HP Security Research | Cyber Risk Report 2015

Remediation of static issues

For the purpose of analyzing remediation patterns of vulnerabilities in Web applications, a subset of the overall sample set used in the previous analyses was taken. The selection was made according to the following criteria:

• Only automated scans that performed static code analysis were considered.
• All vulnerabilities considered were detected and fixed within the past year.

The typical process between the first scan of an application and the following remediation scan is as follows.

1. User requests a scan of an application.
2. Automated static code analysis of the application is performed.
3. HP auditors audit the results of the scan.
4. HP operators publish the audited results.
5. User reviews the results. The user may request a re-audit of certain issues based on the business criticality of certain applications.
6. User triages the results and assigns them to developers. In some cases, developers may triage the issues directly.
7. Developers fix the issues.
8. QA validates the fix. This may involve several iterations depending on the quality of the fix.
9. The organization may submit the new version immediately or batch many fixes together before sending a newer version for assessment.
10. HP performs the remediation scan and validates the fix. The entire cycle may be repeated for issues that were not fixed in this round.

In order to better understand when most of the vulnerabilities in a given kingdom or severity were fixed, the statistical median value was used to plot the graph below:

Figure 33. Median number of scans to remediate critical vulnerabilities
[Bar chart: median per kingdom, two series (Critical, High). X-axis "Kingdoms": API abuse, Code quality, Encapsulation, Environment, Errors, Input validation and representation, Security features, Time and state. Y-axis: number of scans (0 to 12). Annotations: Critical average: 6; High average: 4. Per-kingdom bar values are not recoverable from the extracted text.]

63
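The following is an added example, not code from the report or from HP, showing how the metric behind Figure 33 can be computed from per-finding scan records: apply the two selection criteria (static scans only; detected and fixed inside the analysis window), count the scans between first detection and the remediation scan that verified the fix, take the median per (kingdom, severity), and then average the per-kingdom medians per severity as the figure's "Critical average" and "High average" lines do. The record layout, the window dates, the sample findings and the definition of "scans to remediate" as the difference between the two scan ordinals are all assumptions; the report does not specify them.

```python
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed sample data (not from the report). One row per finding:
# (scan_type, kingdom, severity, detected_scan, fixed_scan, fixed_on)
#   detected_scan: ordinal of the scan that first reported the finding
#   fixed_scan:    ordinal of the remediation scan that verified the fix,
#                  or None if the finding is still open
#   fixed_on:      date of that remediation scan (None if still open)
# Kingdom names are the categories shown on the Figure 33 x-axis.
SAMPLE_FINDINGS = [
    ("static", "Input validation and representation", "Critical", 1, 7, date(2014, 9, 3)),
    ("static", "Input validation and representation", "Critical", 2, 10, date(2014, 11, 20)),
    ("static", "Input validation and representation", "High", 1, 3, date(2014, 8, 14)),
    ("static", "API abuse", "Critical", 1, 13, date(2014, 10, 2)),
    ("static", "API abuse", "High", 1, 5, date(2014, 10, 2)),
    ("static", "API abuse", "High", 3, 5, date(2014, 12, 1)),
    ("static", "Security features", "Critical", 1, 6, date(2014, 7, 7)),
    ("static", "Security features", "Critical", 2, None, None),           # still open: excluded
    ("static", "Security features", "High", 1, 2, date(2013, 5, 5)),      # fixed before window: excluded
    ("dynamic", "Security features", "Critical", 1, 2, date(2014, 8, 8)),  # not a static scan: excluded
]

# Assumed one-year analysis window for the sample above.
WINDOW_START = date(2014, 1, 1)
WINDOW_END = date(2014, 12, 31)


def select_findings(findings, window_start=WINDOW_START, window_end=WINDOW_END):
    """Apply the report's two selection criteria: static code analysis scans
    only, and findings that were actually fixed within the window.
    Open findings (fixed_scan is None) are dropped rather than counted as zero."""
    return [
        f for f in findings
        if f[0] == "static"
        and f[4] is not None
        and window_start <= f[5] <= window_end
    ]


def median_scans_to_remediate(findings, window_start=WINDOW_START, window_end=WINDOW_END):
    """Return {(kingdom, severity): median number of scans from first detection
    to the remediation scan that verified the fix}."""
    groups = defaultdict(list)
    for _, kingdom, severity, detected, fixed, _ in select_findings(
        findings, window_start, window_end
    ):
        groups[(kingdom, severity)].append(fixed - detected)
    return {key: median(values) for key, values in groups.items()}


def average_of_medians(medians, severity):
    """Average the per-kingdom medians for one severity (the figure's
    'Critical average' / 'High average' annotations). None if no data."""
    values = [m for (_, sev), m in medians.items() if sev == severity]
    return sum(values) / len(values) if values else None


if __name__ == "__main__":
    medians = median_scans_to_remediate(SAMPLE_FINDINGS)
    for (kingdom, severity), m in sorted(medians.items()):
        print(f"{kingdom:40s} {severity:9s} median scans to remediate: {m}")
    for severity in ("Critical", "High"):
        print(f"{severity} average of per-kingdom medians: {average_of_medians(medians, severity)}")
```

The median is used, as in the report, because a single finding that lingered through many remediation scans would otherwise pull the per-kingdom figure upward; the per-severity "average" in the figure is then an average of those medians, not of the raw scan counts.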
