Data Mining a Mountain of Vulnerabilities
Chris Wysopal
HITB Kuala Lumpur, October 10, 2012
conference.hackinthebox.org/hitbsecconf2012kul...
10 Biggest Breaches of 2011
Why so many application-related breaches?
Question:
Who would release a product riddled with security problems simply to make money?
Answer:
Pretty much every vendor out there.
- Andrew Hay, Senior Security Analyst
Building a Secure Application
Even educated developers make mistakes
It is difficult but easier than in the past
Automation can detect and point to about 2/3 of the top vulnerability categories
It’s a dereliction of duty to not perform adequate security testing before shipping
Waterholing trend
Attackers are adding vectors for breaching perimeter security:
Bribe an insider
Removable media (USB; the floppy is back)
Email attachment
Compromised website: the waterhole
RSA recently reported on the VOHO campaign
Could waterholes overtake spearphishing?
So let’s mine some data!
The Data Set
Applications from over 300 commercial and US government customers
Scanned 9,910 applications over past 18 months
Ranged in size from 100KB to 6GB
Software was pre-release and in production
Internally built, outsourced, open source, and commercial ISV code
Application Metadata
▸ Industry vertical
▸ Application supplier (internal, third-party, etc.)
▸ Application type
▸ Assurance level
▸ Language
▸ Platform
Scan Data
▸ Scan number
▸ Scan date
▸ Lines of code
▸ Flaw type
Application Security Metrics
▸ Flaw counts
▸ Flaw percentages
▸ Application count
▸ Risk-adjusted rating
▸ First scan acceptance rate
▸ Time between scans
▸ Days to remediation
▸ Scans to remediation
▸ CWE/SANS Top 25 (pass/fail)
▸ OWASP Top Ten (pass/fail)
▸ Custom policies
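The scan-level metrics listed above (first scan acceptance rate, days and scans to remediation, policy pass/fail), computed over a constructed data set as an added example; this is not the talk's own tooling or its exact metric definitions, and the `Scan` record, the watched CWE set and the pass/fail policy are assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Scan:
    app: str
    number: int    # scan number within the application
    scanned: date  # scan date
    flaws: dict    # CWE id -> flaw count found in this scan

# Assumed policy, not the talk's exact definition: a scan "passes" when it
# has no flaw in a watched CWE set (here a small OWASP Top Ten-style subset).
WATCHED_CWES = {79, 89, 22, 352}  # XSS, SQL injection, path traversal, CSRF

# Constructed sample data: three applications, six scans.
SCANS = [
    Scan("billing", 1, date(2012, 1, 10), {79: 12, 89: 3}),
    Scan("billing", 2, date(2012, 2, 20), {79: 4}),
    Scan("billing", 3, date(2012, 3, 15), {}),
    Scan("portal", 1, date(2012, 1, 5), {}),
    Scan("hr-app", 1, date(2012, 4, 1), {89: 1}),
    Scan("hr-app", 2, date(2012, 5, 1), {89: 1}),
]

def passes_policy(scan):
    """Pass/fail for one scan against the watched CWE set."""
    return not any(scan.flaws.get(cwe, 0) > 0 for cwe in WATCHED_CWES)

def by_app(scans):
    """Group scans per application, ordered by scan number."""
    apps = {}
    for s in sorted(scans, key=lambda s: (s.app, s.number)):
        apps.setdefault(s.app, []).append(s)
    return apps

def first_scan_acceptance_rate(scans):
    """Share of applications whose very first scan already passes."""
    apps = by_app(scans)
    return sum(passes_policy(h[0]) for h in apps.values()) / len(apps)

def remediation(scans):
    """Per app: (days, scans) from first scan to first passing scan; None if never passed."""
    result = {}
    for app, history in by_app(scans).items():
        first = history[0]
        fixed = next((s for s in history if passes_policy(s)), None)
        result[app] = None if fixed is None else (
            (fixed.scanned - first.scanned).days, fixed.number - first.number)
    return result
```

An application whose first scan passes gets a remediation time of (0, 0); one that never passes stays open, which is the case a pass/fail report should surface rather than average away.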
The latent vulnerabilities vs. the attacks
Top 5 Attacked Web Application Vulnerabilities
Let’s take a closer look at the numbers
Top 3 Vulnerabilities by Language
Top 3 Vulnerabilities by Language
Different developers deliver different vulns
Different industries accept different vulns
Vulnerability distribution by industry
Are developers making any progress at eradicating cross-site scripting or SQL injection?
Dare we ask, how is the U.S. government sector doing?
What percentage of web applications fail the OWASP Top Ten?
a) 34%
b) 57%
c) 86%
d) 99%
Who is holding their software vendors accountable?
Enterprise Industries
3rd Party Application Purpose
So I hear you can run applications on smartphones?
Distribution by industry
Distribution by supplier type
Percentage of Android Apps Affected
Percentage of iOS Apps Affected
When given an exam on application security fundamentals, over half of developers…
a) Receive an A
b) Receive a B or worse
c) Receive a C or worse
d) Fail (receive a D or F)