual Ponemon Cost of a Data Breach report is based on the actual data breach experiences of 51 U.S. companies from 15 different industry sectors.

Download the 39-page PDF report today and read all the details.