hp-security-research-cyber-risk-report-pdf-2-w-1408

Recommendations

Info

HP Security Research | Cyber Risk Report 2015Denial of service is the most commonly reported category; however, it is not the most critical.OGNL expression injection is the most commonly reported critical category; however, at 7percent it affects only a small fraction of applications reviewed. The majority of projects inheritdenial of service, cross-site scripting, and insecure SSL issues from third-party libraries.Figure 29. Top 10 popular libraries and unique CVE distribution6Unique CVE count% project30%Unique CVE count543228%25%2 2519% 19%417%316%14%5412% 12%310%25%20%15%10%% project count (library usage)11 15%0commons-file-upload :commons-fileuploadcommons-httpclient :commons-httpclientstruts : strutsorg.springframework :springwebaxis : axisxerces : xerceslmplorg.springframework :spring-webvmcorg.apache.santuario :xmlsecxalan : xalanorg.apache.httpcomponents :httpclient0%Popular libraries have on average three issues, while most have fewer than five issues.Libraries with the most vulnerabilities are less popular. They also produce fewer releases.Figure 30. Top 10 vulnerable libraries by unique CVE and severity distribution60Unique CVE count20181614121086420187%org.apache.struts :struts2-coreUnique CVE count Component version count % project616org.apache.struts.xwork :xwork-core15152 2 22% 2% 1%org.apache.tomcat :tomcat-catalinaorg.apache.tomcat :catalina145%com.opensymphony :xwork212opensymphony :xwork1 161% 1%19%org.mortbay.jetty :struts : struts54719%145 412%org.apache.santuario :xmlsecorg.springframework :spring-web25%20%15%10%5%0%% project count (library usage)
HP Security Research | Cyber Risk Report 2015The Heartbleed effectOur analysis in the section above shows that the use of open-source libraries is extensive.Two-thirds of all applications built today rely on open-source components. Once a component isintegrated, vulnerabilities in those components are inherited in the software. The new softwarecan in turn be referenced to further, creating a multiplicity factor for pre-existing securityissues. The Heartbleed bug is an example of such a scenario.To analyze this situation, we selected a group of components that integrate the OpenSSL libraryand could be present in the server environment in some form. Researchers at the University ofMichigan performed a detailed analysis 147 of the Heartbleed bug, which is CVE-2014-0160. Aspart of their cyber security research, they surveyed components that integrated the OpenSSLlibrary and were affected by Heartbleed bug. The list of components we have selected is anextension to the list provided in their research; we added three additional categories (appliance,operating system, and programming language/dev environment) that are an essential part ofan IT environment. We then examined data on vendor response and remediation efforts aroundthe Heartbleed vulnerability. We compared vendors’ response to Heartbleed with response toan OpenSSL vulnerability (CVE-2013-4353) that was reported before Heartbleed, and anotherone (CVE-2014-0224) that was reported after Heartbleed.The objective of this comparison was to analyze the response to various OpenSSL issues bydependent vendors in 2014.Our research looked at response time for various vendors based on publicly availableinformation. It should be noted that some vendors might have notified their users privately. Inaddition, “No information” could mean that either the vendor ignored the issue and thus failedto notify users or that the vendor did not depend on a vulnerable version of OpenSSL and hencewas not affected.Figure 31. Dependent vendor remediation trend for OpenSSL security issues% vendors that announced remediation100%90%80%70%60%50%40%30%20%10%DoS SSIv3_take_mac(CVE-2013-4353)Heartbleed(CVE-2014-0160)CCCS MITM injection(CVE-2014-0224)No information0%Web server Mail server Operating system Appliance Programminglanguage/DevenvironmentDatabase147https://zmap.io/heartbleed/.61
Page 1 and 2:
BrochureHP SecurityResearchCyber Ri
Page 3 and 4:
HP Security Research | Cyber Risk R
Page 5 and 6:
Page 7 and 8:
Page 9 and 10: HP Security Research | Cyber Risk R
Page 74: HP Security Research | Cyber Risk R
show all

hp-security-research-cyber-risk-report-pdf-2-w-1408

Create successful ePaper yourself

Delete template?

Save as template?