
Software Security Common Vulnerabilities Encoded During Development

Software Security Common Vulnerabilities Encoded During Development. Chris Wysopal, CTO & Co-Founder, Veracode. ISACA Luncheon, 11:30am Tuesday, February 5, 2013. http://www.veracode.com/reports. The Data Set. Applications from over 300 commercial and US government customers


Presentation Transcript


  1. Software Security: Common Vulnerabilities Encoded During Development

    Chris Wysopal, CTO & Co-Founder, Veracode. ISACA Luncheon, 11:30am Tuesday, February 5, 2013
  2. http://www.veracode.com/reports
  3. The Data Set
     Applications from over 300 commercial and US government customers
     Scanned 9,910 applications over past 18 months
     Ranged in size from 100KB to 6GB
     Software was pre-release and in production
     Internally built, outsourced, open source, and commercial ISV code
  4. Application Security Metrics
     Application Metadata: Industry vertical; Application supplier (internal, third-party, etc.); Application type; Assurance level; Language; Platform
     Scan Data: Scan number; Scan date; Lines of code; Flaw type
     Application Security Metrics: Flaw counts; Flaw percentages; Application count; Risk-adjusted rating; First scan acceptance rate; Time between scans; Days to remediation; Scans to remediation; CWE/SANS Top 25 (pass/fail); OWASP Top Ten (pass/fail); Custom policies
  5. Top 5 Attacked Web Application Vulnerabilities
  6. Top 3 Vulnerabilities by Language
  7. Top 3 Vulnerabilities by Language
  8. Different developers deliver different vulns
  9. Different industries accept different vulns Vulnerability distribution by industry
  10. How about mobile apps?
  11. Distribution by industry; Distribution by supplier type
  12. Percentage of Android Apps Affected
  13. Percentage of iOS Apps Affected
  14. Study of Enterprise Testing of the Software Supply Chain Feature Supplement of Veracode’s State of Software Security Report
  15. Vendor Applications Are Proliferating
     Today's business pressures require software and development outsourcing.
     Average enterprise has 600 mission critical apps.
     65% or 390 apps are externally developed.
     Explosive growth in outsourced, commercial, SaaS, mobile and open source.
     Most enterprises understand the risk, not how to manage it.
     Source: Outsourcing Software Security, Quocirca Research - April, 2012
  16. Dataset Overview Data from 939 application builds from Jan 2011 to Jun 2012
  17. Testing Vendor Applications is a Growing Trend
  18. Testing Vendor Applications is a Growing Trend
     Enterprises in many more industries request vendor application security tests
     Mar 2010 – Jul 2011: dominated by 2 industries
     Aug 2011 – Jun 2012: broader distribution of industries
  19. Why is Vendor Application Testing a Growing Trend? “Over the past 24 months, the number of security incidents attributed to customers, partners, and suppliers has nearly doubled.” PwC 2012 Global State of Information Security Survey
  20. * Slight differences between the total percentages in figures are due to rounding
  21. (chart)
  22. Questions? Chris Wysopal, cwysopal@veracode.com, @weldpond
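Slide 4 lists the metrics the report derives from per-scan records (first scan acceptance rate, time between scans, days and scans to remediation, pass/fail against a CWE-based policy, flaw percentages) but not how they are computed. The following is an added example, not code from the slides or from Veracode's platform; the policy (an illustrative subset of CWE/SANS Top 25 entries), the metric definitions and the sample scans are all assumptions made for the demonstration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Scan:
    app: str               # application name
    scanned_on: date       # scan date
    loc: int               # lines of code
    flaws: Dict[str, int]  # flaw type (CWE id) -> flaw count


# Constructed sample scans for three hypothetical apps (not data from the report).
SAMPLE_SCANS: List[Scan] = [
    Scan("billing", date(2012, 3, 1), 48_000, {"CWE-89": 3, "CWE-79": 12}),
    Scan("billing", date(2012, 4, 15), 48_500, {"CWE-79": 2}),
    Scan("billing", date(2012, 5, 20), 49_000, {}),
    Scan("portal", date(2012, 2, 10), 12_000, {"CWE-200": 4}),
    Scan("legacy", date(2012, 1, 5), 310_000, {"CWE-120": 7}),
    Scan("legacy", date(2012, 6, 1), 311_000, {"CWE-120": 5}),
]

# Assumed policy: an illustrative subset of CWE/SANS Top 25 entries. Any flaw
# whose CWE is in the set fails the scan; a real policy would cover the full list.
TOP25_SUBSET: Set[str] = {"CWE-79", "CWE-89", "CWE-78", "CWE-22", "CWE-120"}


def passes(scan: Scan, policy: Set[str] = TOP25_SUBSET) -> bool:
    """Pass/fail against a policy: no flaw of a policy CWE may be present."""
    return all(cwe not in policy or count == 0 for cwe, count in scan.flaws.items())


def history_by_app(scans: List[Scan]) -> Dict[str, List[Scan]]:
    """Group scans per application in date order (position = scan number)."""
    hist: Dict[str, List[Scan]] = {}
    for s in sorted(scans, key=lambda s: (s.app, s.scanned_on)):
        hist.setdefault(s.app, []).append(s)
    return hist


def first_scan_acceptance_rate(scans: List[Scan], policy: Set[str] = TOP25_SUBSET) -> float:
    """Fraction of applications whose very first scan passed the policy."""
    hist = history_by_app(scans)
    return sum(passes(h[0], policy) for h in hist.values()) / len(hist)


def remediation(scans: List[Scan], policy: Set[str] = TOP25_SUBSET) -> Dict[str, Optional[Tuple[int, int]]]:
    """Per app: (days to remediation, scans to remediation), or None if it never passed."""
    result: Dict[str, Optional[Tuple[int, int]]] = {}
    for app, h in history_by_app(scans).items():
        result[app] = None
        for n, s in enumerate(h, start=1):
            if passes(s, policy):
                result[app] = ((s.scanned_on - h[0].scanned_on).days, n)
                break
    return result


def mean_days_between_scans(scans: List[Scan]) -> float:
    """Average gap in days between consecutive scans of the same application."""
    gaps = [(b.scanned_on - a.scanned_on).days
            for h in history_by_app(scans).values() for a, b in zip(h, h[1:])]
    return sum(gaps) / len(gaps) if gaps else 0.0


def flaw_percentages(scans: List[Scan]) -> Dict[str, float]:
    """Share (%) of each flaw type, counted over each application's latest scan."""
    totals: Dict[str, int] = {}
    for h in history_by_app(scans).values():
        for cwe, count in h[-1].flaws.items():
            totals[cwe] = totals.get(cwe, 0) + count
    grand = sum(totals.values())
    return {cwe: 100.0 * c / grand for cwe, c in totals.items()} if grand else {}


def policy_status(scans: List[Scan], policy: Set[str] = TOP25_SUBSET) -> Dict[str, bool]:
    """Current pass/fail per application, judged on its latest scan."""
    return {app: passes(h[-1], policy) for app, h in history_by_app(scans).items()}


if __name__ == "__main__":
    print("first-scan acceptance rate:", first_scan_acceptance_rate(SAMPLE_SCANS))
    print("mean days between scans:", mean_days_between_scans(SAMPLE_SCANS))
    print("remediation (days, scans):", remediation(SAMPLE_SCANS))
    print("flaw percentages:", flaw_percentages(SAMPLE_SCANS))
    print("policy status:", policy_status(SAMPLE_SCANS))
```

With the constructed data, one of three apps passes on its first scan, "billing" needs three scans and 80 days to clear its injection and XSS findings, and "legacy" never passes because its buffer-overflow findings persist; a different policy set (for instance an OWASP Top Ten mapping) can be passed in to get the other pass/fail column from the same records.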