hp-security-research-cyber-risk-report-pdf-2-w-1408

Recommendations

Info

HP Security Research | Cyber Risk Report 2015A significant number of vendors did not openly acknowledge and remediate weaknessesinherited from OpenSSL before Heartbleed, whereas the trend seemed to change post-Heartbleed.Fewer disclosures were noted for mail server libraries using OpenSSL. Most of these librariesrely on dynamic binding of OpenSSL, which shifted the onus to users to keep their installedOpenSSL packages updated.The “Heartbleed effect” has resulted in not only more vendors opting to remediate OpenSSLissues, but also in improved response time to remediate these issues. The figure belowshows the maximum number of days taken to remediate OpenSSL issues, as measured bynotifications made public. We have averaged across all three OpenSSL issues, adjusting for thecorresponding type of vendor.Figure 32. Maximum days to announce remediation by categoryDatabaseProgramming language/Dev environment030827245687AverageDoS SSIv3_take_mac(CVE-2013-4353)Heartbleed(CVE-2014-0160)CCCS MITM injection(CVE-2014-0224)Appliance76475190Operating system21114Mail server42422562226Web server 7980 20 40 60 80 100 120 140 160 180 200Days to remediationBased on the data above, operating systems have stellar performance when it comes toremediating dependent vulnerabilities. This could be because they are most critical to providingindirect dependence to installed applications via dynamic binding. A slow response fromappliances can be attributed to various reasons:• Often users do not have information about software components that run on their appliances.• Appliances may not be embedded further to create a multi-level dependency, reducing userawareness of the vulnerability and demanding a fix from appliance manufacturer.• Appliances may not be updated easily.• While the worst maximum fix times show up in the Appliance category, in that category thatwas the only appliance that actually pushed a fix for a pre-Heartbleed OpenSSL issue.Most vendors do not maintain and provide a list of all third-party components that theirsoftware depends on, resulting in an incomplete <strong>risk</strong> profile for users of the components.Furthermore, most licenses, while requiring embedding software to disclose usage of thelibrary, don’t impose version number disclosure on the vendor. We as the software industryneed to make including a list of third-party components along with version number insoftware specification an essential part of the software disclosure for adequate <strong>risk</strong>assessment for organizations.62
HP Security Research | Cyber Risk Report 2015Remediation of static issuesFor the purpose of analyzing remediation patterns of vulnerabilities in Web applications, asubset of the overall sample set in previous analyses was taken. This selection was done basedon the following criteria:• Only automated scans that performed static code analysis were considered.• All vulnerabilities considered were detected and fixed within the past year.The typical process between the first scan on an application and the following remediation scanis as follows.1. User requests a scan of an application.2. Automated static code analysis of the application is performed.3. HP auditors audit the results of the scan.4. HP operators publish the audited results.5. User reviews the results. The user may request a re-audit of certain issues based on thebusiness criticality of certain applications.6. User triages the results and assigns to developers. In some cases, developers may directlytriage the issues.7. Developers fix the issues.8. QA validates the fix. This may involve several iterations depending on the quality of the fix.9. The organization may submit the new version immediately or batch many fixes togetherbefore sending a newer version for assessment.10. HP performs the remediation scan and validates the fix. The entire cycle may be repeated forissues that weren’t fixed in this round.In order to better understand when most of the vulnerabilities in a given kingdom or severitywere fixed, the statistical median value was considered to plot the graph below:Figure 33. Median number of scans to remediate critical vulnerabilities12Median per Kingdom Critical High1210108864576654Critical average: 6High average: 42233230API abuseCode qualityEncapsulationEnvironmentKingdomsErrorsInput validationand representationSecurity featuresTime and state63
Page 1 and 2:
BrochureHP SecurityResearchCyber Ri
Page 3 and 4:
HP Security Research | Cyber Risk R
Page 5 and 6:
Page 7 and 8:
Page 9 and 10:
Page 11 and 12: HP Security Research | Cyber Risk R
Page 74: HP Security Research | Cyber Risk R
show all

hp-security-research-cyber-risk-report-pdf-2-w-1408

Create successful ePaper yourself

Delete template?

Save as template?