hp-security-research-cyber-risk-report-pdf-2-w-1408

Recommendations

Info

HP Security Research | Cyber Risk Report 2015It is interesting that the numbers for the Environment and Encapsulation kingdoms arereversed, but this can be easily explained as well. One of the biggest differentiators of themobile ecosystem, compared to Web applications, is the fact that different mobile applicationsrun side by side on the same device within the same environment and are able to communicatewith each other. Therefore, there are more opportunities for data to cross trust boundaries inmobile applications, which explains the higher percentage of mobile applications that containEncapsulation issues (80 percent vs. 72 percent). On the other hand, there are a lot moreways to deploy Web applications, a lot more Web servers to run the applications on, and a lotmore opportunity for misconfiguration, which is why Web applications (82 percent) are moresusceptible to Environment issues than mobile applications are (70 percent). This also explainswhy the number of Web applications that contain defects in the Errors kingdom is much higherthan that of mobile applications (47 percent vs. 8 percent), because many of the categoriesin the Errors kingdom are about misconfiguring an application or a Web server in terms ofhandling exceptions or providing a custom error page.As for the differences in Code Quality numbers, our data indicates that a much higherpercentage of mobile applications—compared to Web applications—contains instances of nulldereferences. The ability of mobile applications to communicate with each other is one of thereasons behind this. In the mobile world, developers do not always check the data coming fromanother application against null, because a lot of the time they are expecting the data to becoming from another component of the same application (rather than from an entirely differentapp) and thus assume they can trust it to be in the expected format. Second, our mobileapplication dataset includes both Android and iOS applications. Many of the Code Quality issuesare related to C- (and therefore iOS-) specific problems, such as type mismatches, which simplydon’t exist in Web applications. This explains why the percentage of mobile applications (38percent) that contain Code Quality issues is higher than that of Web applications (17 percent).Breakdown of top five Web application vulnerabilitiesAt a high level, all vulnerabilities can be represented within a category of the HP SoftwareSecurity Taxonomy. Some categories can be solely represented by a single vulnerability (e.g.,cross-frame scripting), while others could be a grouping of multiple vulnerabilities (e.g., Webserver misconfiguration). Below is a quick look at five categories that affected the greatestnumber of applications.Figure 20. Top five vulnerability categories across applications evaluated in 201480%70%68%60%50%60%58%53%48%40%30%20%10%0%Web servermisconfigurationCookie securitySysteminformation leakPrivacy violationCross-framescripting52
HP Security Research | Cyber Risk Report 2015Cookie security and system information leakage continue to be prominent issues whencompared to 2013’s trends. Due to recent changes to the HP Software Security Taxonomy,access control issues have now been merged into the greater Web Server Misconfigurationgroup. With this in mind, misconfiguration issues gained the top spot based on 2014 data.Interestingly, Transport Layer Protection (now called Insecure Transport) and Cross-SiteScripting moved down to seventh and eighth places respectively. These were replaced byPrivacy Violation and Cross-Frame Scripting. The HP Cyber Risk Report released in 2013performed a detailed analysis of defenses against cross-frame scripting. Two years later, HPSRcontinues to find this to be a prevalent issue across Web applications.Top 10 Web application vulnerabilitiesEach category within the taxonomy may be further refined based on specific characteristics ofthe vulnerability. The chart below represents the most prevalent Web application vulnerabilitiesseen in 2014.Figure 21. Top 10 common vulnerabilities discovered in Web applications in 2014Cross-frame scripting 48%Web server misconfiguration: Unprotected filePrivacy violation: AutocompleteWeb server misconfiguration: Unprotected directoryCookie security: HTTPOnly not set47%46%46%45%Cookie security: Not sent over SSLPoor error handling: Server messageHidden fieldCross-site scripting: Reflected40%40%38%37%System information leak: Filename found in comment0% 10% 20% 30% 40% 50%33%It is interesting to note that nine of the top 10 vulnerabilities are represented within the top fivecategories shown in Figure 20. Based on the above chart, we can see that cross-frame scriptingaffects the most applications.53
Page 1 and 2: BrochureHP SecurityResearchCyber Ri
Page 3 and 4: HP Security Research | Cyber Risk R
Page 74: HP Security Research | Cyber Risk R

hp-security-research-cyber-risk-report-pdf-2-w-1408

Create successful ePaper yourself

Delete template?

Save as template?