Owasp Ireland - The State of Software Security
Transcript

  • 1. Intelligence on the Intractable Problem of Insecure Software
    The Security Scoreboard In The Sky
    OWASP Ireland Conference, September 17, 2010
  • 2. Bio
    Tyler Shields
    – Senior Security Researcher at Veracode
    – Responsible for researching and incorporating security intelligence into Veracode's offerings
    Previously
    – Security Consultant, Symantec (through acquisition)
    – Security Consultant at @stake
    – Incident Response and Forensics Handler, U.S. Government
    Industry Involvement
    – Frequent speaker at security conferences
    – Author of numerous security advisories and open source tools
    – Creator of txsBBSpy - Blackberry Mobile Spyware
  • 3. Application Risk Management Services Platform: Automating Security Acceptance Testing
    Analysis types: Static Binary, Dynamic, Manual
    1. Set security policy
    2. Scan application (upload binary or specify URL)
    3. Achieve compliance with policy (remediate flaws)
    4. Make informed decisions (purchase / deploy / accept)
  • 4. Data Set and Available Metrics
    Application Data
    – Industry vertical
    – Application supplier (internal, purchased, outsourced, open source)
    – Application count
    – Application type
    – Assurance level
    – Language
    – Platform
    Scan Data
    – Scan number
    – Scan date
    – Lines of code
    Enterprise Metrics
    – Flaw counts
    – Flaw percentages
    – Risk-adjusted rating
    – First scan acceptance rate
    – Mean time between scans
    – Days to remediation
    – Scans to remediation
    – PCI-DSS (pass/fail)
    – CWE/SANS Top 25 (pass/fail)
    – OWASP Top Ten (pass/fail)
  • 5. State of Software Security, Volume 1
  • 6. Sample Distribution
    Applications by Supplier
    – Commercial: 60%
    – Internally developed: 30%
    – Open Source: 8%
    – Outsourced: 2%
    Applications by Industry
    – Financial: 34%
    – Software: 32%
    – Government: 32%
    – Other: 2%
    Applications by Language
    – Java: 47%
    – C/C++: 31%
    – .NET: 22%
  • 7. Statistically Significant Sample Size
    A sample size this large enables us to report findings with a reasonable degree of confidence:
    – Type I Error (probability of stating that something is FALSE when it is in fact TRUE): < 5%
    – Type II Error (probability of stating that something is TRUE when it is in fact FALSE): < 20%
    Margins of error for estimates of various metrics:
    – Flaw count: 10%
    – First scan acceptance rate: 15%
    – Veracode risk-adjusted rating: 10%
    – Remediation time: 10%
  • 8. State of Software Security, Vol. 1: Observations
    1. Most software is indeed very insecure
    2. Third-party software is a significant percentage of the enterprise software infrastructure, and third-party components are a significant percentage of most applications
    3. Open source projects have comparable security, faster remediation times, and fewer Potential Backdoors than Commercial or Outsourced software
    4. A significant amount of Commercial and Open Source software is written in C/C++, making it disproportionately susceptible to vulnerabilities that allow attackers to gain control of systems
    5. The pervasiveness of easily remedied vulnerabilities indicates a lack of developer education on secure coding
    6. Software of all types from Finance and Government sectors was relatively more secure on first submission to Veracode for testing
    7. Outsourced software is assessed the least, suggesting the absence of contractual security acceptance criteria
  • 9. Most Software is Insecure
    (pie chart: 42% / 58%)
  • 10. Veracode Risk-Adjusted Ratings
    Rating is based on analysis score at a given assurance level (VH, H, M: no Very High, High or Medium severity flaws present):

    Assurance Level    Rating   Analysis Score
    VERY HIGH (AL5)    A        90-100 (no VH, H, M)
                       B        80-89 (no VH, H)
                       C        70-79 (no VH)
                       D        60-69
    HIGH (AL4)         A        80-100 (no VH, H)
                       B        70-79 (no VH)
                       C        60-69
                       D        50-59
    MEDIUM (AL3)       A        70-100 (no VH)
                       B        60-69
                       C        50-59
                       D        40-49
    LOW (AL2)          A        60-100
                       B        50-59
                       C        40-49
                       D        30-39
  • 11. Most Software is Insecure
  • 12. Most Software is Insecure
    (charts: 2007 list and 2009 list)
  • 13. Third-Party Software Cannot Be Ignored
    – Commercial: 60%
    – Internally Developed: 30%
    – Open Source: 8%
    – Outsourced: 2%
  • 14. Third-Party Software Cannot Be Ignored
    (diagram: Development Process vs. Procurement Process, showing ISVs, outsourcers, US and foreign development centers, contractors and sub-contractors, open source and licensed third-party libraries feeding enterprise software, whether developed in-house, purchased (COTS), outsourced, open source or reused)
  • 15. Third-Party Software Cannot Be Ignored
    (same diagram, continued)
  • 16. ISVs Slowest to Remediate; Open Source Fastest
  • 17. C/C++ Less Prevalent in Enterprises
  • 18. Easily Remedied Vulnerabilities Remain Pervasive
  • 19. Easily Remedied Vulnerabilities Remain Pervasive
  • 20. Finance and Government are Better
  • 21. Finance and Government are Better?!
  • 22. Outsourced Software is Assessed the Least
    (same Development Process vs. Procurement Process diagram as slide 14)
  • 23. State of Software Security, Vol. 2: Observations
    1. …
    2. …
    3. Third-party applications found to have lowest security quality.
    4. …
    5. Suppliers of Cloud/Web applications were the most requested third-party assessments.
    6. No single method of application security testing is adequate by itself.
    7. …
  • 24. New In Volume 2
    – Deep dive on Financial Sector to explore differences between Banks, Insurance and Financial Services
    – Study on multiple testing techniques (static, dynamic, manual)
    – Language flaw density across C/C++, .NET, Java and ColdFusion
    – Investigation of third-party risk assessments market (buyers, sellers, performance etc.)
  • 25. More Resources
    Download the report, plus other whitepapers, webcasts, and educational resources
    – http://veracode.com/resources
    Veracode ZeroDay Labs Blog
    – http://veracode.com/blog
    Contact info
    – Email: tshields@veracode.com
    – Twitter: @txs
    – Phone: (USA) 304.YO.TYLER