
HP Security Research | Cyber Risk Report 2015

In a typical security development lifecycle, it is recommended that corporations have practices in place for identifying weaknesses in their applications. As part of that lifecycle, it is the responsibility of the team to verify that known vulnerabilities and any close variants have been mitigated. In studying the data from the past year, we have observed that for those applications that are following a security development lifecycle, where applications are analyzed more than once, over 68 percent of vulnerabilities are being resolved.

Overall, the percentage of issues fixed in the Security Features, Encapsulation, and Code Quality kingdoms is relatively high. It is also interesting to note that in the Input Validation and Representation kingdom, where the more well-known vulnerabilities such as cross-site scripting and SQL injection reside, the percentage of critical and high issues fixed is similar. This could imply that such injection issues are prioritized and fixed together during implementation.

Conclusion

Knowledge is power; being aware of the specific circumstances that give rise to vulnerabilities lets security practitioners address their root causes—even, if healthy secure development practices are followed, before they are committed to code and released to an unsuspecting world.

For a snapshot of the state of application security in 2014, we analyzed a sample set of security audits performed by HP Fortify on Demand on 378 mobile apps, 6,504 Web apps, and 138 Sonatype reports from 113 projects. These audits include results from static, dynamic, and manual analysis. All identified issues were classified according to the HP Software Security Taxonomy (originally the “Seven Pernicious Kingdoms”), updated and refined in mid-2014 and under continued expansion in 2015.

The good news, if there is good news to be had, is that the uproar around such high-profile incidents as Heartbleed and Shellshock may yet lead software developers and architects to tackle security issues, particularly those in foundational or legacy code, more effectively. We saw that repeated scans lead to better software, and that the open-source development community seems to be selecting for healthier, better componentry—components with more security issues simply aren’t used as often by other developers.

That said, vulnerabilities are still pervasive. Sorting the vulnerabilities we discovered into the categories of our taxonomy, we found every indication that more Web and mobile apps contained discoverable vulnerabilities. Ironically, misused security features continue to be the trouble area for both Web and mobile apps. There were a few differences endemic to each type of application; the nature of mobile apps means they’re particularly prone to code quality issues rarely found in Web apps, while Web apps suffer from the types of problems covered in the errors section of our taxonomy.

Progress is possible. Despite the rise in detected vulnerabilities, the very fact that they are daylighted means that they can be analyzed and addressed. Our research indicates that critical-class vulnerabilities are taken seriously and given patch-development priority—not a surprising find, when one remembers that post-release patching remains part of a healthy development lifecycle, but perhaps a sign that smart practices truly do take hold and crowd out lesser habits in the security ecosystem.
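The report's fix-rate figures (over 68 percent of findings resolved where an application is scanned more than once, and per-kingdom, per-severity fix rates) rest on one piece of bookkeeping: matching each finding from an earlier audit against the follow-up audit so that "fixed", "still open" and "new" can be told apart. The script below is an added example of that comparison and is not code from the HP report or from Fortify on Demand; the kingdom names follow the Seven Pernicious Kingdoms taxonomy the report uses, while the finding categories, file locations, severities and the two scan result sets are constructed for illustration. Findings are keyed by a fingerprint of kingdom, category and location, deliberately excluding severity so that a re-rated finding is not mistaken for a fixed one.

```python
"""Compare two scans of the same application and report fix rates by kingdom
and severity. Added example; scan data below is constructed, not real audit output."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kingdom: str    # taxonomy kingdom, e.g. "Input Validation and Representation"
    category: str   # vulnerability category within the kingdom
    location: str   # file:line or URL, whatever the scanner reports
    severity: str   # "critical", "high", "medium", "low"

    def fingerprint(self):
        # Severity is excluded on purpose: a re-rated finding is the same finding.
        return (self.kingdom, self.category, self.location)


# Constructed sample data: a first audit and a follow-up audit of the same app.
FIRST_SCAN = [
    Finding("Input Validation and Representation", "SQL Injection", "orders.py:42", "critical"),
    Finding("Input Validation and Representation", "Cross-Site Scripting", "views.py:88", "high"),
    Finding("Input Validation and Representation", "Path Manipulation", "export.py:17", "medium"),
    Finding("Security Features", "Weak Cryptographic Hash", "auth.py:120", "high"),
    Finding("Security Features", "Hardcoded Password", "config.py:9", "critical"),
    Finding("Code Quality", "Unreleased Resource", "db.py:55", "low"),
    Finding("Encapsulation", "System Information Leak", "errors.py:31", "medium"),
]
SECOND_SCAN = [
    # Still present after the fix cycle:
    Finding("Input Validation and Representation", "Path Manipulation", "export.py:17", "medium"),
    Finding("Code Quality", "Unreleased Resource", "db.py:55", "low"),
    # Introduced between scans; it is neither "fixed" nor "unfixed", it is a regression:
    Finding("Security Features", "Insecure Randomness", "tokens.py:12", "high"),
]


def fix_rates(first, second):
    """Return {(kingdom, severity): (fixed, total)} for findings present in `first`.

    A finding counts as fixed if its fingerprint is absent from `second`.
    Findings that first appear in `second` are new and do not enter the rate.
    """
    still_open = {f.fingerprint() for f in second}
    counts = defaultdict(lambda: [0, 0])   # key -> [fixed, total]
    for f in first:
        key = (f.kingdom, f.severity)
        counts[key][1] += 1
        if f.fingerprint() not in still_open:
            counts[key][0] += 1
    return {k: (v[0], v[1]) for k, v in counts.items()}


def overall_fix_rate(first, second):
    """Fraction of first-scan findings no longer present in the second scan."""
    rates = fix_rates(first, second)
    fixed = sum(fx for fx, _ in rates.values())
    total = sum(tot for _, tot in rates.values())
    return fixed / total if total else 0.0


def kingdom_fix_rate(first, second, kingdom, severities=None):
    """Fix rate for one kingdom, optionally restricted to a set of severities."""
    fixed = total = 0
    for (k, sev), (fx, tot) in fix_rates(first, second).items():
        if k == kingdom and (severities is None or sev in severities):
            fixed += fx
            total += tot
    return fixed / total if total else 0.0


def new_findings(first, second):
    """Findings in the second scan with no counterpart in the first (regressions)."""
    seen = {f.fingerprint() for f in first}
    return [f for f in second if f.fingerprint() not in seen]


if __name__ == "__main__":
    print(f"overall fixed: {overall_fix_rate(FIRST_SCAN, SECOND_SCAN):.0%}")
    for (kingdom, sev), (fx, tot) in sorted(fix_rates(FIRST_SCAN, SECOND_SCAN).items()):
        print(f"{kingdom:40s} {sev:9s} {fx}/{tot}")
    for f in new_findings(FIRST_SCAN, SECOND_SCAN):
        print("new since first scan:", f.category, "at", f.location)
```

On the constructed data, five of the seven original findings are gone on the re-scan, and the critical and high findings in the Input Validation and Representation kingdom are all resolved while the medium one remains, the pattern the report describes for injection issues. Keeping new findings out of the fix rate matters: folding a regression into the denominator would understate how much of the original backlog the team actually cleared.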
