
Unpacking the Numbers: A Snapshot into Current Web Application Vulnerabilities

This article provides insights into the current state of web application vulnerabilities, including data analysis, top issues, and common attack techniques. It also offers recommendations for improving security.


Presentation Transcript


  1. A snapshot into current Web Application vulnerabilities

  2. Introduction Willem Mouton willemm@senseofsecurity.com.au @w_m__

  3. Why we like numbers (and WebApps) • Unpacking the numbers • Digging a bit deeper • Dealing with the root cause • Closing thoughts • Q&A

  4. Why we like numbers (and WebApps) • Improves our internal processes and quality • Provides (somewhat of) a measurement against industry • Helps answer some of your most burning questions

  5. Unpacking the numbers https://xkcd.com/

  6. Unpacking the numbers Data collected from • 175 reports reviewed* • 3670 findings analysed** • Average of 21 findings per report • Roughly 40% of our projects

  7. Unpacking the numbers Sense of Security Risk Matrix

  8. Unpacking the numbers Top 10 issues identified in 2018 (irrespective of risk level)

  9. Unpacking the numbers Top 10 issues identified in 2018 (irrespective of risk level) We’ll get back to these

  10. Unpacking the numbers SOS Top 10 categories vs OWASP Top 10 (and why they differ on paper)

  11. Unpacking the numbers Large vs Small (on average across all reports)

  12. Unpacking the numbers Private sector vs Government (on average across all reports)

  13. Digging deeper https://xkcd.com/

  14. Digging deeper Data validation remains a massive problem SQL Injection 11% of all applications tested had at least one instance 20-year-old technique Fully industrialised attacks Widely used in breaches Noisy but low detection rate
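The slide gives the statistic but not the mechanism. The following is an added example, not part of the presentation: a login query built by string concatenation beside the same query with bound parameters, run against a constructed in-memory SQLite table (the table, users and payloads are assumptions for the demonstration). The two payloads are the classic ones the "20-year-old technique" refers to: a comment marker that removes the password check, and a tautology that makes the WHERE clause true for every row.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the presentation).
# Passwords are stored in clear only to keep the injection example short;
# a real application stores a salted password hash.
SAMPLE_USERS = [
    ("alice", "correct horse", "admin"),
    ("bob", "hunter2", "user"),
]


def make_db():
    """Return an in-memory SQLite database seeded with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: the input is pasted into the SQL text.

    A quote in the input ends the string literal and the rest of the input
    becomes SQL, so the attacker controls the WHERE clause."""
    query = (
        "SELECT username, role FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(query).fetchone()


def login_safe(conn, username, password):
    """Bound parameters: the statement is fixed, the values travel separately.

    Quotes, comment markers and OR clauses in the input are compared as
    plain characters against the column, never parsed as SQL."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


# Constructed payloads: a comment that drops the password check, and a
# tautology that makes the WHERE clause true for every row.
COMMENT_OUT_PASSWORD = "alice' --"
TAUTOLOGY_PASSWORD = "' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, COMMENT_OUT_PASSWORD, "wrong"))
    print("vulnerable:", login_vulnerable(db, "nobody", TAUTOLOGY_PASSWORD))
    print("safe:      ", login_safe(db, COMMENT_OUT_PASSWORD, "wrong"))
    print("safe:      ", login_safe(db, "nobody", TAUTOLOGY_PASSWORD))
```

The vulnerable function logs "alice" in as admin with either payload; the parameterised one returns no row for both and still authenticates a real user. Parameterisation is the fix, not escaping: the driver never lets the value change the statement's structure.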

  19. Digging deeper Data validation remains a massive problem Cross-Site Scripting 31% of all applications tested had at least one instance More complicated, but can be more damaging

  20. Digging deeper Data validation remains a massive problem Cross-Site Scripting 31% of all applications tested had at least one or more instances More complicated, but can be more damaging
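"More complicated" here mostly means that the right encoding depends on where the value lands in the page. The block below is an added example, not from the presentation, showing a reflected parameter in three contexts: an HTML text node, a URL inside a quoted attribute, and a user-supplied whole URL, where encoding alone does nothing against a `javascript:` scheme. The payloads and page fragments are constructed for the demonstration.

```python
import html
from urllib.parse import quote, urlsplit


def render_unsafe(name):
    """Reflects the parameter straight into the page (deliberately vulnerable):
    any markup in `name` is parsed by the browser as part of the document."""
    return "<p>Hello, %s!</p>" % name


def render_safe(name):
    """HTML text context: entity-encode so the browser sees text, not tags."""
    return "<p>Hello, %s!</p>" % html.escape(name)


def redirect_link(next_path):
    """Attribute + URL context: percent-encode the value (safe="" so that
    even '/' and '?' are encoded) and keep the attribute quoted, so the
    input cannot close the attribute and start an event handler."""
    return '<a href="/login?next=%s">continue</a>' % quote(next_path, safe="")


def user_link(url):
    """User-controlled whole URL: encoding alone is not enough, because
    'javascript:alert(1)' contains nothing to escape. Allow-list the
    scheme first, then attribute-encode. Returns None when rejected."""
    url = url.strip()
    if urlsplit(url).scheme.lower() not in ("http", "https"):
        return None
    return '<a href="%s">link</a>' % html.escape(url, quote=True)


# Constructed payloads, one per context.
TEXT_PAYLOAD = "<script>alert(document.cookie)</script>"
ATTR_PAYLOAD = '" onmouseover="alert(1)'
SCHEME_PAYLOAD = "JavaScript:alert(1)"

if __name__ == "__main__":
    print(render_unsafe(TEXT_PAYLOAD))
    print(render_safe(TEXT_PAYLOAD))
    print(redirect_link(ATTR_PAYLOAD))
    print(user_link(SCHEME_PAYLOAD), user_link("https://example.com/?a=1&b=2"))
```

A template engine with auto-escaping covers the first case by default; the attribute and URL cases are where hand-built strings still get through review, and a Content-Security-Policy without `unsafe-inline` is the backstop when one does.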

  21. Digging deeper The forgotten software stack Components with known vulnerabilities 31% of all applications tested had outdated components Mostly ignored Hosting via 3rd-party CDN providers Poor internal management of code dependencies https://builtwith.com/

  24. Digging deeper 88% of all applications tested had SSL/TLS issues Certificate issues Protocol issues Cipher / Configuration issues Known attacks Standardisation lacking
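The three categories on this slide map onto three settings of a TLS context, and the "standardisation lacking" point is that each team sets them differently. The block below is an added example, not from the presentation: a small audit of a Python `ssl.SSLContext` for the certificate, protocol and cipher findings a report would raise, applied to a hardened client context and to the weakened one that results from "fixing" certificate errors by turning verification off. The cipher string and the finding wording are choices made for this example, not a standard the slide prescribes.

```python
import ssl

MIN_OK = ssl.TLSVersion.TLSv1_2   # TLS 1.0 and 1.1 are deprecated (RFC 8996)


def audit_client_context(ctx):
    """Return findings for an SSLContext in the report's categories:
    certificate, protocol and cipher/configuration."""
    findings = []
    if ctx.minimum_version < MIN_OK:
        findings.append("protocol: TLS 1.0/1.1 still negotiable")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate: peer certificate not verified")
    if not ctx.check_hostname:
        findings.append("certificate: hostname not matched against certificate")
    # get_ciphers() lists the suites the context will offer; 'aead' is False
    # for CBC-mode suites, which is what the known-attack findings target.
    non_aead = sorted({c["name"] for c in ctx.get_ciphers() if not c["aead"]})
    if non_aead:
        findings.append("cipher: %d non-AEAD suites enabled, e.g. %s"
                        % (len(non_aead), non_aead[0]))
    return findings


def hardened_client_context():
    ctx = ssl.create_default_context()   # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = MIN_OK
    # Forward secrecy (ECDHE) with AEAD suites only; TLS 1.3 suites are
    # configured separately by OpenSSL and stay enabled.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!3DES")
    return ctx


def weakened_client_context():
    """What a client looks like after someone silenced certificate errors:
    no verification, and OpenSSL's DEFAULT list, which still includes CBC
    suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers("DEFAULT")
    if ssl.HAS_TLSv1:
        try:
            ctx.minimum_version = ssl.TLSVersion.TLSv1
        except ValueError:               # some builds refuse to re-enable TLS 1.0
            pass
    return ctx


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()),
                       ("weakened", weakened_client_context())):
        print(label, audit_client_context(ctx) or ["no findings"])
```

The same three checks, phrased as a server-side configuration standard (minimum protocol, verification requirements, an allow-listed cipher string), are what removes the 88% figure: one agreed profile applied everywhere rather than per-project tuning.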

  25. Digging deeper Some honourable mentions XML external entity vulnerabilities Serialization issues Server-side request forgery (SSRF)

  26. Root cause • Configuration • Design • Implementation


  28. A quick segue Consider the ecosystem your web application lives in Most common attack actively being used: Credential stuffing Known breaches (Don't be in one of them) #ShamelessPromotions Our Whitepaper on External Network Pentesting
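Credential stuffing needs nothing from the application except a login form and a list from someone else's breach, so the controls are on the application side. The block below is an added example, not from the presentation, of two of them: a breached-password check using the k-anonymity range-query scheme (send the first five hex characters of the SHA-1, compare suffixes locally, as Have I Been Pwned's Pwned Passwords API does; the corpus here is a constructed stand-in), and a sliding-window throttle on failed logins. Names, thresholds and the sample addresses are assumptions for the demonstration.

```python
import hashlib
import time
from collections import defaultdict, deque

# Constructed stand-in for a breach corpus (a few well-known leaked passwords).
# A real deployment queries a range API instead of holding the corpus itself.
LEAKED_PASSWORDS = {"password", "hunter2", "letmein", "qwerty123", "P@ssw0rd"}


def sha1_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_lookup(prefix):
    """Server side of a k-anonymity range query: every known hash suffix for
    the 5-character prefix. The full hash of the password never leaves the
    client, so the service cannot tell which candidate was being checked."""
    return {h[5:] for h in map(sha1_upper, LEAKED_PASSWORDS) if h.startswith(prefix)}


def is_breached(password, lookup=range_lookup):
    """Client side: send only the prefix, compare suffixes locally."""
    digest = sha1_upper(password)
    return digest[5:] in lookup(digest[:5])


class StuffingThrottle:
    """Sliding-window count of failed logins per key (source address or
    target account). Stuffing tools spread requests across many addresses,
    so throttle per account as well as per source, and pair this with MFA."""

    def __init__(self, max_failures=10, window_seconds=300):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self._failures = defaultdict(deque)

    def _recent(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window_seconds:
            q.popleft()                  # drop failures outside the window
        return q

    def record_failure(self, key, now=None):
        now = time.monotonic() if now is None else now
        self._recent(key, now).append(now)

    def is_blocked(self, key, now=None):
        now = time.monotonic() if now is None else now
        return len(self._recent(key, now)) >= self.max_failures


if __name__ == "__main__":
    print("hunter2 breached:", is_breached("hunter2"))
    throttle = StuffingThrottle(max_failures=3, window_seconds=60)
    for attempt in range(3):
        throttle.record_failure("203.0.113.9", now=100 + attempt)
    print("blocked now:", throttle.is_blocked("203.0.113.9", now=103))
    print("blocked later:", throttle.is_blocked("203.0.113.9", now=200))
```

Run the breach check when a password is set or changed, and after a successful login to force a reset, rather than on every failed attempt, where the answer would only tell the attacker which of their candidates were worth trying.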

  30. Closing thoughts https://xkcd.com/

  31. Closing thoughts Changing next year's report Security from design to …. to BAU Consider all vulnerabilities Create development / deployment standards for your organisation Automation is key, but don't forget the manual work Use industry guidelines, OWASP ASVS is great Training

  33. Questions? https://xkcd.com/

  34. A snapshot into current Web Application vulnerabilities
