Presentation is loading. Please wait.

Presentation is loading. Please wait.

Software Security Common Vulnerabilities Encoded During Development Chris Wysopal, CTO & Co-Founder, Veracode. ISACA Luncheon, 11:30am Tuesday, February.

Published byEleanor Wood Modified over 8 years ago

Similar presentations

Presentation on theme: "Software Security Common Vulnerabilities Encoded During Development Chris Wysopal, CTO & Co-Founder, Veracode. ISACA Luncheon, 11:30am Tuesday, February."— Presentation transcript:

1 Software Security Common Vulnerabilities Encoded During Development Chris Wysopal, CTO & Co-Founder, Veracode. ISACA Luncheon, 11:30am Tuesday, February 5, 2013

2 http://www.veracode.com/reports

3 The Data Set Applications from over 300 commercial and US government customers Scanned 9,910 applications over past 18 months Ranged in size from 100KB to 6GB Software was pre-release and in production Internally built, outsourced, open source, and commercial ISV code 3

4 4 ▸ Industry vertical ▸ Application supplier (internal, third-party, etc.) ▸ Application type ▸ Assurance level ▸ Language ▸ Platform Application Metadata ▸ Scan number ▸ Scan date ▸ Lines of code ▸ Flaw type Scan Data ▸ Flaw counts ▸ Flaw percentages ▸ Application count ▸ Risk-adjusted rating ▸ First scan acceptance rate ▸ Time between scans ▸ Days to remediation ▸ Scans to remediation ▸ CWE/SANS Top25 (pass/fail) ▸ OWASP Top Ten (pass/fail) ▸ Custom policies Application Security Metrics

5 5

6 Top 5 Attacked Web Application Vulnerabilities 6

7 7

8 8

9 9

10 Top 3 Vulnerabilities by Language 10

11 Top 3 Vulnerabilities by Language 11

12 Different developers deliver different vulns 12

13 Different industries accept different vulns 13 Vulnerability distribution by industry

14 How about mobile apps?

15 15 Distribution by industry Distribution by supplier type

16 16 Percentage of Android Apps Affected

17 17 Percentage of iOS Apps Affected

18 Study of Enterprise Testing of the Software Supply Chain 18 Feature Supplement of Veracode’s State of Software Security Report

19 Vendor Applications Are Proliferating Today’s business pressures require software and development outsourcing. Average enterprise has 600 mission critical apps. 65% or 390 apps are externally developed. Explosive growth in outsourced, commercial, SaaS, mobile and open source. Most enterprises understand the risk, not how to manage it. Source: Outsourcing Software Security Quocirca Research - April, 2012 Veracode Confidential

20 Dataset Overview Data from 939 application builds from Jan 2011 to Jun 2012

21 Testing Vendor Applications is a Growing Trend 21

22 Testing Vendor Applications a Growing Trend 22 Dominated by 2 industriesBroader distribution of industries Enterprises in many more industries request vendor application security tests Mar 2010 – Jul 2011 Aug 2011 – Jun 2012

23 Why is Vendor Application Testing a Growing Trend? 23 “Over the past 24 months, the number of security incidents attributed to customers, partners, and suppliers has nearly doubled.” –PwC 2012 Global State of Information Security Survey

24

25

26 * Slight differences between the total percentages in figures are due to rounding

27

28

29 29

30 Chris Wysopal cwysopal@veracode.com @weldpond Q UESTIONS ?

Download ppt "Software Security Common Vulnerabilities Encoded During Development Chris Wysopal, CTO & Co-Founder, Veracode. ISACA Luncheon, 11:30am Tuesday, February."

Similar presentations

State of Software Security 1 Jeff Ennis, CEH Solutions Architect Veracode.

State of Software Security 1 Jeff Ennis, CEH Solutions Architect Veracode.
© 2006 itSMF USA. All rights reserved. ITIL v3 – Familiar Ground, New Territory David Cannon ITSM Practice Principal - HP.

© 2006 itSMF USA. All rights reserved. ITIL v3 – Familiar Ground, New Territory David Cannon ITSM Practice Principal - HP.
Symphony Technology Group and IBS Bookmaster Pallab Chatterjee, IBS Executive Chairman.

Symphony Technology Group and IBS Bookmaster Pallab Chatterjee, IBS Executive Chairman.
Supplemental Figure 1 A No. at risk T3 530 483 304 185 50 T2 559 545 373 228 76 T1 540 532 375 208 64.

Supplemental Figure 1 A No. at risk T T T
Copyright © 2005 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
10.00 - 10.30Welcome - Tea and Coffee 10.30 – 11.00EI Strategy Overview Jim Cuddy, Dept Manageer, Software Division Enterprise Ireland, 11.00 – 11.30.

Welcome - Tea and Coffee – 11.00EI Strategy Overview Jim Cuddy, Dept Manageer, Software Division Enterprise Ireland, –
Line Efficiency     Percentage Month Today’s Date

Line Efficiency     Percentage Month Today’s Date
Improving Static Analysis Results Accuracy Chris Wysopal CTO & Co-founder, Veracode SATE Summit October 1, 2010.

Improving Static Analysis Results Accuracy Chris Wysopal CTO & Co-founder, Veracode SATE Summit October 1, 2010.
Company confidential Prepared by HERE Transit Sr. Product Manager, HERE Transit 21.04.2014 Product Overview David Volpe.

Company confidential Prepared by HERE Transit Sr. Product Manager, HERE Transit Product Overview David Volpe.
Peter Brudenall & Caroline Evans- Simmons & Simmons Marsh Technology Conference 2005 Zurich, Switzerland. Managing the Security Landscape – Legal and Risk.

Peter Brudenall & Caroline Evans- Simmons & Simmons Marsh Technology Conference 2005 Zurich, Switzerland. Managing the Security Landscape – Legal and Risk.
BUSINESS DRIVEN TECHNOLOGY

BUSINESS DRIVEN TECHNOLOGY
OWASP APPSEC, 2013 JEREMIAH GROSSMAN Founder and THE REAL STATE OF WEBSITE SECURITY and THE TRUTH ABOUT ACCOUNTABILITY and “BEST-PRACTICES.”

OWASP APPSEC, 2013 JEREMIAH GROSSMAN Founder and THE REAL STATE OF WEBSITE SECURITY and THE TRUTH ABOUT ACCOUNTABILITY and “BEST-PRACTICES.”
Release Management and Rollout A very brief overview.

Release Management and Rollout A very brief overview.
Security Scanning OWASP Education Nishi Kumar Computer based training

Security Scanning OWASP Education Nishi Kumar Computer based training
2013 AppSec Guide and CISO Survey: Making OWASP Visible to CISOs Marco Morana, Member of OWASP London, Project Lead of the OWASP, CISO Guide Tobias Gondrom,

2013 AppSec Guide and CISO Survey: Making OWASP Visible to CISOs Marco Morana, Member of OWASP London, Project Lead of the OWASP, CISO Guide Tobias Gondrom,
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Lean and (Prepared for) Mean: Application Security Program Essentials Philip J. Beyer - Texas Education Agency John B. Dickson.

Lean and (Prepared for) Mean: Application Security Program Essentials Philip J. Beyer - Texas Education Agency John B. Dickson.
1 Internet Security Threat Report X Internet Security Threat Report VI Figure 1.Distribution Of Attacks Targeting Web Browsers.

1 Internet Security Threat Report X Internet Security Threat Report VI Figure 1.Distribution Of Attacks Targeting Web Browsers.
McGraw-Hill/Irwin © 2006 The McGraw-Hill Companies, Inc. All rights reserved. BUSINESS DRIVEN TECHNOLOGY Chapter Ten: Extending the Organization – Supply.

McGraw-Hill/Irwin © 2006 The McGraw-Hill Companies, Inc. All rights reserved. BUSINESS DRIVEN TECHNOLOGY Chapter Ten: Extending the Organization – Supply.
August 27, 2008 Platform Market, Business & Strategy.

August 27, 2008 Platform Market, Business & Strategy.

Similar presentations

Ads by Google