
HP Security Research | Cyber Risk Report 2015

It is interesting that the numbers for the Environment and Encapsulation kingdoms are reversed, but this can be easily explained as well. One of the biggest differentiators of the mobile ecosystem, compared to Web applications, is the fact that different mobile applications run side by side on the same device within the same environment and are able to communicate with each other. Therefore, there are more opportunities for data to cross trust boundaries in mobile applications, which explains the higher percentage of mobile applications that contain Encapsulation issues (80 percent vs. 72 percent). On the other hand, there are a lot more ways to deploy Web applications, a lot more Web servers to run the applications on, and a lot more opportunity for misconfiguration, which is why Web applications (82 percent) are more susceptible to Environment issues than mobile applications are (70 percent). This also explains why the number of Web applications that contain defects in the Errors kingdom is much higher than that of mobile applications (47 percent vs. 8 percent), because many of the categories in the Errors kingdom are about misconfiguring an application or a Web server in terms of handling exceptions or providing a custom error page.

As for the differences in Code Quality numbers, our data indicates that a much higher percentage of mobile applications—compared to Web applications—contains instances of null dereferences. The ability of mobile applications to communicate with each other is one of the reasons behind this. In the mobile world, developers do not always check the data coming from another application against null, because a lot of the time they are expecting the data to be coming from another component of the same application (rather than from an entirely different app) and thus assume they can trust it to be in the expected format. Second, our mobile application dataset includes both Android and iOS applications. Many of the Code Quality issues are related to C- (and therefore iOS-) specific problems, such as type mismatches, which simply don’t exist in Web applications. This explains why the percentage of mobile applications (38 percent) that contain Code Quality issues is higher than that of Web applications (17 percent).

Breakdown of top five Web application vulnerabilities

At a high level, all vulnerabilities can be represented within a category of the HP Software Security Taxonomy. Some categories can be solely represented by a single vulnerability (e.g., cross-frame scripting), while others could be a grouping of multiple vulnerabilities (e.g., Web server misconfiguration). Below is a quick look at five categories that affected the greatest number of applications.

Figure 20. Top five vulnerability categories across applications evaluated in 2014 (bar chart: Web server misconfiguration 68%, Cookie security 60%, System information leak 58%, Privacy violation 53%, Cross-frame scripting 48%)
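As an added illustration of the null-dereference pattern discussed under Code Quality above (this is not code from the HP report), an Android activity that receives a value from another app through an Intent and validates it before use; the activity name and the extra key "target_url" are assumptions.

```java
// Added example, not from the HP report. Names are hypothetical.
package example;

import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;

public class ShareTargetActivity extends Activity {

    static final String EXTRA_TARGET_URL = "target_url"; // hypothetical extra key

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent intent = getIntent();

        // Defective pattern: the extra is assumed to come from a component of the
        // same app, so it is dereferenced without a null check. Any other app that
        // starts this activity can omit the extra and the call below throws a
        // NullPointerException.
        // String target = intent.getStringExtra(EXTRA_TARGET_URL);
        // openUrl(Uri.parse(target.trim()));

        // Hardened pattern: treat the Intent as data crossing a trust boundary and
        // validate both presence and format before acting on it.
        Uri uri = parseExpectedHttpsUrl(intent.getStringExtra(EXTRA_TARGET_URL));
        if (uri == null) {
            finish(); // reject unexpected input instead of dereferencing it
            return;
        }
        openUrl(uri);
    }

    /** Returns a parsed https URL with a host, or null if absent or malformed. */
    static Uri parseExpectedHttpsUrl(String raw) {
        if (raw == null || raw.isEmpty()) {
            return null; // null check first: the extra may simply be missing
        }
        Uri uri = Uri.parse(raw.trim());
        // getScheme() may itself be null; equalsIgnoreCase(null) is false, so this is safe
        if (!"https".equalsIgnoreCase(uri.getScheme()) || uri.getHost() == null) {
            return null;
        }
        return uri;
    }

    private void openUrl(Uri uri) {
        // application-specific handling of the validated URL
    }
}
```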
