2019 edgescan vulnerability Stats report
Measure, so we can improve.
It's been a while since I've blogged anything, due to a lack of anything meaningful to say or the fact that few people actually want to listen :) but anyway... I've been working on the 2019 edgescan Vulnerability Stats report, which always gives me joy as I find it very interesting to see a real picture of the vulnerability landscape based on the clients we humbly serve via our edgescan SaaS.
Currently we assess thousands of web applications and hundreds of thousands of endpoints, all under continuous/on-demand cyber security assessment.
Industries such as finance, government, media, pharma, retail, energy and legal are all served by our SaaS, and the results make for some good reading when you look into the vulnerability statistics.
App layer is where the risk lives:
In 2018 we discovered that, on average, 19% of all vulnerabilities were associated with (Layer 7) web applications, APIs, etc., and 81% were network vulnerabilities.
The Risk Density is still high and has not changed significantly from last year's report.
Even though we find more vulnerabilities in the Infrastructure layer, the risk is certainly living in the application layer. This is due to the "snowflake effect": every application is unique, developed in a stand-alone fashion and serving a unique purpose, as opposed to infrastructure, which is commoditised and much more uniform.
Change and uniqueness certainly introduce additional risk.
Internal, non-public application layer security is worse: 24.9% of all discovered vulnerabilities are High or Critical Risk.
"Zero-day" vulnerabilities are a myth for the most part:
Most of the vulnerabilities discovered date from between 2011 and 2015. Believe it or not, the majority of vulnerabilities discovered out there are between four and seven years old. According to the Verizon DBIR (2018), the majority of breaches are also the result of exploitation of old, known vulnerabilities!
Vulnerability Taxonomy
The most common issues relate to client-side security, such as XSS and JavaScript injection attacks. Vulnerable components are also significant at 12.35%, followed by weak authentication at 9.25% of all discovered vulnerabilities.
2018's most common infrastructure vulnerabilities
No surprise that SSL/TLS issues top the chart as the most common vulnerability discovered in 2018. In recent years SSL/TLS has taken a battering, with many implementation and design weaknesses exposed. SMB security issues were also very common. What is worrisome here is that a decent amount of the SMB issues discovered related to CVE-2017-0144 and CVE-2017-0145 (EternalBlue, the SMB flaws exploited by the WannaCry and NotPetya malware).
More detail about the above and other issues will be discussed in the forthcoming 2019 Vulnerability Stats Report - coming soon!
Update: you can download the report here:
https://www.edgescan.com/company/vulnerability-stats/
Media Coverage:
https://www.infosecurity-magazine.com/news/web-application-security/
https://www.scmagazineuk.com/80-enterprise-systems-feature-unpatched-cve-vulnerabilities/article/1526226