Web Security Landscape
2023
ME (Eoin Keary)
• OWASP Leader – 10 years
• Testing Guide founder/lead
• Code Review Guide founder/lead
• Global Vice-Chair
• Founder – Edgescan
• Ireland-HQ, NY, UK
• 250+ clients (Fortune 100 to SME)
• Circa 100 Staff, 60% Penetration testers, 30% Prod Dev.
• 15,000+ assessments/month (ASM/PTaaS/VM)
Risk – “The chance of something bad happening”
This is an analysis of vulnerabilities discovered across the full stack in hundreds of organizations. From Fortune 500 companies to medium and small businesses, the Edgescan Vulnerability Stats Report 2023 attempts to provide a statistical model of the most common weaknesses faced by organisations globally.
What is Edgescan? – How do we get these statistics?
Edgescan is
• Attack Surface Management,
• Full stack vulnerability management,
• Purpose built API Security Testing Engine
• Penetration Testing as a Service (PTaaS), and
• Risk prioritization on an enterprise scale.
Continuous scanning of web applications, APIs, cloud and networks for vulnerabilities without sacrificing accuracy, richness or fidelity.
Validation and Triage:
• All discovered vulnerabilities and risks are
validated via a combination of cyber-analytics and
human expertise.
• This is designed to ensure all reported
vulnerabilities are real, prioritized and valid,
helping our client save significant time in terms of
remediation and response.
• Vulnerabilities are mapped to CVSS, CISA KEV,
EPSS, EVSS* scoring
*Edgescan Validated Vulnerability Score
Breach Probability - Prioritization
What is EPSS?
The Exploit Prediction Scoring System (EPSS) is an open, data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild. The EPSS model produces a probability score between 0 and 1 (0 and 100%); the higher the score, the greater the probability that a vulnerability will be exploited.
https://www.first.org/epss/
What is CISA KEV?
CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild: the Known Exploited Vulnerability (KEV) catalog.
CISA strongly recommends all organizations review and monitor the KEV catalog and prioritize remediation of the listed vulnerabilities to reduce the likelihood of compromise by known threat actors.
https://www.cisa.gov/known-exploited-vulnerabilities
EVSS (Edgescan Validated Security Score)
Every vulnerability discovered by Edgescan is validated via a combination of data analytics and human expertise, resulting in near false-positive-free vulnerability intelligence. Once a vulnerability is validated it is mapped to both the CISA KEV and EPSS to assist with prioritization. All vulnerabilities in Edgescan (where applicable) have a CVSS, CISA KEV, EPSS and EVSS risk score.
**Both the CISA KEV and EPSS don't list unique vulnerabilities associated with a unique web application or web site.
Risk Density – Risks Across the Stack
The following is a breakdown of the risks discovered across the full stack, web applications and network/host. It also depicts the risks associated with potential PCI (Payment Card Industry) failures (not every vulnerability results in a PCI fail).
Severity | Full stack (% of total) | Application (% of total) | Network (% of total) | PCI failures (% of total)
Critical | 9.8% | 5.0% | 10.5% | 10%
High | 23.4% | 7.0% | 25.0% | 35%
Medium | 27.8% | 9.6% | 28.8% | 54%
Low | 39.0% | 78.0% | 35.7% | 0%
54% of PCI failures were of medium severity. "Much research indicates that such vulnerabilities will never be exploited albeit they result in a PCI DSS compliance fail."
Across the full stack more than 33% of discovered vulnerabilities were of a critical or high severity.
Across the web application and API layers 12% of discovered vulnerabilities were of a critical or high severity.
25.5% of discovered vulnerabilities in the infrastructure/hosting/cloud layer were of a critical or high severity.
Internet Facing – Critical Severity
% of all vulns | Name | CVSS | CVE | CWE | On CISA KEV | CVE on CISA KEV | EPSS
3.0% | Apache Multiple Log4j Vulnerabilities (Log4Shell) | 10 | CVE-2021-44228, CVE-2021-45046 | CWE-20, CWE-400, CWE-502 | TRUE | CVE-2021-44228 | 0.97095
2.6% | OS End Of Life Detection | 10 | | | FALSE | |
2.6% | WordPress Elegant Themes Divi Theme 3.0 <= 4.5.2 Authenticated Arbitrary File Upload | 9 | CVE-2020-35945 | | FALSE | | 0.00885
2.6% | MariaDB End Of Life Detection (Windows) | 10 | | | FALSE | |
1.9% | PHP < 7.4.28, 8.0.x < 8.0.16, 8.1.x < 8.1.3 Security Update (Feb 2022) - Windows | 9.8 | CVE-2021-21708 | CWE-416 | FALSE | | 0.00954
1.5% | Magento 2.3.3-p1 <= 2.3.7-p2, 2.4.x <= 2.4.3-p1 Multiple RCE Vulnerabilities (APSB22-12) | 9.8 | CVE-2022-24086, CVE-2022-24087 | CWE-20 | TRUE | CVE-2022-24086 | 0.35544
1.5% | PHP < 7.4.33, 8.0.x < 8.0.25, 8.1.x < 8.1.12 Security Update | 9.8 | CVE-2022-31630, CVE-2022-37454 | CWE-125, CWE-190 | FALSE | | 0.03806
1.5% | PHP Multiple Vulnerabilities (Feb 2019) - Windows | 9.8 | CVE-2019-9020, CVE-2019-9021, CVE-2019-9023, CVE-2019-9024 | CWE-125, CWE-416 | FALSE | | 0.02686
1.5% | Microsoft Exchange Server 2016 / 2019 Multiple Vulnerabilities (KB5007012) | 9.6 | CVE-2021-26427, CVE-2021-34453, CVE-2021-41348, CVE-2021-41350 | CWE-269 | FALSE | | 0.02427
1.5% | Microsoft Exchange Server 2013 / 2016 / 2019 Multiple Vulnerabilities (KB5008631) | 9 | CVE-2022-21846, CVE-2022-21855, CVE-2022-21969 | CWE-94 | FALSE | | 0.01877
1.1% | SAP Multiple Products Request Smuggling and Request Concatenation Vulnerability (ICMAD, 3123396) | 10 | CVE-2022-22536 | CWE-444 | TRUE | CVE-2022-22536 | 0.19548
Critical Severity vulnerabilities discovered in 2022 ordered by frequency.
Note the vulnerabilities which are listed on the CISA KEV and the corresponding
The mapping between CVSS, CISA KEV and EPSS
CISA KEV and EPSS do not appear to be aligned 100% of the time.
High CVSS scores do not necessarily mean remediation is considered high priority.
Some CISA KEV vulnerabilities have a low EPSS score.
Conclusion: we need multiple viewpoints to determine priority.
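The "multiple viewpoints" point above, as an added example that is not Edgescan's code or its EVSS scoring: the rows are the CVSS, CISA KEV and EPSS values from the page's own critical-severity tables, and the tier policy in combined_tier() is an assumption chosen to show how the three signals disagree.

```python
"""Triage the page's critical-severity findings by CVSS, CISA KEV and EPSS.

Added example, not Edgescan's code or its EVSS scoring. The rows are copied
from the page's critical-severity tables (CVSS, CISA KEV flag, EPSS); the
tiering in combined_tier() is an assumption chosen for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    name: str
    cvss: float
    on_kev: bool
    epss: Optional[float]  # None where the page lists no EPSS (finding has no CVE)


# Rows from the page's tables. "OS End Of Life Detection" has no CVE, so
# neither KEV nor EPSS can say anything about it (see the ** note above).
FINDINGS: List[Finding] = [
    Finding("Log4Shell", 10.0, True, 0.97095),
    Finding("OS End Of Life Detection", 10.0, False, None),
    Finding("WordPress Divi <= 4.5.2 file upload", 9.0, False, 0.00885),
    Finding("PHP < 7.4.28 security update", 9.8, False, 0.00954),
    Finding("Magento RCE (APSB22-12)", 9.8, True, 0.35544),
    Finding("Exchange 2016/2019 (KB5007012)", 9.6, False, 0.02427),
    Finding("SAP ICMAD (3123396)", 10.0, True, 0.19548),
    Finding("Intel AMT (INTEL-SA-00295)", 9.8, True, 0.00885),
]


def rank_by_cvss(findings: List[Finding]) -> List[str]:
    """CVSS alone: every 9.8-10 finding looks equally urgent."""
    return [f.name for f in sorted(findings, key=lambda f: -f.cvss)]


def rank_by_epss(findings: List[Finding]) -> List[str]:
    """EPSS alone: findings without a CVE silently drop out of the ranking."""
    scored = [f for f in findings if f.epss is not None]
    return [f.name for f in sorted(scored, key=lambda f: -f.epss)]


def high_cvss_low_epss(findings: List[Finding], cvss_min: float = 9.8,
                       epss_max: float = 0.05) -> List[str]:
    """Critical by CVSS but unlikely to be exploited according to EPSS."""
    return [f.name for f in findings
            if f.cvss >= cvss_min and f.epss is not None and f.epss <= epss_max]


def kev_with_low_epss(findings: List[Finding], epss_max: float = 0.05) -> List[str]:
    """Known exploited (on KEV) yet low EPSS: the two sources disagree."""
    return [f.name for f in findings
            if f.on_kev and f.epss is not None and f.epss <= epss_max]


def combined_tier(f: Finding) -> int:
    """Tiered decision combining all three signals (assumed policy):
    1 = on KEV (proven exploitation beats any prediction),
    2 = EPSS >= 0.1 (likely exploitation), 3 = CVSS >= 9 only, 4 = rest."""
    if f.on_kev:
        return 1
    if f.epss is not None and f.epss >= 0.1:
        return 2
    if f.cvss >= 9.0:
        return 3
    return 4


def triage(findings: List[Finding]) -> List[str]:
    """Order by tier, then EPSS, then CVSS. A finding with no CVE can only be
    ranked by CVSS, so it sinks to the end of its tier."""
    def key(f: Finding):
        return (combined_tier(f), -(f.epss or 0.0), -f.cvss)
    return [f.name for f in sorted(findings, key=key)]


if __name__ == "__main__":
    for label, order in (("CVSS", rank_by_cvss(FINDINGS)),
                         ("EPSS", rank_by_epss(FINDINGS)),
                         ("combined", triage(FINDINGS))):
        print(f"{label:>8}: {order}")
    print("high CVSS, low EPSS:", high_cvss_low_epss(FINDINGS))
    print("on KEV, low EPSS:   ", kev_with_low_epss(FINDINGS))
```

Running it shows the three orderings diverge: CVSS cannot separate the 10.0 findings, EPSS drops the end-of-life detection entirely, and only the combined tiering puts the KEV entries first while still ranking the no-CVE finding.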
API: Critical and High Severity
Name | Vulnerability Reference & Notes | CWE/OWASP | % of Critical Vulnerabilities
Injection Attacks | SQL, NoSQL, LDAP; OS injections; code injections; ORM-based vulnerabilities; parsers such as XML; traversal-based attacks. | CWE-79, CWE-725, API8:2019 | 27.30%
Lack of resources and rate limiting | The API does not restrict the number or frequency of requests from a particular API client. This can be abused to make thousands of API calls per second, or to request hundreds or thousands of data records at once, resulting in a Denial of Service condition. This weakness also enables arbitrary scraping of other parties' APIs and violates fair usage agreements. | CWE-770 / API4:2019 | 19.20%
Broken authentication | Weak authentication allowing compromise of authentication tokens or exploitation of common implementation flaws to assume other users' identities or bypass authentication completely. Compromising a system's ability to identify the client/user compromises API security overall. | API2:2019 / CWE-287 | 15.30%
Broken object level authorization (BOLA) | AKA insecure direct object reference (IDOR). As its name implies, the ability to directly access resources without privileges or authorization. | CWE-639 / API1:2019 | 13.20%
Excessive data exposure (Information disclosure) | Exposure of all object properties of an API endpoint without consideration for use case or requirement, resulting in reliance on API clients to perform the data filtering before displaying it to the user. | CWE-22, CWE-23, CWE-200, CWE-269, CWE-250 / API3:2019 | 9.70%
Mass assignment | The API does not control which object attributes can be modified, providing the potential for access to opaque data, outcomes or functions. This can be used to create new parameters that were never intended, which in turn creates or overwrites variables or objects in program code. | CWE-915 / API6:2019 | 7.30%
Broken function level authorization | Admin or sensitive functions exposed in error to unauthorized clients, resulting in data disclosure or privileged execution for unauthorized API clients. In effect this results in an overly large attack surface and unintended exposure risk. | CWE-285 / API5:2019 | 6.90%
The most common High and Critical severity vulnerabilities discovered in 2022. The Occurrence % is the rate of occurrence compared to all critical & high severity vulnerabilities discovered in 2022.
Edgescan validates vulnerabilities based on the context of the unique issue, and this does not always tally with CVSS scoring.
CWE/OWASP: Common Weakness Enumeration / OWASP API Top 10 reference.
Web Applications: Critical Severity
Name | On CISA KEV | Percentage of Total | CWE | CVE | Description
SQL injection | | 23.4% | CWE-89 | | SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query. Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.
Malicious File Upload | | 22.7% | CWE-434 | | Uploaded viruses and malware could later be downloaded by users of the application. Such malware can cause partial or complete compromise of a network that the host resides on.
Cross-site scripting (stored) | | 19.1% | CWE-79 | | Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. Stored XSS is also sometimes referred to as Persistent or Type-II XSS.
Authorization Issue - Privilege Bypass | | 7.8% | CWE-285 | | Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of all data, or performing a business function outside the user's limits.
PHP Multiple Vulnerabilities | | 7.1% | CWE-264 | CVE-2012-2688, CVE-2012-3365 | Multiple vulnerabilities pertaining to PHP patching.
Log4Shell (CVE-2021-44228) | Yes | 5.0% | CWE-917 | CVE-2021-44228 | A remote code execution vulnerability exists in Apache Log4j < 2.15.0 due to insufficient protections on message lookup substitutions when dealing with user controlled input. A remote, unauthenticated attacker can exploit this via a web request to execute arbitrary code with the permission level of the running Java process.
Spring4Shell | Yes | 4.3% | CWE-94 | CVE-2022-22965 | The application appears to be vulnerable to CVE-2022-22965 (otherwise known as Spring4Shell): remote code execution (RCE) via data binding. Please note the detection of this vulnerability is not possible to verify with absolute certainty from an external perspective.
Weak Password Policy | | 1.4% | CWE-521 | | System has poor password controls: no MFA, default credentials etc.
Database Console Exposure | | 1.4% | CWE-200 | | It was noted whilst testing the application that the database console was accessible. The database console provides access to privileged functionality which should not be accessible except by authorized users or networks. Access to the console could allow a malicious actor to execute SQL statements on the server.
File path traversal | | 1.4% | CWE-35 | | This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory.
SQL injection is still the main contender (as it was in 2021), which is interesting to note since we can easily develop code (or block vectors) to mitigate such attacks.
Something which is overlooked quite frequently is malicious file uploads, at 22.7% of total critical vulnerabilities discovered. This can give rise to ransomware, malware and internal network breach pivot points for attackers.
Log4Shell (first discovered in late 2021) contributed 5% of all critical severity vulnerabilities discovered in 2022.
Authorization issues cover privilege escalation or access to restricted functionality which would result in a data breach.
Non-Internet Facing – Critical Severity
% of all vulns | Name | CVSS | CVE | CWE | On CISA KEV | CVE on CISA KEV | EPSS
8.1% | Mozilla Firefox Security Updates (mfsa2022-24) - Windows | 9.8 | CVE-2022-2200, CVE-2022-34468, CVE-2022-34470, CVE-2022-34471, CVE-2022-34472, CVE-2022-34473, CVE-2022-34474, CVE-2022-34475, CVE-2022-34476, CVE-2022-34477, .. | CWE-1321, CWE-190, CWE-416, CWE-601, CWE-617, CWE-787, CWE-79, CWE-824 | FALSE | | 0.23331
8.0% | Adobe Acrobat Various Vulnerabilities | 10 | CVE-2009-0193, CVE-2009-0658, CVE-2009-0927, CVE-2009-0928, CVE-2009-1061, CVE-2009-1062, CVE-2019-7140, CVE-2019-7141, CVE-2019-7142, .. | CWE-119, CWE-20 | TRUE | CVE-2009-0927 | 0.86734
7.4% | Mozilla Firefox Security Update Various | 9.6 | CVE-2022-0511, CVE-2022-22753, CVE-2022-22754, CVE-2022-22755, CVE-2022-22756, CVE-2022-22757, CVE-… | CWE-119, CWE-20, CWE-209, CWE-367, CWE-672, CWE-787, CWE-863 | FALSE | | 0.01018
5.3% | Oracle Java SE Security Updates (apr2019-5072813) 01 - Windows | 9 | CVE-2019-2699 | | FALSE | | 0.00954
3.2% | Adobe Flash Player Various Vulnerabilities | 10 | CVE-2014-0497, CVE-2018-4877, CVE-2018-4878, CVE-2016-0964, CVE-2016-0965, CVE-2016-0966, CVE-2016-0967, CVE-2016-0968, CVE-2016-0969, … | CWE-189 | TRUE | CVE-2021-21017, CVE-2021-28550, CVE-2018-4939, CVE-2018-15961, CVE-2018-4878 | 0.94050
2.7% | Microsoft SQL Server Unsupported Version Detection | 10 | | | FALSE | |
2.6% | OS End Of Life Detection | 10 | | | FALSE | |
2.3% | SUSE: Various Security Advisories | 9.8 | CVE-2019-18902, CVE-2019-18903, CVE-2020-7216, CVE-2020-7217 | CWE-401, CWE-416, CWE-772 | FALSE | | 0.01156
1.7% | Intel Active Management Technology Multiple Vulnerabilities (INTEL-SA-00295) | 9.8 | CVE-2020-0531, CVE-2020-0532, CVE-2020-0537, CVE-2020-0538, CVE-2020-0540, CVE-2020-0594, CVE-2020-0595, CVE-2020-0596, CVE-2020-11899, CVE-2020-11900, … | CWE-125, CWE-20, CWE-415, CWE-416, CWE-522 | TRUE | CVE-2020-11899 | 0.00885
0.7% | Apache Tomcat AJP RCE Vulnerability (Ghostcat) | 9.8 | CVE-2020-1938 | CWE-269 | TRUE | CVE-2020-1938 | 0.96554
0.7% | SUSE: Security Advisory (SUSE-SU-2022:3466-1) | 9.8 | CVE-2022-40674 | CWE-416 | FALSE | | 0.17166
0.6% | HTTP Brute Force Logins With Default Credentials | 9 | | | FALSE | |
Mozilla Firefox and Adobe top the list with multiple CVEs. The Adobe vulnerabilities are listed on the CISA KEV and have an EPSS score of 86%.
Adobe Flash, Apache and Intel vulnerabilities also have CISA KEV entries. The Flash vulnerability also has an EPSS score of 94% and Apache an EPSS score of 96%, albeit not as common a weakness.
Vulnerability Clustering
Metrics relating to the average count of vulnerabilities per asset*. Most assets across the full stack have multiple vulnerabilities:
Risk Cluster/Asset | % of Assets
1-10 vulnerabilities | 52.55%
11-100 vulnerabilities | 18.60%
100+ vulnerabilities | 9.35%
52.22% of all assets assessed in 2022 had between 1 and 10 vulnerabilities throughout the 12-month period.
18.6% of all assets assessed in 2022 had between 11 and 100 vulnerabilities, and 9.35% of assets had 100+ vulnerabilities.
*Assets are defined in Edgescan as an endpoint, API or web application.
Attack Surface Management (ASM)
Based on a sample of 500,000 continuous scans, the table below describes the systems discovered to be exposed on the public Internet. (Standard ports such as HTTP 80 and HTTPS 443 are not included.)
Port | # discovered | Protocol | Notes
22 | 21910 | SSH | Exposed remote access service. There were 90 CVEs reported relating to SSH in 2022.
8443 | 17960 | HTTP | Potential pre-production web service.
8080 | 8660 | HTTP | Potential pre-production port.
179 | 8180 | BGP | Exposed Border Gateway web service. There were 17 CVEs reported relating to BGP in 2022.
222 | 7190 | UDP | UDP service.
25 | 6290 | SMTP | Exposed SMTP email port.
5000 | 6270 | UPnP | Exposed Universal Plug and Play service. There were 5 CVEs reported relating to UPnP in 2022.
111 | 6000 | SUNRPC | Exposed RPC service. There were 4 CVEs reported relating to SUNRPC in 2022.
53 | 5680 | DNS | DNS service.
1720 | 5190 | H323 | Exposed SIP service. There were 8 CVEs reported relating to H323/SIP in 2022.
10000 | 4940 | NDMP | Exposed Network Data Management Protocol.
264 | 4800 | SecuRemote | Checkpoint SecuRemote service.
3389 | 4540 | RDP | Exposed remote login. There were 16 CVEs reported relating to RDP in 2022.
1300 | 4500 | H323 | SIP service. There were 8 CVEs reported relating to H323/SIP in 2022.
1719 | 4450 | SMB | Exposed SMB port. There were 18 CVEs reported relating to RDP in 2022.
21 | 2980 | FTP | File transfer service. There were 18 CVEs reported relating to FTP in 2022.
110 | 2020 | POP3 | Plain text email port service.
3306 | 1990 | MYSQL | Exposed database, 'nuff said.
139 | 1730 | SMB | Server Message Block.
5432 | 1710 | PostgreSQL | Exposed database.
23 | 1540 | Telnet | Exposed remote access.
We still see exposed databases and remote access services which are easily exploited for data theft, network breach or ransomware attacks.
Many of the exposed services of note have CVEs attributed to them in 2022.
SSH exposures were relatively common (21,910 exposures discovered). SSH had circa 90 new CVEs attributed to the protocol in 2022. Port 22 is subject to countless unauthorized login attempts by hackers who are attempting to access unsecured servers.
A highly effective deterrent is to simply turn off Port 22 and run the service on a seemingly random port above 1024 (and up to 65535).
Remote access exposures are a common attack vector for ransomware attacks as a first step of the attack chain.
Vulnerability Age
CVE Year | % vulnerabilities in 2022* | % High or Critical Severity
2022 | 16.34% | 83.54%
2021 | 21.10% | 80.95%
2020 | 31.49% | 74.18%
2019 | 23.60% | 44.43%
2018 | 16.01% | 54.11%
2017 | 5.78% | 56.77%
2016 | 6.03% | 75.55%
2015 | 9.10% | 11.66%
2014 | 1.31% | 36.62%
2013 | 5.79% | 3.05%
2012 | 0.98% | 32.10%
2011 | 0.79% | 15.23%
2010 | 0.11% | 73.17%
2009 | 0.34% | 51.77%
2008 | 0.08% | 14.74%
2007 | 0.11% | 5.29%
2006 | 0.01% | 57.14%
2005 | 0.00% | 0.00%
2004 | 0.15% | 1.79%
2003 | 0.08% | 0.00%
[Chart: CVEs discovered in 2022, by CVE year – series "% discovered in 2022" and "% High or critical", y-axis 0% to 90%]
During 2022 we can see the percentages of aged CVEs discovered. E.g. 21.1% of the vulnerabilities discovered contained CVEs from 2021, with 80% of those CVEs considered High or Critical severity.
* The % of vulnerabilities containing a CVE from a specific year. Some assets had more than one vulnerability. Some assets have more than one CVE from multiple years.
Conclusions
• We are still not getting the basics right.
• In 2022 we've observed very basic vulnerabilities, many of which are commonly leveraged by cybercrime.
• Continuous assessment, validation & prioritization will make a huge difference to any organization's cybersecurity posture.
• Resilience: "internal"/non-Internet-facing vulnerability management is certainly overlooked, possibly the reason for the ease of pivot by cybercrime organisations once they breach the perimeter.
• API security is still "the poor relation" to web application security, possibly due to poor tooling and approaches to API security assessment. API discovery is also an important tool to leverage to keep pace with what's deployed publicly.
• Attack Surface Management (ASM) is not a "wishlist item" and aids decent vulnerability management coverage. Many exposures ASM detects are not CVE/OWASP related but rather due to poor visibility.
• Reliance on "Shift Left" security alone will not solve the problem of system insecurity when business system risk is viewed from a "full stack" perspective.
• Remediation times need to come down. This may be due to poor prioritization and lack of understanding of "what matters" when assessing a "vulnerability backlog".
• CISA KEV and EPSS are great tools when combined with CVSS. Validated, accurate vulnerability data has also proven to increase the speed of MTTR & manage vulnerability backlog.
Thanks
March 2023 – Edgescan Vulnerability Stats Report. Download from www.edgescan.com
Is "Shift Left" working?
No, at least not as expected.
Global metrics (2022) point to the fact that things are worse than ever.
Observing behaviour is best when done in its living environment: "naturalistic observation".
Shift Left?
Focuses on
• Application software during the development phase.
• In isolation (in many cases).
• In a test environment, where the software environment is probably dissimilar to the one the system will actually run in.
• Data "food chain" not considered – upstream/downstream.
What are we securing?
Software is defined as the following: applications, APIs, OS, firewall, cloud, load balancers, browsers, web servers, toasters, etc.
"Secure software only does what it was designed to do. Anything else is weakness."
"It's the Software, Stupid…"
• The method of breach, pivot and exploit is all based on a couple of weaknesses:
• # 1: Logical weaknesses, which include poor authentication, poor authorization, poor business logic design; and
• # 2: Technical weaknesses, which are vulnerabilities in software: those weaknesses which can be exploited via tools, manual know-how or "commercial grade" exploitation toolkits.
• # 1 is due to poor design, peer review, understanding of use cases and environment, and lack of awareness of potential threats/risks to the system.
• We have always had to contend with this.
• # 2 is all about the software, stupid. Even though we have "shift left" coursing through our veins, even the biggest and most profitable/experienced enterprises are still producing critically weak systems, which are widespread, amplifying the problem.
“It’s the Software, Stupid…”
It can be argued that shift left is static: the full stack system is being tested in an environment which does not change around it.
Problem: our environment is always changing. Even in the systems where the developer code is not subject to much change, the landscapes in which they live are.
Vulnerabilities in the browser, the web server, the cryptography, and the firewall all rely on each other and, combined, deliver the system solution.
"Change gives rise to risk"
• Change occurs when:
  • A system does not change: over time critical vulnerabilities are discovered and patches are released. Yesterday I was secure, today I've a Critical Risk. Need to patch/redeploy.
  • A system changes: new features deployed, new services exposed, larger attack surface, more exposed, more to attack, more headaches…
Enterprise Systems
Defined by numerous components, many of them open-source or third party, with various degrees of secure design and development:
1. A deployment environment developed by a third party, subject to vulnerabilities and human error.
2. A custom web application developed by the enterprise.
3. A firewall, WAF etc., also prone to vulnerabilities and coding errors.
4. A third-party client-side component.
5. A B2B service to deliver a function we purchased and built.
In 90% of cases, Shift-Left Security would only help assure point 2 above, the developed code. We hope this highlights our main point and paints a landscape of castles made of sand.
Conclusion #2:
We need to "get shifty…"
• We need to Shift Left, Right, and Across the Full Stack.
• Shift Left makes sense for developing secure code, NOT for effectively measuring a system's security posture in the wild, where all the components are working in tandem.
• We need to focus on run-time assessment, using automation for scale and efficiency, but we need accuracy and depth also.
• Shifting right addresses some of this by virtue of production-safe testing of an application in its living environment. We need continuous assessment and attack surface management to continuously monitor the asset, AND the environment in which it is deployed.

Online Gaming Cyber security and Threat Model
Eoin Keary
 
Keeping the wolf from 1000 doors.
Keeping the wolf from 1000 doors.Keeping the wolf from 1000 doors.
Keeping the wolf from 1000 doors.
Eoin Keary
 
Security by the numbers
Security by the numbersSecurity by the numbers
Security by the numbers
Eoin Keary
 
Web security – everything we know is wrong cloud version
Web security – everything we know is wrong   cloud versionWeb security – everything we know is wrong   cloud version
Web security – everything we know is wrong cloud version
Eoin Keary
 
Cybersecurity by the numbers
Cybersecurity by the numbersCybersecurity by the numbers
Cybersecurity by the numbers
Eoin Keary
 
Ebu class edgescan-2017
Ebu class edgescan-2017Ebu class edgescan-2017
Ebu class edgescan-2017
Eoin Keary
 
Vulnerability management and threat detection by the numbers
Vulnerability management and threat detection by the numbersVulnerability management and threat detection by the numbers
Vulnerability management and threat detection by the numbers
Eoin Keary
 
14. html 5 security considerations
14. html 5 security considerations14. html 5 security considerations
14. html 5 security considerations
Eoin Keary
 
04. xss and encoding
04.  xss and encoding04.  xss and encoding
04. xss and encoding
Eoin Keary
 
03. sql and other injection module v17
03. sql and other injection module v1703. sql and other injection module v17
03. sql and other injection module v17
Eoin Keary
 

More from Eoin Keary (20)

Validation of vulnerabilities.pdf
Validation of vulnerabilities.pdfValidation of vulnerabilities.pdf
Validation of vulnerabilities.pdf
 
Does a Hybrid model for vulnerability Management Make Sense.pdf
Does a Hybrid model for vulnerability Management Make Sense.pdfDoes a Hybrid model for vulnerability Management Make Sense.pdf
Does a Hybrid model for vulnerability Management Make Sense.pdf
 
Edgescan 2022 Vulnerability Statistics Report
Edgescan 2022 Vulnerability Statistics ReportEdgescan 2022 Vulnerability Statistics Report
Edgescan 2022 Vulnerability Statistics Report
 
Edgescan 2021 Vulnerability Stats Report
Edgescan 2021 Vulnerability Stats ReportEdgescan 2021 Vulnerability Stats Report
Edgescan 2021 Vulnerability Stats Report
 
One login enemy at the gates
One login enemy at the gatesOne login enemy at the gates
One login enemy at the gates
 
Edgescan vulnerability stats report 2020
Edgescan vulnerability stats report 2020Edgescan vulnerability stats report 2020
Edgescan vulnerability stats report 2020
 
edgescan vulnerability stats report (2019)
edgescan vulnerability stats report (2019) edgescan vulnerability stats report (2019)
edgescan vulnerability stats report (2019)
 
Full stack vulnerability management at scale
Full stack vulnerability management at scaleFull stack vulnerability management at scale
Full stack vulnerability management at scale
 
Vulnerability Intelligence - Standing Still in a world full of change
Vulnerability Intelligence - Standing Still in a world full of changeVulnerability Intelligence - Standing Still in a world full of change
Vulnerability Intelligence - Standing Still in a world full of change
 
Hide and seek - Attack Surface Management and continuous assessment.
Hide and seek - Attack Surface Management and continuous assessment.Hide and seek - Attack Surface Management and continuous assessment.
Hide and seek - Attack Surface Management and continuous assessment.
 
Online Gaming Cyber security and Threat Model
Online Gaming Cyber security and Threat ModelOnline Gaming Cyber security and Threat Model
Online Gaming Cyber security and Threat Model
 
Keeping the wolf from 1000 doors.
Keeping the wolf from 1000 doors.Keeping the wolf from 1000 doors.
Keeping the wolf from 1000 doors.
 
Security by the numbers
Security by the numbersSecurity by the numbers
Security by the numbers
 
Web security – everything we know is wrong cloud version
Web security – everything we know is wrong   cloud versionWeb security – everything we know is wrong   cloud version
Web security – everything we know is wrong cloud version
 
Cybersecurity by the numbers
Cybersecurity by the numbersCybersecurity by the numbers
Cybersecurity by the numbers
 
Ebu class edgescan-2017
Ebu class edgescan-2017Ebu class edgescan-2017
Ebu class edgescan-2017
 
Vulnerability management and threat detection by the numbers
Vulnerability management and threat detection by the numbersVulnerability management and threat detection by the numbers
Vulnerability management and threat detection by the numbers
 
14. html 5 security considerations
14. html 5 security considerations14. html 5 security considerations
14. html 5 security considerations
 
04. xss and encoding
04.  xss and encoding04.  xss and encoding
04. xss and encoding
 
03. sql and other injection module v17
03. sql and other injection module v1703. sql and other injection module v17
03. sql and other injection module v17
 

Recently uploaded

一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
keoku
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
3ipehhoa
 
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
uehowe
 
Understanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdfUnderstanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdf
SEO Article Boost
 
Explore-Insanony: Watch Instagram Stories Secretly
Explore-Insanony: Watch Instagram Stories SecretlyExplore-Insanony: Watch Instagram Stories Secretly
Explore-Insanony: Watch Instagram Stories Secretly
Trending Blogers
 
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
cuobya
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
eutxy
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
Rogerio Filho
 
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
CIOWomenMagazine
 
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
cuobya
 
7 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 20247 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 2024
Danica Gill
 
Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027
harveenkaur52
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Brad Spiegel Macon GA
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
3ipehhoa
 
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfMeet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Florence Consulting
 
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
ysasp1
 
Gen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needsGen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needs
Laura Szabó
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
3ipehhoa
 
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
zyfovom
 
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
zoowe
 

Recently uploaded (20)

一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
 
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
 
Understanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdfUnderstanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdf
 
Explore-Insanony: Watch Instagram Stories Secretly
Explore-Insanony: Watch Instagram Stories SecretlyExplore-Insanony: Watch Instagram Stories Secretly
Explore-Insanony: Watch Instagram Stories Secretly
 
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
 
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
 
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
 
7 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 20247 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 2024
 
Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
 
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfMeet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
 
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
 
Gen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needsGen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needs
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
 
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
 
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
 

IISF-March2023.pptx

5. Breach Probability - Prioritization

What is EPSS?
The Exploit Prediction Scoring System (EPSS) is an open, data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild. The EPSS model produces a probability score between 0 and 1 (0 and 100%), where the higher the score, the greater the probability that a vulnerability will be exploited. https://www.first.org/epss/

What is CISA KEV?
CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild: the Known Exploited Vulnerability (KEV) catalog. CISA strongly recommends all organizations review and monitor the KEV catalog and prioritize remediation of the listed vulnerabilities to reduce the likelihood of compromise by known threat actors. – https://www.cisa.gov/known-exploited-vulnerabilities

EVSS (Edgescan Validated Security Score)
Every vulnerability discovered by Edgescan is validated via a combination of data analytics and human expertise, resulting in near false-positive-free vulnerability intelligence. Once a vulnerability is validated it is mapped to both the CISA KEV and EPSS to assist with prioritization. All vulnerabilities in Edgescan (where applicable) have a CVSS, CISA KEV, EPSS and EVSS risk score.

**Both the CISA KEV and EPSS don’t list unique vulnerabilities associated with a unique web application or web site.
6. Risk Density – Risks Across the Stack

The following is a breakdown of the risks discovered across the full stack, web applications and network/host. It also depicts the risks associated with potential PCI (Payment Card Industry) failures (not every vulnerability results in a PCI fail).

| Severity | Full stack (% of total) | Application (% of total) | Network (% of total) | PCI failures (% of total) |
|---|---|---|---|---|
| Critical | 9.8% | 5.0% | 10.5% | 10% |
| High | 23.4% | 7.0% | 25.0% | 35% |
| Medium | 27.8% | 9.6% | 28.8% | 54% |
| Low | 39.0% | 78.0% | 35.7% | 0% |

• 54% of PCI failures were of medium severity. “Much research indicates that such vulnerabilities will never be exploited albeit they result in a PCI DSS compliance fail”
• Across the full stack more than 33% of discovered vulnerabilities were of a critical or high severity.
• Across the web application and API layers 12% of discovered vulnerabilities were of a critical or high severity.
• 25.5% of discovered vulnerabilities in the infrastructure/hosting/cloud layer were of a critical or high severity.
7. Internet Facing – Critical Severity

| % of all vulns | Name | CVSS | CVE | CWE | On CISA KEV | CVE on CISA KEV | EPSS |
|---|---|---|---|---|---|---|---|
| 3.0% | Apache Multiple Log4j Vulnerabilities (Log4Shell) | 10 | CVE-2021-44228, CVE-2021-45046 | CWE-20, CWE-400, CWE-502 | TRUE | CVE-2021-44228 | 0.97095 |
| 2.6% | OS End Of Life Detection | 10 | | | FALSE | | |
| 2.6% | WordPress Elegant Themes Divi Theme 3.0 <= 4.5.2 Authenticated Arbitrary File Upload | 9 | CVE-2020-35945 | | FALSE | | 0.00885 |
| 2.6% | MariaDB End Of Life Detection (Windows) | 10 | | | FALSE | | |
| 1.9% | PHP < 7.4.28, 8.0.x < 8.0.16, 8.1.x < 8.1.3 Security Update (Feb 2022) - Windows | 9.8 | CVE-2021-21708 | CWE-416 | FALSE | | 0.00954 |
| 1.5% | Magento 2.3.3-p1 <= 2.3.7-p2, 2.4.x <= 2.4.3-p1 Multiple RCE Vulnerabilities (APSB22-12) | 9.8 | CVE-2022-24086, CVE-2022-24087 | CWE-20 | TRUE | CVE-2022-24086 | 0.35544 |
| 1.5% | PHP < 7.4.33, 8.0.x < 8.0.25, 8.1.x < 8.1.12 Security Update | 9.8 | CVE-2022-31630, CVE-2022-37454 | CWE-125, CWE-190 | FALSE | | 0.03806 |
| 1.5% | PHP Multiple Vulnerabilities (Feb 2019) - Windows | 9.8 | CVE-2019-9020, CVE-2019-9021, CVE-2019-9023, CVE-2019-9024 | CWE-125, CWE-416 | FALSE | | 0.02686 |
| 1.5% | Microsoft Exchange Server 2016 / 2019 Multiple Vulnerabilities (KB5007012) | 9.6 | CVE-2021-26427, CVE-2021-34453, CVE-2021-41348, CVE-2021-41350 | CWE-269 | FALSE | | 0.02427 |
| 1.5% | Microsoft Exchange Server 2013 / 2016 / 2019 Multiple Vulnerabilities (KB5008631) | 9 | CVE-2022-21846, CVE-2022-21855, CVE-2022-21969 | CWE-94 | FALSE | | 0.01877 |
| 1.1% | SAP Multiple Products Request Smuggling and Request Concatenation Vulnerability (ICMAD, 3123396) | 10 | CVE-2022-22536 | CWE-444 | TRUE | CVE-2022-22536 | 0.19548 |

Critical severity vulnerabilities discovered in 2022, ordered by frequency. Note the vulnerabilities which are listed on the CISA KEV and the corresponding

The mapping between CVSS, CISA KEV and EPSS:
• CISA KEV and EPSS do not appear to be aligned 100% of the time.
• High CVSS scores do not necessarily mean remediation is considered high priority.
• Some CISA KEV vulnerabilities have a low EPSS score.
• Conclusion: we need multiple viewpoints to determine priority.
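A worked example of the "multiple viewpoints" conclusion above, added here and not part of the Edgescan report or platform: a small Python triage script that tiers findings by CISA KEV membership first, then EPSS, then CVSS, and reports where that order disagrees with a CVSS-only ranking. The sample findings are constructed from values in the table above; the tier rules and the 0.10 EPSS threshold are assumptions chosen for illustration, not Edgescan's EVSS method.

```python
"""Tier validated findings by CISA KEV, EPSS and CVSS together.

Added illustration, not Edgescan code: the tier rules and the 0.10 EPSS
threshold are assumptions. Sample findings are constructed from the
Internet-facing critical severity table in the report.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Finding:
    name: str
    cvss: float
    epss: Optional[float]        # None when there is no CVE to look up (e.g. EOL detections)
    on_kev: bool
    cves: List[str] = field(default_factory=list)


# Constructed sample set; values copied from the slide table above.
SAMPLE: List[Finding] = [
    Finding("Apache Log4j (Log4Shell)", 10.0, 0.97095, True,
            ["CVE-2021-44228", "CVE-2021-45046"]),
    Finding("OS End Of Life Detection", 10.0, None, False),
    Finding("WordPress Divi Theme Arbitrary File Upload", 9.0, 0.00885, False,
            ["CVE-2020-35945"]),
    Finding("Magento Multiple RCE (APSB22-12)", 9.8, 0.35544, True,
            ["CVE-2022-24086", "CVE-2022-24087"]),
    Finding("SAP ICMAD Request Smuggling", 10.0, 0.19548, True, ["CVE-2022-22536"]),
    Finding("PHP < 7.4.28 Security Update (Feb 2022)", 9.8, 0.00954, False,
            ["CVE-2021-21708"]),
]

EPSS_ACT_NOW = 0.10   # assumed threshold, not an EPSS or Edgescan recommendation


def priority_tier(f: Finding) -> int:
    """1 = fix now, 2 = likely exploited soon, 3 = critical by CVSS only, 4 = schedule.

    Known exploitation (KEV) outranks predicted exploitation (EPSS), which
    outranks theoretical severity (CVSS).
    """
    if f.on_kev:
        return 1
    if f.epss is not None and f.epss >= EPSS_ACT_NOW:
        return 2
    if f.cvss >= 9.0:
        return 3
    return 4


def combined_key(f: Finding) -> Tuple[int, float, float]:
    # Within a tier, higher EPSS first; findings with no EPSS sort last, then by CVSS.
    epss = f.epss if f.epss is not None else -1.0
    return (priority_tier(f), -epss, -f.cvss)


def prioritise(findings: List[Finding]) -> List[Finding]:
    return sorted(findings, key=combined_key)


def rank_positions(findings: List[Finding], key: Callable[[Finding], object]) -> Dict[str, int]:
    return {f.name: pos for pos, f in enumerate(sorted(findings, key=key), start=1)}


def compare_with_cvss_only(findings: List[Finding]) -> List[Tuple[str, int, int]]:
    """(name, rank by CVSS alone, rank by the combined key) for every finding that moves."""
    by_cvss = rank_positions(findings, lambda f: -f.cvss)
    by_combined = rank_positions(findings, combined_key)
    return [(f.name, by_cvss[f.name], by_combined[f.name])
            for f in findings if by_cvss[f.name] != by_combined[f.name]]


if __name__ == "__main__":
    for pos, f in enumerate(prioritise(SAMPLE), start=1):
        print(f"{pos}. tier {priority_tier(f)}  CVSS {f.cvss:<4} EPSS {f.epss}  KEV {f.on_kev}  {f.name}")
    for name, cvss_rank, combined_rank in compare_with_cvss_only(SAMPLE):
        print(f"moved: {name}: CVSS-only #{cvss_rank} -> combined #{combined_rank}")
```

Run as a script it prints the combined ordering and the findings that moved. The point the table makes shows up directly: "OS End Of Life Detection" carries a CVSS of 10 and sits second on a CVSS-only sort, but with no CVE, no KEV entry and no EPSS it falls to the bottom, while the KEV-listed Magento issue at CVSS 9.8 moves up to second.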
8. API: Critical and High Severity

Each entry gives the name, vulnerability reference and notes, CWE/OWASP mapping and the percentage of critical vulnerabilities:

• Injection attacks (CWE-79, CWE-725, API8:2019; 27.30%): SQL, NoSQL, LDAP; OS injections; code injections; ORM based vulnerabilities; parsers such as XML; traversal based attacks.
• Lack of resources and rate limiting (CWE-770 / API4:2019; 19.20%): The API does not restrict the number or frequency of requests from a particular API client. This can be abused to make thousands of API calls per second, or request hundreds or thousands of data records at once, resulting in a Denial of Service condition. This weakness also enables arbitrary scraping of other parties’ APIs and violates fair usage agreements.
• Broken authentication (API2:2019 / CWE-287; 15.30%): Weak authentication allowing compromise of authentication tokens or exploitation of common implementation flaws to assume other users’ identities or bypass authentication completely. Compromising a system’s ability to identify the client/user compromises API security overall.
• Broken object level authorization (BOLA) (CWE-639 / API1:2019; 13.20%): AKA insecure direct object reference (IDOR). As its name implies, the ability to directly access resources without privileges or authorization.
• Excessive data exposure (information disclosure) (CWE-22, CWE-23, CWE-200, CWE-269, CWE-250 / API3:2019; 9.70%): Exposure of all object properties of an API endpoint without consideration for use-case or requirement, resulting in reliance on API clients to perform the data filtering before displaying it to the user.
• Mass assignment (CWE-915 / API6:2019; 7.30%): The API does not control which object attributes can be modified, providing the potential for access to opaque data, outcomes or functions. This can be used to create new parameters that were never intended, which in turn creates or overwrites variables or objects in program code.
• Broken function level authorization (CWE-285 / API5:2019; 6.90%): Admin or sensitive functions exposed in error to unauthorized clients, resulting in data disclosure or privileged execution for unauthorized API clients. In effect this results in an overly large attack surface and unintended exposure risk.

The most common High and Critical severity vulnerabilities discovered in 2022. The occurrence % is the rate of occurrence compared to all critical and high severity vulnerabilities discovered in 2022. Edgescan validates vulnerabilities based on the context of the unique issue and does not always tally with CVSS scoring. CWE/OWASP: Common Weakness Enumeration / OWASP API Top 10 reference.
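The "lack of resources and rate limiting" weakness above is normally fixed at the API gateway or in middleware rather than in each endpoint. The following is an added example, not code from the report or from Edgescan: a per-client token bucket limiter in Python, with an injectable clock so the refill behaviour can be checked without sleeping. The capacity and refill rate are assumptions; a real deployment keys the bucket on an authenticated client id or API key rather than a bare string.

```python
"""Per-client token bucket rate limiter for an API gateway or middleware layer.

Added illustration, not code from the report or from Edgescan. The capacity
and refill rate below are assumptions; a real deployment keys on an
authenticated client id or API key rather than a bare string.
"""
import time
from typing import Callable, Dict, Tuple


class TokenBucketLimiter:
    """Each client may burst up to `capacity` requests, then `rate` requests/second."""

    def __init__(self, capacity: int, rate: float, clock: Callable[[], float] = time.monotonic):
        self.capacity = float(capacity)
        self.rate = rate
        self.clock = clock
        self._buckets: Dict[str, Tuple[float, float]] = {}  # client -> (tokens, last refill time)

    def _refill(self, client: str) -> Tuple[float, float]:
        now = self.clock()
        tokens, last = self._buckets.get(client, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        return tokens, now

    def allow(self, client: str, cost: int = 1) -> bool:
        """True if the request may proceed; False means the caller should return HTTP 429."""
        tokens, now = self._refill(client)
        if tokens >= cost:
            self._buckets[client] = (tokens - cost, now)
            return True
        self._buckets[client] = (tokens, now)
        return False

    def retry_after(self, client: str, cost: int = 1) -> float:
        """Seconds until `cost` tokens are available; suitable for a Retry-After header."""
        tokens, _ = self._refill(client)
        return max(0.0, (cost - tokens) / self.rate)


class FakeClock:
    """Deterministic clock so the behaviour can be checked without sleeping."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo_burst() -> dict:
    """Constructed scenario: 7 requests in a burst, a 2 s pause, 3 more, then another client."""
    clock = FakeClock()
    limiter = TokenBucketLimiter(capacity=5, rate=1.0, clock=clock)
    burst = [limiter.allow("client-a") for _ in range(7)]
    clock.advance(2.0)           # two tokens refill at 1 token/s
    after_wait = [limiter.allow("client-a") for _ in range(3)]
    return {
        "burst": burst,
        "after_wait": after_wait,
        "retry_after": limiter.retry_after("client-a"),
        "other_client": limiter.allow("client-b"),   # buckets are independent
    }


if __name__ == "__main__":
    print(demo_burst())
```

In the constructed scenario the first five requests pass and the sixth and seventh are refused; after a two second pause exactly two more pass; the limiter then reports a one second Retry-After, and a second client is unaffected. The `cost` argument lets an expensive call (a bulk export, a large page size) consume more than one token, which addresses the "thousands of records at once" case the slide describes as well as request frequency.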
9. Web Applications: Critical Severity

Each entry gives the name, percentage of total, CWE, CVE where applicable, whether the issue is on the CISA KEV, and a description:

• SQL injection (23.4%; CWE-89): SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query. Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.
• Malicious File Upload (22.7%; CWE-434): Uploaded viruses and malware could later be downloaded by users of the application. Such malware can cause partial or complete compromise of the network that the host resides on.
• Cross-site scripting (stored) (19.1%; CWE-79): Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. Stored XSS is also sometimes referred to as Persistent or Type-II XSS.
• Authorization Issue - Privilege Bypass (7.8%; CWE-285): Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of all data, or performing a business function outside the user’s limits.
• PHP Multiple Vulnerabilities (7.1%; CWE-264; CVE-2012-2688, CVE-2012-3365): Multiple vulnerabilities pertaining to PHP patching.
• Log4Shell (CVE-2021-44228) (on CISA KEV; 5.0%; CWE-917; CVE-2021-44228): A remote code execution vulnerability exists in Apache Log4j < 2.15.0 due to insufficient protections on message lookup substitutions when dealing with user controlled input. A remote, unauthenticated attacker can exploit this, via a web request, to execute arbitrary code with the permission level of the running Java process.
• Spring4Shell (on CISA KEV; 4.3%; CWE-94; CVE-2022-22965): The application appears to be vulnerable to CVE-2022-22965 (otherwise known as Spring4Shell): remote code execution (RCE) via data binding. Please note the detection of this vulnerability is not possible to verify with absolute certainty from an external perspective.
• Weak Password Policy (1.4%; CWE-521): System has poor password controls. No MFA, default credentials etc.
• Database Console Exposure (1.4%; CWE-200): It was noted whilst testing the application that the database console was accessible. The database console provides access to privileged functionality which should not be accessible, except by authorized users or networks. Access to the console could allow a malicious actor to execute SQL statements on the server.
• File path traversal (1.4%; CWE-35): This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory.

SQL injection is still the main contender (as it was in 2021), which is interesting to note as we can easily develop code (or block vectors) to mitigate such attacks. Something which is overlooked quite frequently is malicious file uploads, 22.7% of total critical vulnerabilities discovered. This can give rise to ransomware, malware and internal network breach pivot points for attackers. Log4Shell (first discovered in late 2021) contributed to 5% of all critical severity vulnerabilities discovered in 2022. Authorization issues cover privilege escalation or access to restricted functionality which would result in a data breach.
10. Non-Internet Facing – Critical Severity

| % of all vulns | Name | CVSS | CVE | CWE | On CISA KEV | CVE on CISA KEV | EPSS |
|---|---|---|---|---|---|---|---|
| 8.1% | Mozilla Firefox Security Updates (mfsa2022-24) - Windows | 9.8 | CVE-2022-2200, CVE-2022-34468, CVE-2022-34470, CVE-2022-34471, CVE-2022-34472, CVE-2022-34473, CVE-2022-34474, CVE-2022-34475, CVE-2022-34476, CVE-2022-34477, .. | CWE-1321, CWE-190, CWE-416, CWE-601, CWE-617, CWE-787, CWE-79, CWE-824 | FALSE | | 0.23331 |
| 8.0% | Adobe Acrobat Various Vulnerabilities | 10 | CVE-2009-0193, CVE-2009-0658, CVE-2009-0927, CVE-2009-0928, CVE-2009-1061, CVE-2009-1062, CVE-2019-7140, CVE-2019-7141, CVE-2019-7142, .. | CWE-119, CWE-20 | TRUE | CVE-2009-0927 | 0.86734 |
| 7.4% | Mozilla Firefox Security Update Various | 9.6 | CVE-2022-0511, CVE-2022-22753, CVE-2022-22754, CVE-2022-22755, CVE-2022-22756, CVE-2022-22757, CVE-… | CWE-119, CWE-20, CWE-209, CWE-367, CWE-672, CWE-787, CWE-863 | FALSE | | 0.01018 |
| 5.3% | Oracle Java SE Security Updates (apr2019-5072813) 01 - Windows | 9 | CVE-2019-2699 | | FALSE | | 0.00954 |
| 3.2% | Adobe Flash Player Various Vulnerabilities | 10 | CVE-2014-0497, CVE-2018-4877, CVE-2018-4878, CVE-2016-0964, CVE-2016-0965, CVE-2016-0966, CVE-2016-0967, CVE-2016-0968, CVE-2016-0969, … | CWE-189 | TRUE | CVE-2021-21017, CVE-2021-28550, CVE-2018-4939, CVE-2018-15961, CVE-2018-4878 | 0.94050 |
| 2.7% | Microsoft SQL Server Unsupported Version Detection | 10 | | | FALSE | | |
| 2.6% | OS End Of Life Detection | 10 | | | FALSE | | |
| 2.3% | SUSE: Various Security Advisories | 9.8 | CVE-2019-18902, CVE-2019-18903, CVE-2020-7216, CVE-2020-7217 | CWE-401, CWE-416, CWE-772 | FALSE | | 0.01156 |
| 1.7% | Intel Active Management Technology Multiple Vulnerabilities (INTEL-SA-00295) | 9.8 | CVE-2020-0531, CVE-2020-0532, CVE-2020-0537, CVE-2020-0538, CVE-2020-0540, CVE-2020-0594, CVE-2020-0595, CVE-2020-0596, CVE-2020-11899, CVE-2020-11900, … | CWE-125, CWE-20, CWE-415, CWE-416, CWE-522 | TRUE | CVE-2020-11899 | 0.00885 |
| 0.7% | Apache Tomcat AJP RCE Vulnerability (Ghostcat) | 9.8 | CVE-2020-1938 | CWE-269 | TRUE | CVE-2020-1938 | 0.96554 |
| 0.7% | SUSE: Security Advisory (SUSE-SU-2022:3466-1) | 9.8 | CVE-2022-40674 | CWE-416 | FALSE | | 0.17166 |
| 0.6% | HTTP Brute Force Logins With Default Credentials | 9 | | | FALSE | | |

Mozilla Firefox and Adobe top the list with multiple CVEs. The Adobe vulnerabilities are listed on the CISA KEV and have an EPSS score of 86%. Adobe Flash, Apache and Intel vulnerabilities also have CISA KEV entries. The Flash vulnerability also has an EPSS score of 94% and the Apache vulnerability an EPSS score of 96%, albeit not as common a weakness.
11. Vulnerability Clustering

Metrics relating to the average count of vulnerabilities per asset*. Most assets across the full stack have multiple vulnerabilities:

| Risk cluster / asset | % of assets |
|---|---|
| 1-10 vulnerabilities | 52.55% |
| 11-100 vulnerabilities | 18.60% |
| 100+ vulnerabilities | 9.35% |

52.22% of all assets assessed in 2022 had between 1 and 10 vulnerabilities throughout the 12 month period. 18.6% of all assets assessed in 2022 had between 11 and 100 vulnerabilities, and 9.35% of assets had 100+ vulnerabilities.

*Assets are defined in Edgescan as an endpoint, API or web application.
12. Attack Surface Management (ASM)

Based on a sample of 500,000 continuous scans, the following table describes the systems discovered to be exposed on the public Internet (standard ports such as http 80 and https 443 are not included).

| Port | # discovered | Protocol | Notes |
|---|---|---|---|
| 22 | 21910 | SSH | Exposed remote access service. There were 90 CVEs reported relating to SSH in 2022 |
| 8443 | 17960 | HTTP | Potential pre-production web service |
| 8080 | 8660 | HTTP | Potential pre-production port |
| 179 | 8180 | BGP | Exposed Border Gateway web service. There were 17 CVEs reported relating to BGP in 2022 |
| 222 | 7190 | UDP | UDP service |
| 25 | 6290 | SMTP | Exposed SMTP email port |
| 5000 | 6270 | UPnP | Exposed Universal Plug and Play service. There were 5 CVEs reported relating to UPnP in 2022 |
| 111 | 6000 | SUNRPC | Exposed RPC service. There were 4 CVEs reported relating to SUNRPC in 2022 |
| 53 | 5680 | DNS | DNS service |
| 1720 | 5190 | H323 | Exposed SIP service. There were 8 CVEs reported relating to H323/SIP in 2022 |
| 10000 | 4940 | NDMP | Exposed Network Data Management Protocol |
| 264 | 4800 | SecuRemote | Checkpoint SecuRemote service |
| 3389 | 4540 | RDP | Exposed remote login. There were 16 CVEs reported relating to RDP in 2022 |
| 1300 | 4500 | H323 | SIP service. There were 8 CVEs reported relating to H323/SIP in 2022 |
| 1719 | 4450 | SMB | Exposed SMB port. There were 18 CVEs reported relating to RDP in 2022 |
| 21 | 2980 | FTP | File transfer service. There were 18 CVEs reported relating to FTP in 2022 |
| 110 | 2020 | POP3 | Plain text email port service |
| 3306 | 1990 | MYSQL | Exposed database, ‘nuff said |
| 139 | 1730 | SMB | Server Message Block |
| 5432 | 1710 | PostgreSQL | Exposed database |
| 23 | 1540 | Telnet | Exposed remote access |

• We still see exposed databases and remote access services which are easily exploited for data theft, network breach or ransomware attacks.
• Many of the exposed services of note have CVEs attributed to them in 2022.
• SSH exposures were relatively common (21,910 exposures discovered). SSH had circa 90 new CVEs attributed to the protocol in 2022. Port 22 is subject to countless unauthorized login attempts by hackers who are attempting to access unsecured servers. A highly effective deterrent is to simply turn off port 22 and run the service on a seemingly random port above 1024 (and up to 65535).
• Remote access exposures are a common attack vector for ransomware attacks as a first step of the attack chain.
• 13. Vulnerability Age

CVE Year | % vulnerabilities in 2022* | % High or Critical Severity
2022     | 16.34%                     | 83.54%
2021     | 21.10%                     | 80.95%
2020     | 31.49%                     | 74.18%
2019     | 23.60%                     | 44.43%
2018     | 16.01%                     | 54.11%
2017     | 5.78%                      | 56.77%
2016     | 6.03%                      | 75.55%
2015     | 9.10%                      | 11.66%
2014     | 1.31%                      | 36.62%
2013     | 5.79%                      | 3.05%
2012     | 0.98%                      | 32.10%
2011     | 0.79%                      | 15.23%
2010     | 0.11%                      | 73.17%
2009     | 0.34%                      | 51.77%
2008     | 0.08%                      | 14.74%
2007     | 0.11%                      | 5.29%
2006     | 0.01%                      | 57.14%
2005     | 0.00%                      | 0.00%
2004     | 0.15%                      | 1.79%
2003     | 0.08%                      | 0.00%

[Chart: CVE's discovered in 2022, by CVE year: % discovered in 2022 vs. % High or Critical]

During 2022 we can see the percentages of aged CVE's discovered. E.g. 21.1% of the vulnerabilities discovered contained CVE's from 2021, with 80% of those CVE's considered High or Critical severity.
* The % of vulnerabilities containing a CVE from a specific year. Some assets had more than one vulnerability. Some assets have more than one CVE from multiple years.
• 14. Conclusions
• We are still not getting the basics right.
• In 2022 we've observed very basic vulnerabilities, many of which are commonly leveraged by cybercrime.
• Continuous assessment, validation & prioritization will make a huge difference to any organization's cybersecurity posture.
• Resilience: "internal"/non-Internet-facing vulnerability management is certainly overlooked, possibly the reason for the ease of pivot by cybercrime organisations once they breach the perimeter.
• API security is still "the poor relation" to web application security, possibly due to poor tooling and approaches to API security assessment. API discovery is also an important tool to leverage to keep pace with what's deployed publicly.
• Attack Surface Management (ASM) is not a "wishlist item" and aids decent vulnerability management coverage. Many exposures ASM detects are not CVE/OWASP related but rather due to poor visibility.
• Reliance on "Shift Left" security alone will not prevent system insecurity; business system risk needs to be looked at from a "full stack" perspective.
• Remediation times need to come down. This may be due to poor prioritization and lack of understanding of "what matters" when assessing a "vulnerability backlog".
• CISA KEV and EPSS are great tools when combined with CVSS. Validated, accurate vulnerability data has also proven to shorten MTTR & help manage the vulnerability backlog.
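As an added example (not Edgescan's code), the Python below reproduces the two columns of the vulnerability-age table on slide 13 from a list of findings, and orders that backlog the way the conclusions suggest: CISA KEV first, then EPSS, then CVSS. The findings, their CVE ids and their scores are constructed for the example and are not real records.

```python
import re
from collections import Counter

CVE_RE = re.compile(r"^CVE-(\d{4})-\d{4,}$")
HIGH_OR_CRITICAL = 7.0  # CVSS v3 bands: High 7.0-8.9, Critical 9.0-10.0

# Constructed findings (asset, CVE id, CVSS base, EPSS probability, in CISA KEV).
# The CVE ids and scores are made up for this example, not real records.
FINDINGS = [
    ("web-01", "CVE-2022-90001", 9.8, 0.96, True),
    ("web-01", "CVE-2021-90002", 10.0, 0.97, True),
    ("api-02", "CVE-2021-90003", 5.3, 0.04, False),
    ("db-03", "CVE-2020-90004", 7.5, 0.02, False),
    ("db-03", "CVE-2019-90005", 4.3, 0.01, False),
    ("vpn-04", "CVE-2022-90006", 8.8, 0.90, True),
    ("mail-05", "CVE-2020-90007", 9.1, 0.50, False),
    ("lb-06", "CVE-2021-90008", 6.1, 0.03, False),
]

def cve_year(cve_id):
    """Year component of a CVE id: 'CVE-2021-90002' -> 2021."""
    m = CVE_RE.match(cve_id)
    if not m:
        raise ValueError(f"not a CVE id: {cve_id}")
    return int(m.group(1))

def age_profile(findings):
    """Per CVE year, newest first: (% of findings carrying a CVE of that year,
    % of those that are High/Critical), the two columns of the table above.
    Percentages are of findings, so one asset can count in several years."""
    per_year, severe = Counter(), Counter()
    for _asset, cve, cvss, _epss, _kev in findings:
        y = cve_year(cve)
        per_year[y] += 1
        severe[y] += cvss >= HIGH_OR_CRITICAL
    total = sum(per_year.values())
    return {y: (round(100 * n / total, 2), round(100 * severe[y] / n, 2))
            for y, n in sorted(per_year.items(), reverse=True)}

def prioritise(findings):
    """Order a backlog as the conclusions suggest: CISA KEV entries first,
    then by EPSS probability, then by CVSS base score."""
    return sorted(findings, key=lambda f: (f[4], f[3], f[2]), reverse=True)

if __name__ == "__main__":
    for year, (share, severe) in age_profile(FINDINGS).items():
        print(f"{year}: {share:.2f}% of findings, {severe:.2f}% High/Critical")
    for asset, cve, cvss, epss, kev in prioritise(FINDINGS):
        print(f"{'KEV' if kev else '   '} {cve} EPSS={epss:.2f} CVSS={cvss} {asset}")
```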
• 15. Thanks
March 2023 – Edgescan Vulnerability Stats Report. Download from www.edgescan.com
• 16. Is "Shift Left" working?
No, at least not as expected. Global metrics (2022) point to the fact that things are worse than ever.....
• 17. Is "Shift Left" working?
Observing behaviour is best when done in its living environment: "naturalistic observation".
• 18. Shift Left? Focuses on:
• Application software during the development phase.
• In isolation (in many cases).
• In a test environment, whose software environment is probably dissimilar to the production environment.
• Data "food chain" not considered (upstream/downstream).
• 19. What are we securing?
Software is defined as the following: applications, APIs, OS, firewalls, cloud, load balancers, browsers, web servers, toasters, etc. ...
"Secure software only does what it was designed to do. Anything else is weakness."
• 20. "It's the Software, Stupid..."
• The method of breach, pivot and exploit is all based on a couple of weaknesses:
• #1: Logical weaknesses, which include poor authentication, poor authorization and poor business logic design; and
• #2: Technical weaknesses, which are vulnerabilities in software: those weaknesses which can be exploited via tools, manual know-how or "commercial grade" exploitation toolkits.
• 21. "It's the Software, Stupid..."
• #1 is due to poor design, poor peer review, poor understanding of use cases and environment, and lack of awareness of potential threats/risks to the system.
• We have always had to contend with this.
• #2 is all about the software, stupid. Even though we have "shift left" coursing through our veins, even the biggest and most profitable/experienced enterprises are still producing critically weak systems, which are widespread, amplifying the problem.
• 22. It can be argued....
Shift left is static: the full stack system is being tested in an environment which does not change around it.
Problem: our environment is always changing. Even in the systems where the developer code is not subject to much change, the landscapes in which they live are. Vulnerabilities in the browser, the web server, the cryptography and the firewall all rely on each other and, combined, deliver the system solution.
• 23. "Change gives rise to risk"
Change occurs when:
• A system does not change: over time, critical vulnerabilities are discovered and patches are released. Yesterday I was secure, today I've a Critical Risk. Need to patch/redeploy.
• A system changes: new features deployed, new services exposed, larger attack surface, more exposed, more to attack, more headaches...
• 24. Enterprise Systems
Defined by numerous components, many of them open-source or third party, with various degrees of secure design and development:
1. A deployment environment developed by a third party, subject to vulnerabilities and human error.
2. A custom web application developed by the enterprise.
3. A firewall, WAF etc., also prone to vulnerabilities and coding errors.
4. A third-party client-side component.
5. A B2B service to deliver a function we purchased and built.
In 90% of cases, Shift-Left Security would only help assure point 2 above, the developed code. We hope this highlights our main point and has painted a landscape of castles made of sand....
• 25. Conclusion #2: We need to "get shifty..."
• We need to shift left, right, and across the full stack...
• Shift Left makes sense for developing secure code,
• NOT for effectively measuring a system's security posture in the wild, where all the components are working in tandem.
• We need to focus on run-time assessment, using automation for scale and efficiency, but we need accuracy and depth also.
• Shifting right addresses some of this by virtue of production-safe testing of an application in its living environment. We need continuous assessment and attack surface management to continuously monitor the asset AND the environment in which it is deployed....