6. MITRE Claims
• All application security tool vendors' claims put together cover only 45% of the known vulnerability types (over 600 in CWE).
• They also found very little overlap between tools, so to get to 45% you need them all (assuming their claims are true).
8. Security Test Results

Risk      Vulnerability                                              Remediation Status
Critical  Cross-site request forgery (CSRF)                          Partially fixed
Critical  Cross-site scripting (stored)                              Needs improvement
High      Session token does not change after login                  Fixed
Medium    User login ID enumeration                                  Fixed
Medium    Weak password requirements                                 Fixed
Medium    No logout function implemented                             Fixed
Medium    Account enumeration                                        Fixed
Medium    Improper access control                                    Fixed
Medium    Student can reveal teacher's login from server response    Not fixed
Low       Error messages reveal sensitive information                Fixed
Low       Internal IP address disclosure                             Fixed
Low       Insufficient password history management                   Fixed
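Three of the findings in the results table (session token unchanged after login, account / user login ID enumeration, and CSRF) reduce to a few lines of session handling. The following is an added illustration, not code from the tested application or from the original deck: a toy in-memory session layer with the vulnerable login beside the hardened one. The user name, password and message strings are constructed for the demo; a real system would store a salted password hash rather than the plaintext used here.

```python
import hmac
import secrets

# Constructed demo credentials: a real system stores a salted password hash.
USERS = {"teacher1": "correct horse battery"}
GENERIC_FAILURE = "Invalid username or password"  # identical text for both failure causes


class SessionStore:
    """Minimal in-memory session store keyed by an opaque session id."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "csrf": secrets.token_urlsafe(32)}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def rotate(self, sid):
        """Re-key the session and issue a fresh CSRF token; the old id stops working."""
        data = self._sessions.pop(sid)
        data["csrf"] = secrets.token_urlsafe(32)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid


def _credentials_ok(username, password):
    expected = USERS.get(username)
    if expected is None:
        # Run a comparison anyway so an unknown user does not fail measurably faster.
        hmac.compare_digest(password.encode(), b"\0" * len(password))
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


def login_vulnerable(store, sid, username, password):
    """Reproduces two findings: the pre-login session id is kept (session
    fixation) and the error text tells the caller whether the account exists."""
    sess = store.get(sid)
    if sess is None:
        return None, "No session"
    if username not in USERS:
        return None, "Unknown user"            # account enumeration
    if not _credentials_ok(username, password):
        return None, "Wrong password"          # account enumeration
    sess["user"] = username
    return sid, "OK"                           # same id as before login


def login_fixed(store, sid, username, password):
    """Hardened form: one failure message, and the session id is rotated
    the moment the privilege level changes."""
    sess = store.get(sid)
    if sess is None or not _credentials_ok(username, password):
        return None, GENERIC_FAILURE
    sess["user"] = username
    return store.rotate(sid), "OK"


def csrf_ok(store, sid, submitted):
    """Synchronizer-token check for a state-changing request."""
    sess = store.get(sid)
    if sess is None or sess["user"] is None or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(sess["csrf"].encode(), submitted.encode())


def demo():
    store = SessionStore()
    planted = store.create()  # id the attacker learned or planted in the victim's browser
    sid, _ = login_vulnerable(store, planted, "teacher1", "correct horse battery")
    fixation_present = sid == planted  # attacker's id is now an authenticated session

    store = SessionStore()
    planted = store.create()
    new_sid, _ = login_fixed(store, planted, "teacher1", "correct horse battery")
    fixation_fixed = new_sid != planted and store.get(planted) is None

    # A forged cross-site request carries no token; the site's own form carries the session's token.
    forged = csrf_ok(store, new_sid, None)
    legit = csrf_ok(store, new_sid, store.get(new_sid)["csrf"])
    return fixation_present, fixation_fixed, forged, legit


if __name__ == "__main__":
    print(demo())  # (True, True, False, True)
```

The rotation in `login_fixed` is the fix for the High finding; any framework with a session API exposes the same operation (regenerate the id on login, and on logout destroy the server-side record, which also covers the "no logout function" finding). The single failure message, plus the dummy comparison on unknown users, addresses the two enumeration findings.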
15. Recommendations
• Ensure that root cause analysis is used.
• Remove as many vulnerabilities of the same type as possible within the prescribed time frame or budget.
• Involve a security expert.
16. Use Fast Fix Methods - WAFs
A web application firewall is a security control at the web application level that does not depend on the application itself, so it can block a known attack pattern before the code is fixed. Treat it as a virtual patch, not a replacement for the root-cause fix recommended above: it helps with injection-style findings such as stored XSS, but not with logic and access-control findings like a student reading a teacher's login from a server response.