HP Security Research | Cyber Risk Report 2015

Distribution by kingdom

The HP Software Security Taxonomy is organized into kingdoms, which are collections of vulnerability categories that share a common theme. One of the metrics that gives us more insight into vulnerability trends is the distribution of kingdoms discovered in applications, and especially how those change over time. The following graph compares the distribution of vulnerabilities discovered in Web applications across kingdoms in 2014 (using a sample size of over 6,500 apps) against those spotted in 2013 (using a sample size of over 2,200 apps).

Figure 18. Web app vulnerability category distributions by kingdom in 2013 and 2014

| 2014 rank | Kingdom | 2013 percentage | 2014 percentage |
|---|---|---|---|
| 1 | Security features | 72% | 86% |
| 2 | Environment | 80% | 82% |
| 3 | Encapsulation | 56% | 72% |
| 4 | Input validation and representation | 53% | 52% |
| 5 | Errors | 31% | 47% |
| 6 | Time and state | 8% | 22% |
| 7 | Code quality | 16% | 17% |
| 8 | API abuse | 2% | 16% |

In general, in 2014 more Web applications contained vulnerabilities in each kingdom than they did last year, with the exception of the Input Validation and Representation kingdom (which decreased by just 1 percent).

In 2013, Environment was the kingdom represented in the greatest percentage of applications (80 percent), while Security Features took second place with 72 percent. This year the two kingdoms switched places. Even though the percentage of applications that contained Environment issues stayed relatively similar between 2013 and 2014 (80 percent vs. 82 percent), the percentage of applications that contain problems related to Security Features (including access control, privacy violation, password management, insecure transport, and security of cryptographic primitives) jumped from 72 percent in 2013 to 86 percent in 2014.

Unfortunately, this statistic is once again consistent with the recent rash of privacy and confidentiality breaches, ranging from stolen personal data (Snapchat,[142] University of Maryland[143]), to credit card numbers (Neiman Marcus,[144] Home Depot[145]), to personal health information (Los Angeles Department of Health Services[147]).

The same rise in breach reports explains jumps in other kingdoms. The percentage of applications that have API Abuse problems, many of which are related to misuse of SSL certificates, jumped from 2 percent to 16 percent. The percentage for the Encapsulation kingdom, whose categories delineate ways in which an application might leak system data to a potential attacker who can use this information to mount a bigger attack on the system, went up by 16 percent (from 56 percent to 72 percent). The Errors kingdom, whose categories are very much related to leaking system information in the form of error messages resulting from improperly handled exceptions, exhibited a similar jump from 32 percent to 47 percent. And many of the categories in the Time and State kingdom that relate to improper session and account management contributed to the increase in the percentage of applications susceptible to such problems, from 8 percent to 22 percent.

[142] http://gibsonsec.org/snapchat/fulldisclosure/
[143] http://www.umd.edu/datasecurity/
[144] http://www.neimanmarcus.com/NM/Security-Info/cat49570732/c.cat
[145] http://bits.blogs.nytimes.com/2014/09/18/home-depot-says-data-from-56-millioncards-taken-in-breach/?_r=0
[146] http://healthitsecurity.com/2014/03/07/losangeles-county-dhs-reveals-168000-patientdata-breach/
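The Errors and Encapsulation kingdoms described above both come down to the same defect: an exception that is not handled deliberately ends up serialized into the HTTP response, handing the client file paths, stack frames and internal identifiers. The following Python example is added here as an illustration and is not code from the HP report; it uses a constructed in-memory user table and a hypothetical pair of request handlers, `handle_leaky` and `handle_hardened`, so it runs offline with no web framework. The leaky handler shows the pattern the report counts, the hardened one returns a generic message to the client and keeps the detail in the server log under a correlation id, and `leaks_internals` is a simple response-body check of the kind a test suite or scanner would use to flag the leaky variant.

```python
import logging
import re
import traceback
import uuid

log = logging.getLogger("app")

# Constructed sample backend: a stand-in for a database lookup that can fail.
_USERS = {"alice": {"email": "alice@example.invalid"}}


def lookup_user(username):
    """Raises KeyError for unknown users, like an ORM 'not found' path."""
    return _USERS[username]


def handle_leaky(username):
    """Errors-kingdom defect: the caught exception is formatted straight into the
    response, so the client sees the traceback (paths, frames, exception type)."""
    try:
        return 200, lookup_user(username)["email"]
    except Exception:
        # Improperly handled exception: internal detail leaves the trust boundary.
        return 500, traceback.format_exc()


def handle_hardened(username):
    """Expected failures get a specific, non-revealing status; anything unexpected is
    logged server-side with a correlation id and the client gets only that id."""
    try:
        return 200, lookup_user(username)["email"]
    except KeyError:
        return 404, "not found"
    except Exception:
        incident = uuid.uuid4().hex
        log.exception("unhandled error, incident %s", incident)
        return 500, f"internal error (reference {incident})"


# Markers that indicate a Python traceback or source path reached the client.
_LEAK_MARKERS = re.compile(
    r"Traceback \(most recent call last\)|File \"[^\"]+\.py\", line \d+|\w+Error:"
)


def leaks_internals(body):
    """True if a response body contains traceback or source-path residue."""
    return _LEAK_MARKERS.search(body) is not None


if __name__ == "__main__":
    for handler in (handle_leaky, handle_hardened):
        status, body = handler("nobody")
        print(handler.__name__, status, "leaks" if leaks_internals(body) else "clean")
```

Running the block prints that `handle_leaky` leaks on an unknown user while `handle_hardened` stays clean; the `leaks_internals` check is deliberately narrow (Python tracebacks only) and would be extended per platform for Java, .NET or PHP stack formats.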