With the publication of the seventh ‘State of Software Security' report from Veracode this week, some organisations seem to be adopting an ‘Animal Farm' mindset to AppSec. All vulnerabilities might not be equal, but there could be danger in giving more credence to certain vulnerability types that might come back and bite them on the ass.
The Veracode 'State of Software Security' report suggests that even though XSS vulnerabilities are the most frequently occurring and SQLi the most common when it comes to 'severe vulnerability types' (and indeed the most reported by media) they are actually far from being the most common of all vulnerabilities.
The report says that if you just look at the occurrence of hard-coded passwords within the credentials management category, for example, then "just that single vulnerability type alone occurs more frequently than SQLi flaws."
This gets us to wondering what impact such a mindset might have on AppSec more broadly? If the thought process is, whether consciously or otherwise, that XSS and SQLi are at the top of the vulnerability tree then does this allow others to escape the level of attention they should really be getting?
After all, such things as information leakage, cryptographic issues, quality of code and directory
traversal are all still dangerous and need to be detected/removed. Yet can they sneak into the software threatscape relatively unnoticed if what we are primarily interested in are the most severe vulnerabilities?
This leaves two questions that need to be answered, it would appear: are organisations doing enough to ensure AppSec programs are actually effective, and what could organisations be doing better to ensure that AppSec really does work?
Chris Wysopal, co-founder and CTO at Veracode told SCMagazineUK.com that with the number of vulnerable components that remain pervasive in most software, it is clear that the industry's reactive approach to application security isn't working. “While Open Source software brings great value to the developer community with regards to improving speed to market” Wysopal says, for example “it brings inherent security risks that most developers are unaware of.”
Only through integrating security into the development cycle will organisations be able to begin eliminating this inherent risk, according to Wysopal. “Approaches including remediation coaching and eLearning opportunities for developers have had a notable impact on flaw density reduction” he told SC, concluding “without supporting the developer community to become more security-focused, and providing tools that allow them to scan and secure their applications throughout the development cycle without impeding speed to market, vulnerable components will remain pervasive.”
Ryan O'Leary, VP of Threat Research Centre at WhiteHat Security, adds that "companies need to make sure they're properly assessing the risk to their application.” He agrees that while XSS and SQL injection get the headlines, there are many other vulnerabilities that are potentially more dangerous and easier to pull off. “When looking at vulnerabilities found in their websites, businesses need to take into account both how severe the issue is, as well as how easy it is to accomplish” O'Leary told us in conversation “in addition, companies need to be mindful not to fall into the trap of just fixing the issues that take the shortest time.”
Which is a good point as often these are low-level issues with little risk. In most cases, the more dangerous the vulnerability, the harder it is to fix. This often leads businesses to put these off until later as it's a more resource-intensive activity. “This is the wrong way to think of the problem” O'Leary insists “prioritising the most critical issues first is the only way to truly improve the security posture of the website.”
Alex Mathews, EMEA technical manager of Positive Technologies points out that "it's also worth noting that a hacker may exploit several vulnerabilities in one attack; taken separately, each of these flaws may be rated as 'low' or 'medium' risk but their combination can create a serious threat.” And as Mark James, security specialist at ESET, reminds us “potentially every piece of code has vulnerabilities, the only way we are going to get safer is to stop using old outdated code and create new more secure software to do the same tasks.”