The 2023 Vulnerability Stats report as delivered to the IISF.
Covering: PTaaS, Pentesting, Vulnerability Management, EPSS, CISA KEV, Risk, Attack Surface Management. It's based on delivering thousands of PTaaS and RBVM assessments throughout 2022. Why tools and traditional pentesting have failed.
The 2018 Vulnerability Stats report covering off a full-stack review of cyber security across thousands of web applications, end-points and cloud based systems globally.
Inspired by my work on understanding the effects of the EU cyber resilience act, I made this presentation on vulnerability handling - SBOM, Vex, CVE, CVSS, CWE and more.
Vulnerability and Exploit Trends: Combining behavioral analysis and OS defens... - EndgameInc
Despite the best efforts of the security community—and big claims from security vendors—large areas of vulnerabilities and exploits remain to be leveraged by adversaries. You will learn about:
- A new perspective on the current state of software flaws.
- The wide margin between disclosed vulnerabilities and public exploits, including a historical analysis and trending patterns.
- Effective countermeasures that can be deployed to detect, and prevent, the exploitation of vulnerabilities.
- The limitations of Operating System provided mitigations, and how a combination of increased countermeasures with behavioral analysis will get defenders closer to preventing the largest number of threats.
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities Braindev Kyiv
Sergey Kochergan is a QA Engineer at Luxoft with extensive experience in the software engineering and security fields. As an independent consultant, he has provided strategic expertise to business clients with frameworks for SCADA security policy, and has organized hackathons and CTF events. Sergey was involved in R&D projects on system design for SDR communication hardware and on network forensics with IDS.
In this lecture Sergey will talk about security in general, give an overview of today's web testing environment, and present his vision of a risk rating methodology and vulnerability patterns.
For our next events join us:
http://www.meetup.com/Kyiv-Dev-Meetup-SmartMonday/
https://www.facebook.com/braindevkyiv
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks - Andre Van Klaveren
A presentation of the OWASP Top 10 2017 release candidate, expected to be finalized in summer 2017. Presented at the St. Louis CYBER meetup on Wednesday, June 7, 2017.
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje... - Yuji Kosuga
With the recent rapid increase in interactive web applications that employ back-end database services, the SQL injection attack has become one of the most serious security threats. An SQL injection attack allows an attacker to access the underlying database, execute arbitrary commands at will, and receive dynamically generated output, such as HTML web pages. In this paper, we present our technique, Sania, for detecting SQL injection vulnerabilities in web applications during the development and debugging phases. Sania intercepts the SQL queries between a web application and a database, and automatically generates elaborate attacks according to the syntax and semantics of the potentially vulnerable spots in the SQL queries. In addition, Sania compares the parse trees of the intended SQL query and those resulting after an attack to assess the safety of these spots. We evaluated our technique using real-world web applications and found that our solution is efficient in comparison with a popular web application vulnerability scanner. We also found a vulnerability in a product that was just about to be released.
Empowering Application Security Protection in the World of DevOps - IBM Security
Watch on-demand now: https://securityintelligence.com/events/application-security-protection-world-of-devops/
How do organizations build secure applications, given today's rapidly moving and evolving DevOps practices? Development teams are aware of the shifting security challenges they face. However, they're by no means security experts, nor do they have spare time on their hands to learn new tools.
What can development teams do to keep pace with rapidly-evolving application security threats?
The answer lies in automation. By making application security part of the continuous build processes, organizations can protect against these major risks.
In this session, you will learn:
- New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices, including managing custom code and open source risks with containers and traditional environments.
- Best practices for designing and incorporating an automated approach to application security into your existing development environment.
- Future development and application security challenges organizations will face and what they can do to prepare.
Continuous Application Security at Scale with IAST and RASP -- Transforming D... - Jeff Williams
Abstract: SAST, DAST, and WAF have been around for almost 15 years — they’re almost impossible to use, can’t protect modern applications, and aren’t compatible with modern software development. Recent studies have demonstrated that these tools miss the majority of real vulnerabilities and attacks while generating staggering numbers of false positives. To compensate, these tools require huge teams of application security experts that can’t possibly keep up with the size of modern application portfolios. Fortunately, the next generation of application security technology uses dynamic software instrumentation to solve these challenges. Gartner calls these products “Interactive Application Security Testing (IAST)” and “Runtime Application Self-Protection (RASP).” In this talk, you’ll learn how IAST and RASP have revolutionized vulnerability assessment and attack prevention in a massively scalable way.
Bio: A pioneer in application security, Jeff Williams is the founder and CTO of Contrast Security, a revolutionary application security product. Contrast is an application agent that enables software to both report vulnerabilities and prevent attacks. Jeff has over 25 years of security experience, speaks frequently on cutting-edge application security, and has helped secure code at hundreds of major enterprises. Jeff served as the Global Chairman of the OWASP Foundation for eight years, where he created many open-source standards, tools, libraries, and guidelines - including the OWASP Top Ten.
Software Development Weaknesses - SecOSdays Sofia, 2019 - Balázs Tatár
The OWASP Top 10 is a powerful awareness document for web application security; the latest version was released in 2017. It represents the industry-standard weaknesses that are the most critical in terms of their security risk.
In this talk we go into details of all its items, matching them with vulnerability types from the CWE (Common Weakness Enumeration) category system.
To understand the most common security issues and their consequences, one of the best ways is to learn about prevention.
Most of them can be remediated at a low cost if they are discovered during the development phase - in this session we're going to check Java, C, PHP, Perl and other programming languages in order to raise awareness for secure software development.
Evaluation of Web Application Vulnerability Scanners - yuliana_mar
Evaluation of Web Application Vulnerability Scanners’ Strengths and Limitations Using Custom Web Application
By: Yuliana Martrosyan
Advisor: Dr. Levent Ertaul
Vulnerability Management Nirvana - Seattle Agora - 18Mar16 - Kymberlee Price
Vulnerability Management Nirvana: A Study in Predicting Exploitability
When everything is a priority, nothing is. 15% or 10,000 vulnerabilities have a CVSS score of 10. Vendors and practitioners alike use CVSS or their own threat intelligence models to predict which vulnerabilities will be exploited next. We review current options, present a predictive data-driven prioritization model, and how attendees can get started using our approach in their vulnerability management program.
How to approach validation of vulnerabilities for scale penetration testing. Depth, accuracy and scale are a triad of problems, each requiring attention. Attackers and threat actors have more time and patience to look for complex vulnerabilities. Reliance on automation is not working and will not beat determined humans.
Does a Hybrid model for vulnerability Management Make Sense.pdf - Eoin Keary
Combining automation for scale and human expertise for depth. Leveraging thousands of datapoints and cyber analytics to verify security vulnerabilities. Why automation alone does not work: because our enemies are humans. Automation does not have the skills to exploit business logic risks. Context is queen when it comes to risk-based prioritization.
Vulnerability stats, full stack cyber issues.
Vulnerability management, threat analysis and attack surface management. Exposures, MTTR and cyber risk management.
Based on the assessment of thousands of systems globally on a continuous basis.
A deck discussing the findings from the Edgescan 2021 Vulnerability Stats Report. A full stack view of the vulnerabilities discovered in 2020 based on thousands of assessments. Host, network and application layer security metrics (full stack).
Hide and seek - Attack Surface Management and continuous assessment. - Eoin Keary
Attack surface management and visibility is key to maintaining a robust cyber security posture. Continuous assessment, accuracy and scale are key to enterprise security.
Discussion on how to deliver vulnerability management at scale.
Why full-stack vulnerability management is important and why silos of security are an issue. The pitfalls when delivering thousands of assessments on a continuous basis. How Edgescan delivers vulnerability intelligence.
Web security – everything we know is wrong, cloud version - Eoin Keary
A revised version for 2017 on an old OWASP talk from 2015.
Web application security, Development security challenges and how we are approaching cyber security incorrectly for years...but there is hope!!
Why continuous assessment is required. How to keep pace with development and secure constant change. Vulnerability statistics across the fullstack. What are the most common security issues in the web application and host layer.
Talk in Switzerland at European Broadcasting Union cyber security event - Feb 2017.
Discussing some core aspects of secure application development, technical security controls and secure systems development lifecycle....
2. ME (Eoin Keary)
• OWASP Leader – 10 years
• Testing Guide founder/lead
• Code Review Guide founder/lead
• Global Vice-Chair
• Founder – Edgescan
• Ireland-HQ, NY, UK
• 250+ clients (Fortune 100 to SME)
• Circa 100 Staff, 60% Penetration testers, 30% Prod Dev.
• 15,000+ assessments/month (ASM/PTaaS/VM)
3. Risk – “The chance of something bad happening”
This is an analysis of vulnerabilities discovered across hundreds of organizations across the full stack. From Fortune 500 to medium and small businesses, the Edgescan Vulnerability Stats report 2023 attempts to provide a statistical model of the most common weaknesses faced by organisations globally.
4. What is Edgescan? – How do we get these statistics….
Edgescan is
• Attack Surface Management,
• Full stack vulnerability management,
• Purpose built API Security Testing Engine,
• Penetration Testing as a Service (PTaaS), and
• Risk prioritization on an enterprise scale.
Continuous scanning of web applications, APIs, cloud and networks for vulnerabilities without sacrificing accuracy, richness or fidelity.
Validation and Triage:
• All discovered vulnerabilities and risks are validated via a combination of cyber-analytics and human expertise.
• This is designed to ensure all reported vulnerabilities are real, prioritized and valid, helping our clients save significant time in terms of remediation and response.
• Vulnerabilities are mapped to CVSS, CISA KEV, EPSS and EVSS* scoring.
*Edgescan Validated Vulnerability Score
5. Breach Probability - Prioritization
What is EPSS?
The Exploit Prediction Scoring System (EPSS) is an open, data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild. The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
https://www.first.org/epss/
What is CISA KEV?
CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild: the Known Exploited Vulnerability (KEV) catalog. CISA strongly recommends all organizations review and monitor the KEV catalog and prioritize remediation of the listed vulnerabilities to reduce the likelihood of compromise by known threat actors.
https://www.cisa.gov/known-exploited-vulnerabilities
EVSS (Edgescan Validated Security Score)
Every vulnerability discovered by Edgescan is validated via a combination of data analytics and human expertise, resulting in near false-positive-free vulnerability intelligence. Once a vulnerability is validated it is mapped to both the CISA KEV and EPSS to assist with prioritization. All vulnerabilities in Edgescan (where applicable) have a CVSS, CISA KEV, EPSS and EVSS risk score.
**Both the CISA KEV and EPSS don’t list unique vulnerabilities associated with a unique web application or web site.
6. Risk Density – Risks Across the Stack
The following is a breakdown of the risks discovered across the full stack, web applications and network/host. It also depicts the risks associated with potential PCI (Payment Card Industry) failures (not every vulnerability results in a PCI fail).

Severity (% of total)   Full stack   Application   Network   PCI failures
Critical                  9.8%         5.0%         10.5%      10%
High                     23.4%         7.0%         25.0%      35%
Medium                   27.8%         9.6%         28.8%      54%
Low                      39.0%        78.0%         35.7%       0%

54% of PCI failures were of medium severity. “Much research indicates that such vulnerabilities will never be exploited albeit they result in a PCI DSS compliance fail”
Across the full stack more than 33% of discovered vulnerabilities were of a critical or high severity.
Across the web application and API layers 12% of discovered vulnerabilities were of a critical or high severity.
25.5% of discovered vulnerabilities in the infrastructure/hosting/cloud layer were of a critical or high severity.
7. Internet Facing – Critical Severity
% of all
Vulns
Name CVSS CVE CWE On CISA
KEV
CVE on
CISA KEV
EPSS
3.0% Apache Multiple Log4j Vulnerabilities
(Log4Shell)
10 CVE-2021-44228, CVE-2021-
45046
CWE-20, CWE-
400, CWE-502
TRUE CVE-2021-
44228
0.97095
2.6% OS End Of Life Detection 10 FALSE
2.6% WordPress Elegant Themes Divi Theme 3.0
<= 4.5.2 Authenticated Arbitrary File Upload
9 CVE-2020-35945 FALSE 0.00885
2.6% MariaDB End Of Life Detection (Windows) 10 FALSE
1.9% PHP < 7.4.28, 8.0.x < 8.0.16, 8.1.x < 8.1.3
Security Update (Feb 2022) - Windows
9.8 CVE-2021-21708 CWE-416 FALSE 0.00954
1.5% Magento 2.3.3-p1 <= 2.3.7-p2, 2.4.x <= 2.4.3-
p1 Multiple RCE Vulnerabilities (APSB22-12)
9.8 CVE-2022-24086, CVE-2022-
24087
CWE-20 TRUE CVE-2022-
24086
0.35544
1.5% PHP < 7.4.33, 8.0.x < 8.0.25, 8.1.x < 8.1.12
Security Update
9.8 CVE-2022-31630, CVE-2022-
37454
CWE-125, CWE-
190
FALSE 0.03806
1.5% PHP Multiple Vulnerabilities (Feb 2019) -
Windows
9.8 CVE-2019-9020, CVE-2019-9021,
CVE-2019-9023, CVE-2019-9024
CWE-125, CWE-
416
FALSE 0.02686
1.5% Microsoft Exchange Server 2016 / 2019
Multiple Vulnerabilities (KB5007012)
9.6 CVE-2021-26427, CVE-2021-
34453, CVE-2021-41348, CVE-
2021-41350
CWE-269 FALSE 0.02427
1.5% Microsoft Exchange Server 2013 / 2016 / 2019
Multiple Vulnerabilities (KB5008631)
9 CVE-2022-21846, CVE-2022-
21855, CVE-2022-21969
CWE-94 FALSE 0.01877
1.1% SAP Multiple Products Request Smuggling
and Request Concatenation Vulnerability
(ICMAD, 3123396)
10 CVE-2022-22536 CWE-444 TRUE CVE-2022-
22536
0.19548
Critical Severity vulnerabilities discovered in 2022 ordered by frequency.
Note the vulnerabilities which are listed on the CISA KEV and the corresponding
The mapping between CVSS, CISA KEV and EPSS
• CISA KEV and EPSS do not appear to be aligned 100% of the time.
• High CVSS scores do not necessarily mean remediation is considered high priority.
• Some CISA KEV vulnerabilities have a low EPSS score.
• Conclusion: we need multiple viewpoints to determine priority.
8. API: Critical and High Severity

Name | Vulnerability Reference & Notes | CWE/OWASP | % of Critical Vulnerabilities
Injection Attacks | SQL, NoSQL, LDAP; OS injection; code injection; ORM-based vulnerabilities; parsers such as XML; traversal-based attacks. | CWE-79, CWE-725, API8:2019 | 27.30%
Lack of resources and rate limiting | The API does not restrict the number or frequency of requests from a particular API client. This can be abused to make thousands of API calls per second, or to request hundreds or thousands of data records at once, resulting in a Denial of Service condition. This weakness also enables arbitrary scraping of other parties' APIs and violates fair usage agreements. | CWE-770 / API4:2019 | 19.20%
Broken authentication | Weak authentication allowing compromise of authentication tokens or exploitation of common implementation flaws to assume another user's identity or bypass authentication completely. Compromising a system's ability to identify the client/user compromises API security overall. | API2:2019 / CWE-287 | 15.30%
Broken object level authorization (BOLA) | AKA insecure direct object reference (IDOR). As its name implies, the ability to directly access resources without privileges or authorization. | CWE-639 / API1:2019 | 13.20%
Excessive data exposure (Information disclosure) | Exposure of all object properties of an API endpoint without consideration for use-case or requirement, resulting in reliance on API clients to perform the data filtering before displaying it to the user. | CWE-22, CWE-23, CWE-200, CWE-269, CWE-250 / API3:2019 | 9.70%
Mass assignment | The API does not control which object attributes can be modified, providing the potential for access to opaque data, outcomes or functions. This can be used to create new parameters that were never intended, which in turn creates or overwrites variables or objects in program code. | CWE-915 / API6:2019 | 7.30%
Broken function level authorization | Admin or sensitive functions exposed in error to unauthorized clients, resulting in data disclosure or privileged execution for unauthorized API clients. In effect this results in an overly large attack surface and unintended exposure risk. | CWE-285 / API5:2019 | 6.90%

The most common High and Critical severity vulnerabilities discovered in 2022. The occurrence % is the rate of occurrence compared to all critical & high severity vulnerabilities discovered in 2022.
Edgescan validates vulnerabilities based on the context of the unique issue, which does not always tally with CVSS scoring.
CWE/OWASP: Common Weakness Enumeration / OWASP API Top 10 reference.
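Two of the rows above (BOLA, API1:2019, and mass assignment, API6:2019) usually appear together in the same PATCH handler, so here is one added example, not Edgescan's code, that shows the vulnerable handler beside a hardened one. The in-memory user store, the record shape, the `role` attribute and the allow-list of writable fields are all constructed for this example.

```python
"""Broken object level authorization (API1) and mass assignment (API6):
a vulnerable PATCH /users/{id} handler beside a hardened one.

Added example, not from the report. The store, user records and body shape
are constructed for this example.
"""
import copy

SEED_USERS = {
    1: {"id": 1, "email": "alice@example.com", "role": "user",  "display_name": "Alice"},
    2: {"id": 2, "email": "bob@example.com",   "role": "user",  "display_name": "Bob"},
    9: {"id": 9, "email": "ops@example.com",   "role": "admin", "display_name": "Ops"},
}


def fresh_store():
    """A new copy of the seed data so every request (and test) starts clean."""
    return copy.deepcopy(SEED_USERS)


class Forbidden(Exception):
    pass


# --- vulnerable: PATCH /users/{target_id} -----------------------------------
def patch_user_vulnerable(store, caller_id, target_id, body):
    # BOLA: the id from the URL is trusted; nothing checks that caller_id may edit it.
    user = store[target_id]
    # Mass assignment: every JSON key is bound straight onto the object, so a client
    # sending {"role": "admin"} or {"id": 9} is accepted.
    user.update(body)
    return user


# --- hardened ---------------------------------------------------------------
WRITABLE = frozenset({"display_name", "email"})   # the only client-settable attributes


def patch_user_hardened(store, caller_id, target_id, body):
    caller = store[caller_id]
    # Object level authorization: ownership or an explicit admin role, decided server-side
    # from the authenticated caller, never from anything in the request.
    if caller_id != target_id and caller["role"] != "admin":
        raise Forbidden(f"user {caller_id} may not modify user {target_id}")
    # Reject, rather than silently drop, anything outside the allow-list so that
    # probing for hidden attributes shows up in the logs.
    unknown = set(body) - WRITABLE
    if unknown:
        raise ValueError(f"attributes not writable: {sorted(unknown)}")
    user = store[target_id]
    user.update({k: body[k] for k in WRITABLE if k in body})
    return user


def outcome(handler, store, caller_id, target_id, body):
    """Run a handler and report 'ok', 'forbidden' or 'rejected'."""
    try:
        handler(store, caller_id, target_id, body)
        return "ok"
    except Forbidden:
        return "forbidden"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    s = fresh_store()
    print("vulnerable:", outcome(patch_user_vulnerable, s, 2, 1, {"role": "admin"}), s[1]["role"])
    s = fresh_store()
    print("hardened:  ", outcome(patch_user_hardened, s, 2, 1, {"role": "admin"}), s[1]["role"])
```

The important design point is that the authorization decision and the attribute allow-list both live in the handler and are driven by the server's own view of the caller; a client-supplied id or attribute name can influence which object is looked up, but never whether the write is permitted or which fields it reaches.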
9. Web Applications: Critical Severity

Name | On CISA KEV | % of Total | CWE | CVE
SQL injection | – | 23.4% | CWE-89 | –
  SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query. Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.
Malicious File Upload | – | 22.7% | CWE-434 | –
  Uploaded viruses and malware could later be downloaded by users of the application. Such malware can cause partial or complete compromise of the network that the host resides on.
Cross-site scripting (stored) | – | 19.1% | CWE-79 | –
  Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, a message forum, a visitor log, a comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. Stored XSS is also sometimes referred to as Persistent or Type-II XSS.
Authorization Issue - Privilege Bypass | – | 7.8% | CWE-285 | –
  Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification or destruction of all data, or performing a business function outside the user's limits.
PHP Multiple Vulnerabilities | – | 7.1% | CWE-264 | CVE-2012-2688, CVE-2012-3365
  Multiple vulnerabilities pertaining to PHP patching.
Log4Shell (CVE-2021-44228) | Yes | 5.0% | CWE-917 | CVE-2021-44228
  A remote code execution vulnerability exists in Apache Log4j < 2.15.0 due to insufficient protections on message lookup substitutions when dealing with user-controlled input. A remote, unauthenticated attacker can exploit this, via a web request, to execute arbitrary code with the permission level of the running Java process.
Spring4Shell | Yes | 4.3% | CWE-94 | CVE-2022-22965
  The application appears to be vulnerable to CVE-2022-22965 (otherwise known as Spring4Shell): remote code execution (RCE) via data binding. Please note the detection of this vulnerability is not possible to verify with absolute certainty from an external perspective.
Weak Password Policy | – | 1.4% | CWE-521 | –
  System has poor password controls: no MFA, default credentials, etc.
Database Console Exposure | – | 1.4% | CWE-200 | –
  It was noted whilst testing the application that the database console was accessible. The database console provides access to privileged functionality which should not be accessible except by authorized users or networks. Access to the console could allow a malicious actor to execute SQL statements on the server.
File path traversal | – | 1.4% | CWE-35 | –
  This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory.

SQL injection is still the main contender (as it was in 2021), which is interesting to note as we can easily develop code (or block vectors) to mitigate such attacks.
Something which is overlooked quite frequently is malicious file upload, at 22.7% of total critical vulnerabilities discovered. This can give rise to ransomware, malware and internal network breach pivot points for attackers.
Log4Shell (first disclosed in late 2021) contributed 5% of all critical severity vulnerabilities discovered in 2022.
Authorization issues cover privilege escalation or access to restricted functionality which would result in a data breach.
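SQL injection tops the table above and is also the finding the text says is easiest to design out. As an added example (not Edgescan's code), here is the string-built query beside the parameterized one, run against a constructed in-memory SQLite table so both behaviours can be compared on the same payloads. The schema, the three user rows and the two attacker inputs are this example's own.

```python
"""SQL injection (CWE-89): a string-built query beside the parameterized one.

Added example, not from the report. Schema, rows and attacker inputs are
constructed; the database is in-memory SQLite so it runs offline.
"""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password_hash TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, is_admin) VALUES (?, ?, ?)",
        [("alice", "hash-alice", 0), ("bob", "hash-bob", 0), ("root", "hash-root", 1)],
    )
    return conn


def find_user_vulnerable(conn, username):
    """Builds the WHERE clause by string formatting: the caller controls the SQL grammar."""
    sql = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn, username):
    """Same query with a bound parameter: the input is only ever a value, never SQL."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()


# Constructed attacker inputs.
BYPASS = "' OR '1'='1"                                       # turns the filter into "always true"
DUMP = "x' UNION SELECT id, password_hash FROM users --"    # reads a column the query never exposed


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, bypass:", find_user_vulnerable(db, BYPASS))       # all three rows
    print("vulnerable, dump:  ", find_user_vulnerable(db, DUMP))         # password hashes
    print("parameterized:     ", find_user_parameterized(db, BYPASS))    # []
```

With the vulnerable query the bypass payload returns every row and the UNION payload returns the `password_hash` column in place of `username`; the parameterized version returns nothing for either, because the whole string is compared as a literal. The same fix applies to every driver on the page's stack (PHP PDO, JDBC, ORMs): bind values, never concatenate them.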
10. Non-Internet Facing – Critical Severity

% of all vulns | Name | CVSS | CVE | CWE | On CISA KEV | CVE on CISA KEV | EPSS
8.1% | Mozilla Firefox Security Updates (mfsa2022-24) - Windows | 9.8 | CVE-2022-2200, CVE-2022-34468, CVE-2022-34470, CVE-2022-34471, CVE-2022-34472, CVE-2022-34473, CVE-2022-34474, CVE-2022-34475, CVE-2022-34476, CVE-2022-34477, … | CWE-1321, CWE-190, CWE-416, CWE-601, CWE-617, CWE-787, CWE-79, CWE-824 | FALSE | – | 0.23331
8.0% | Adobe Acrobat Various Vulnerabilities | 10 | CVE-2009-0193, CVE-2009-0658, CVE-2009-0927, CVE-2009-0928, CVE-2009-1061, CVE-2009-1062, CVE-2019-7140, CVE-2019-7141, CVE-2019-7142, … | CWE-119, CWE-20 | TRUE | CVE-2009-0927 | 0.86734
7.4% | Mozilla Firefox Security Update Various | 9.6 | CVE-2022-0511, CVE-2022-22753, CVE-2022-22754, CVE-2022-22755, CVE-2022-22756, CVE-2022-22757, … | CWE-119, CWE-20, CWE-209, CWE-367, CWE-672, CWE-787, CWE-863 | FALSE | – | 0.01018
5.3% | Oracle Java SE Security Updates (apr2019-5072813) 01 - Windows | 9 | CVE-2019-2699 | – | FALSE | – | 0.00954
3.2% | Adobe Flash Player Various Vulnerabilities | 10 | CVE-2014-0497, CVE-2018-4877, CVE-2018-4878, CVE-2016-0964, CVE-2016-0965, CVE-2016-0966, CVE-2016-0967, CVE-2016-0968, CVE-2016-0969, … | CWE-189 | TRUE | CVE-2021-21017, CVE-2021-28550, CVE-2018-4939, CVE-2018-15961, CVE-2018-4878 | 0.94050
2.7% | Microsoft SQL Server Unsupported Version Detection | 10 | – | – | FALSE | – | –
2.6% | OS End Of Life Detection | 10 | – | – | FALSE | – | –
2.3% | SUSE: Various Security Advisories | 9.8 | CVE-2019-18902, CVE-2019-18903, CVE-2020-7216, CVE-2020-7217 | CWE-401, CWE-416, CWE-772 | FALSE | – | 0.01156
1.7% | Intel Active Management Technology Multiple Vulnerabilities (INTEL-SA-00295) | 9.8 | CVE-2020-0531, CVE-2020-0532, CVE-2020-0537, CVE-2020-0538, CVE-2020-0540, CVE-2020-0594, CVE-2020-0595, CVE-2020-0596, CVE-2020-11899, CVE-2020-11900, … | CWE-125, CWE-20, CWE-415, CWE-416, CWE-522 | TRUE | CVE-2020-11899 | 0.00885
0.7% | Apache Tomcat AJP RCE Vulnerability (Ghostcat) | 9.8 | CVE-2020-1938 | CWE-269 | TRUE | CVE-2020-1938 | 0.96554
0.7% | SUSE: Security Advisory (SUSE-SU-2022:3466-1) | 9.8 | CVE-2022-40674 | CWE-416 | FALSE | – | 0.17166
0.6% | HTTP Brute Force Logins With Default Credentials | 9 | – | – | FALSE | – | –

Mozilla Firefox and Adobe top the list with multiple CVEs. The Adobe Acrobat vulnerabilities are listed on the CISA KEV and have an EPSS score of 0.867.
Adobe Flash, Apache Tomcat and Intel AMT vulnerabilities also have CISA KEV entries. The Flash vulnerabilities have an EPSS score of 0.94 and Apache Tomcat (Ghostcat) an EPSS score of 0.966, albeit Ghostcat is not as common a weakness.
11. Vulnerability Clustering

Distribution of the number of vulnerabilities per asset*. Most assets across the full stack have multiple vulnerabilities:

Risk Cluster/Asset | % of Assets
1-10 vulnerabilities | 52.55%
11-100 vulnerabilities | 18.60%
100+ vulnerabilities | 9.35%

52.55% of all assets assessed in 2022 had between 1 and 10 vulnerabilities throughout the 12-month period.
18.6% of all assets assessed in 2022 had between 11 and 100 vulnerabilities, and 9.35% of assets had 100+ vulnerabilities.

*Assets are defined in Edgescan as an endpoint, API or web application.
12. Attack Surface Management (ASM)

Based on a sample of 500,000 continuous scans, the table below describes the services discovered to be exposed on the public Internet. (Standard ports such as HTTP 80 and HTTPS 443 are not included.)

Port | # discovered | Protocol | Notes
22 | 21910 | SSH | Exposed remote access service. There were 90 CVEs reported relating to SSH in 2022.
8443 | 17960 | HTTP | Potential pre-production web service.
8080 | 8660 | HTTP | Potential pre-production port.
179 | 8180 | BGP | Exposed Border Gateway Protocol service. There were 17 CVEs reported relating to BGP in 2022.
222 | 7190 | UDP | UDP service.
25 | 6290 | SMTP | Exposed SMTP email port.
5000 | 6270 | UPnP | Exposed Universal Plug and Play service. There were 5 CVEs reported relating to UPnP in 2022.
111 | 6000 | SUNRPC | Exposed RPC service. There were 4 CVEs reported relating to SUNRPC in 2022.
53 | 5680 | DNS | DNS service.
1720 | 5190 | H323 | Exposed H.323 VoIP call-signalling service. There were 8 CVEs reported relating to H323/SIP in 2022.
10000 | 4940 | NDMP | Exposed Network Data Management Protocol service.
264 | 4800 | SecuRemote | Check Point SecuRemote service.
3389 | 4540 | RDP | Exposed remote login. There were 16 CVEs reported relating to RDP in 2022.
1300 | 4500 | H323 | H.323 VoIP service. There were 8 CVEs reported relating to H323/SIP in 2022.
1719 | 4450 | SMB | Exposed SMB service. There were 18 CVEs reported relating to RDP in 2022.
21 | 2980 | FTP | File transfer service. There were 18 CVEs reported relating to FTP in 2022.
110 | 2020 | POP3 | Plain-text email service.
3306 | 1990 | MySQL | Exposed database; 'nuff said.
139 | 1730 | SMB | Server Message Block.
5432 | 1710 | PostgreSQL | Exposed database.
23 | 1540 | Telnet | Exposed remote access.

We still see exposed databases and remote access services, which are easily exploited for data theft, network breach or ransomware attacks.
Many of the exposed services of note had CVEs attributed to them in 2022.
SSH exposures were relatively common (21,910 exposures discovered). SSH had circa 90 new CVEs attributed to the protocol in 2022. Port 22 is subject to countless unauthorized login attempts by attackers looking for unsecured servers.
Moving the service off port 22 to a seemingly random port above 1024 (and up to 65535) is a cheap way to cut the volume of opportunistic scanning and brute-force noise. It does not hide the service from a targeted attacker or a full-range port scan, so it belongs alongside key-only authentication (password logins disabled), source-IP restriction where practical, and prompt patching.
Remote access exposures are a common attack vector for ransomware attacks as the first step of the attack chain.
13. Vulnerability Age

CVE Year | % of vulnerabilities in 2022* | % High or Critical Severity
2022 | 16.34% | 83.54%
2021 | 21.10% | 80.95%
2020 | 31.49% | 74.18%
2019 | 23.60% | 44.43%
2018 | 16.01% | 54.11%
2017 | 5.78% | 56.77%
2016 | 6.03% | 75.55%
2015 | 9.10% | 11.66%
2014 | 1.31% | 36.62%
2013 | 5.79% | 3.05%
2012 | 0.98% | 32.10%
2011 | 0.79% | 15.23%
2010 | 0.11% | 73.17%
2009 | 0.34% | 51.77%
2008 | 0.08% | 14.74%
2007 | 0.11% | 5.29%
2006 | 0.01% | 57.14%
2005 | 0.00% | 0.00%
2004 | 0.15% | 1.79%
2003 | 0.08% | 0.00%

[Chart: CVEs discovered in 2022, by CVE year. Series: "% discovered in 2022" and "% High or critical"; y-axis 0% to 90%.]

During 2022 we can see the percentages of aged CVEs discovered. E.g. 21.1% of the vulnerabilities discovered contained CVEs from 2021, with 80.95% of those considered High or Critical severity.

* The % of vulnerabilities containing a CVE from a specific year. Some assets had more than one vulnerability, and some assets had more than one CVE from multiple years, so the column does not sum to 100%.
14. Conclusions
• We are still not getting the basics right.
• In 2022 we’ve observed very basic vulnerabilities many of which are commonly leveraged by cybercrime.
• Continuous assessment, validation & prioritization will make a huge difference to any organization's cybersecurity posture.
• Resilience: “internal”/non-Internet-facing vulnerability management is certainly overlooked, possibly the reason for the ease of pivot by cybercrime organisations once they breach the perimeter.
• API security is still “the poor relation” to web application security, possibly due to poor tooling and approaches to API security assessment. API discovery is also an important tool to leverage to keep pace with what’s deployed publicly.
• Attack Surface Management (ASM) is not a “wishlist item” and aids decent vulnerability management coverage. Many exposures ASM detects are not CVE/OWASP related but rather due to poor visibility.
• Reliance on “Shift Left” security alone will not solve system insecurity when business system risk is viewed from a “full stack” perspective.
• Remediation times need to come down. This may be due to poor prioritization and a lack of understanding of “what matters” when assessing a “vulnerability backlog”.
• CISA KEV and EPSS are great tools when combined with CVSS. Validated, accurate vulnerability data has also proven to reduce MTTR and help manage the vulnerability backlog.
15. Thanks
March 2023 – Edgescan
Vulnerability Stats Report.
Download from www.edgescan.com
16. Is “Shift Left” working?
No, at least not as expected.
Global metrics (2022) point to the fact that things are worse than ever…
17. Is “Shift Left” working?
Observing behaviour is best when done in its living environment: “naturalistic observation”.
18. Shift Left?
Focuses on
• Application software during the development phase.
• In isolation (in many cases).
• In a test environment, which is probably dissimilar to the production environment.
• Data “food chain” not considered: upstream/downstream.
19. What are we securing?
Software is defined as the following: applications, APIs, OS, firewalls, cloud, load balancers, browsers, web servers, toasters, etc.
“Secure software only does what it was designed to do. Anything
else is weakness.”
20. “It’s the Software, Stupid…”
• The method of breach, pivot and exploit is all based on a couple of weaknesses:
• #1: Logical weaknesses, which include poor authentication, poor authorization and poor business logic design; and
• #2: Technical weaknesses, which are vulnerabilities in software: those weaknesses which can be exploited via tools, manual know-how or “commercial grade” exploitation toolkits.
21. “It’s the Software, Stupid…”
• #1 is due to poor design, poor peer review, poor understanding of use cases and environment, and a lack of awareness of potential threats/risks to the system.
• We have always had to contend with this.
• #2 is all about the software, stupid. Even though we have “shift left” coursing through our veins, even the biggest and most profitable/experienced enterprises are still producing critically weak systems which are widespread, amplifying the problem.
22. It can be argued….
Shift left is static:
The full stack system is being tested in an environment which does not
change around it.
Problem: Our environment is always changing. Even in the systems where
the developer code is not subject to too much change, the landscapes in
which they live are.
Vulnerabilities in the browser, the web server, the cryptography, and the
firewall all rely on each other and combined, deliver the system solution.
23. “Change gives rise to risk”
• When a system does not change: over time critical vulnerabilities are discovered and patches are released. Yesterday I was secure, today I have a Critical Risk. Need to patch/redeploy.
• When a system changes: new features deployed, new services exposed, larger attack surface, more exposed, more to attack, more headaches…
24. Enterprise Systems
Defined by Numerous Components.
Many of them open-source, third party, with various degrees of secure design and development.
1. A deployment environment developed by a third party, subject to vulnerabilities and human error.
2. A custom web application developed by the enterprise.
3. A firewall, WAF etc., also prone to vulnerabilities, coding errors.
4. A third-party client-side component
5. A B2B service to deliver a function we purchased and built.
In 90% of cases, Shift-Left Security would only help assure point 2 above, the developed code. We hope this highlights our main point and have painted a landscape of castles made of sand…
25. Conclusion #2:
We need to “get shifty…”
• We Need to Shift Left, Right, and Across the Full Stack…
• Shift Left makes sense - for developing secure code
• NOT to effectively measure a system’s security posture in the wild, where all the components are working
in tandem.
• We need to focus on run-time assessment, using automation for scale and efficiency, but
we need accuracy and depth also.
• Shifting right addresses some of this by virtue of production safe testing of an application
in its living environment. We need continuous assessment and attack surface
management to continuously monitor the asset, AND the environment in which it is
deployed….