hp-security-research-cyber-risk-report-pdf-2-w-1408

Recommendations

Info

HP Security Research | Cyber Risk Report 2015Open source software dependenciesOrganizations have relied on open-source components to build their software since thebeginning, and more so since the late 90s when the Open Source Initiative (OSI) was formallyestablished. However, little or no attention was paid to the increase in attack surfaces due tointegrated open-source components. As mentioned earlier, manifestation of several criticalvulnerabilities (such as Heartbleed, Shellshock, and Poodle) in prevalent libraries (suchas OpenSSL and Bash) has brought renewed attention to software dependencies. Thereis an increased interest in accounting for these components in overall risk assessment foran organization. The information in this section is intended to help organizations to reallyunderstand how and if they are likely to be affected by integrated open source components.ApproachHP Security Research analyzed Sonatype third-party library security data for over 100randomly selected real-world Java applications provided by the HP Fortify on Demand managedservice. The reported data contains name, version, and a list of CVEs associated with opensourcecomponents referenced in each application. Furthermore, the data also contains thefraction of open source components referenced by each application.Figure 26. Distribution of open-source components referenced by application6%5%% of projects drawn from sample4%3%2%1%0%6%–39%open source40%–49%open source50%–59%open source60%–69%open source70%–79%open source80%–89%open source90%–100%open source% of open source components in app34% use no open source components(these data points were excluded from the chart)The graph above shows the percentage of open-source components referenced in the projectswe examined. We excluded the 34 percent of projects we examined that contained no opensourcecomponents, and ranged the remaining projects along the X axis, from just a bit of opensourcepresence on the left to nearly 100 percent open source at the far right. We noted thatover 55 percent of the projects we examined were over 50 percent open source—that is, over50 percent of their components are distributed as open source. Over 10 percent of the projectswe examined were 90 percent open source or greater.58
HP Security Research | Cyber Risk Report 2015Issues inherited from open-source librariesNext we investigated the type of issues that are inherited from open-source libraries. To betterunderstand the type of risks associated with these CVEs from the data, we mapped each CVE tothe HP Software Security Taxonomy.One hundred thirty-two unique CVEs were reported across 88 unique components; 228unique components when different versions are considered. These were distributed across sixkingdoms of categories related to problems in the code and one kingdom related to problemsoutside the code, such as environment. It is interesting to note the absence of code qualityissues in the publicly disclosed list of CVEs. One perceived reason could be that most criticalcode-quality issues such as double-free or memory leak are related to C, as opposed to theJava-based libraries referenced in the projects we evaluated. Although such issues need to beaddressed to ensure the desired functionality from the application, apparently they are notoften reported to the National Vulnerability Database.Figure 27. Unique CVE distribution across kingdoms20%Security featureEncapsulation3%1%2%API abuseErrorsInput validation and representation68%12%Other5%1%EnvironmentTime and stateSixty-eight percent of vulnerabilities are due to inadequate input validation. Within the InputValidation and Representation kingdom, Denial of Service and XML External Entity Injection arethe most frequently reported categories. All issues reported were spread across 33 categoriesand most were concentrated in the top 10.Figure 28. Top 10 vulnerability categories by unique CVE and severity distribution25Critical High Medium Low% project count50%245%2040%32% 32%Unique CVE count151050Denial of service27%191 141113%9 97%72 2XML external entity injectionOGNL expression injectionAccess controlCross-site scriptingInsecure SSL22%15% 15%2617325%432Dynamic code evaluationSession fixationClassloader manipulationWeak cryptographic signature30%20%10%0%% of projects59
Page 1 and 2:
BrochureHP SecurityResearchCyber Ri
Page 3 and 4:
HP Security Research | Cyber Risk R
Page 5 and 6:
HP Security Research | Cyber Risk R
Page 7 and 8: HP Security Research | Cyber Risk R
Page 74: HP Security Research | Cyber Risk R
show all

hp-security-research-cyber-risk-report-pdf-2-w-1408

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?