2018 VULNERABILITY STATISTICS REPORT - Edgescan


2018 VULNERABILITY STATISTICS REPORT

edgescan Portal

ABOUT EDGESCAN

SaaS: edgescan is a ‘Security-as-a-Service (SaaS)’ vulnerability management service which detects vulnerabilities in both web application and hosting infrastructure alike.

Hybrid Scalable Assessments: edgescan detects both known (CVE) vulnerabilities and also web application vulnerabilities unique to the application being assessed due to our hybrid approach.

Analytics & Depth: Coupling leading edge risk analytics, production-safe automation and human intelligence, edgescan provides deep authenticated and unauthenticated vulnerability assessment across all layers of a system's technical stack. Historical data to measure your risk profile over time. Effortless visibility into your fullstack security posture at-a-glance – Vulnerability Intelligence.

Coverage: edgescan provides “fullstack vulnerability management” covering hosting environments, components & frameworks and developer-written code. Our edgescan advanced license even covers business logic and advanced manual testing techniques.

Support: Dedicated expert support from seasoned penetration testers and developers, to provide advice and remediation guidance.

Accuracy/Human Intelligence: All vulnerabilities discovered by edgescan are verified by our engineering team to help ensure they are a real risk and prioritised appropriately for our clients. Our analysts eliminate false positives and streamline the remediation process, saving valuable developer time and resources.

Rich API Integration: Our API makes it simple to plug edgescan into your ecosystem in order to correlate and reconcile, providing integration with GRC, Bug Tracking and DevSecOps systems alike.

One-click WAF: Rule generation supporting a variety of firewalls is also supported, helping you virtually patch discovered vulnerabilities.

Alerting: Customise alerting via email, SMS, Webhooks, Slack, API etc., based on custom criteria.

Continuous Asset Profiling: Continuous profiling of the entire Internet-facing estate, detecting changes in estate profile and eliminating blind spots.

Scale: Managing estates from one web application to thousands, from a single hosting environment to global cloud infrastructure, edgescan delivers continuous vulnerability intelligence, support and testing-on-demand.

Compliance: edgescan is a certified PCI ASV and delivers testing covering the OWASP Top 10, WASC threat classification, CWE/SANS Top 25, etc.

20 MOST PROMISING ENTERPRISE SECURITY SOLUTION PROVIDERS - 2017

INTRODUCTION

Vulnerabilities or bugs in software may enable cyber criminals to exploit both Internet facing and internal systems. Fraud, financial, data & identity theft, and denial-of-service attacks are often the result, leaving companies with serious losses or damage to their reputation. However, some of these issues can be easily avoided or at least mitigated.

This document discusses all of the vulnerabilities discovered by edgescan over the past year – during 2017. The vulnerabilities discovered are a result of providing “Fullstack” continuous vulnerability management to a wide range of client verticals; from Small Businesses to Global Enterprises, from Telecoms & Media companies to Software Development, Gaming, Energy and Medical organisations. The statistics are based on the continuous security assessment & management of thousands of systems distributed globally.

EXECUTIVE SUMMARY – 2017 IN REVIEW

Many of the problems uncovered in 2016 and the year before are still present. In 2017 we experienced some major cybersecurity breaches, many of which were a result of a technical security issue. Both large global organisations and governments were breached, resulting in millions of client records being stolen. Common vulnerabilities are still easy to find due to insecure programming practices.

“Known vulnerabilities” (CVEs) are also pervasive, with a high percentage of systems containing multiple CVEs. Old CVEs are still commonplace and could result in a breach or in non-compliance at a minimum.

The risk density of Web Applications is still an issue due to their uniqueness – every application is developed differently. Cryptographic implementation flaws are still commonplace.

The lack of system patching is still a large source of vulnerabilities. Configuration and maintenance are significant root causes of attacks ranging from Ransomware to data disclosure attacks.

APPLICATION LAYER RISK DENSITY

20% of all vulnerabilities discovered are High or Critical Risk.

Application layer risk density (chart): Critical Risk 2.7%, High Risk 17.3%, Medium Risk 12%, Low Risk 28%, Minimal Risk 40%.

Every application is unique and developed uniquely, which manifests in a high risk density.

TIME-2-FIX (WEB APPLICATIONS / LAYER 7)

Up to 7 days: 22%
8 – 30 days: 21%
31 – 90 days: 30%
Over 90 days: 25%

Average time to close a discovered vulnerability is 67 days.

#ProTip: edgescan support helps your development staff understand and mitigate discovered issues. Retest On-Demand via the console or API can help you retest your fixes when required.

NETWORK LAYER RISK DENSITY

2% of all vulnerabilities discovered are High or Critical Risk.

Network layer risk density (chart): Critical Risk 0.6%, High Risk 1.5%, Medium Risk 11.4%, Low Risk 43.5%, Minimal Risk 43%.

Hosting infrastructure and cloud is commoditised and appears to be easier to secure and maintain, resulting in a lower percentage of high and critical risk density.

TIME-2-FIX (NETWORK LAYER)

Up to 7 days: 6%
8 – 30 days: 35%
31 – 90 days: 37%
Over 90 days: 21%

Average time to close a discovered vulnerability is 62 days.

#ProTip: Visibility is key to understanding your technical asset estate and the potential for a vulnerability arising. Alerting, technical support and proactive threat intelligence via edgescan can keep you informed as issues are discovered, helping you fix discovered issues quicker and more efficiently.

FULLSTACK VULNERABILITY VIEW

In 2017 we discovered that on average, 27% of all vulnerabilities were associated with web applications and 73% were S

Fullstack Vulnerability View (chart): 2% High & Critical Risk – % of High & Critical Risk issues in network layer.

The network has a higher vulnerability density but the web application layer is where the majority of the high and critical risk exposure resides. This is due to each application being uniquely developed (not commoditised) and apparent difficulties in managing component version control and patching of third party libraries.

#ProTip: Consider component version control to help manage framework vulnerabilities. Open source libraries and framework components, not developed by your development team, can be a source of vulnerabilities.

Application (Layer 7) Vulnerabilities (chart): 20% High & Critical Risk – % of High & Critical Risk issues in web layer.

Secure application development practices have evolved significantly over the past 5 years. Integrating security into the development cycle (DevSecOps) and catching issues early is a recommended approach to reducing the potential of vulnerabilities in the production environment.

#ProTip: Consider integrating Application layer scanning as part of the QA cycle in your SDLC. This can help catch issues early. Tracking and metrics are also important in order to focus developer awareness. edgescan can integrate into your SDLC via our API and CloudControl virtual appliance to help you detect vulnerabilities earlier in the development lifecycle.

PCI ASV VIEW

The PCI DSS standard defines that a vulnerability with a base CVSSv2 score of 4.0 or more is a compliance fail. edgescan is a certified PCI ASV and assists clients with PCI DSS compliance by leveraging its fullstack security assessment technology and technical

PCI ASV view (chart):
18% of all vulnerabilities discovered in 2017 had a score equal to or higher than 4.0 – PCI DSS fail.
13% of all network layer vulnerabilities discovered in 2017 had a score equal to or higher than 4.0 – PCI DSS fail.
32% of all web application vulnerabilities discovered in 2017 had a score equal to or higher than 4.0 – PCI DSS fail.

Common Vulnerability Scoring System (CVSS), http://www.first.org/cvss/, base score, as indicated in the National Vulnerability Database (NVD), http://nvd.nist.gov/cvss.cfm (where s/pci dss technical and operational requirements for approved scanning vendors ASVs v1-1.pdf

CVE – COMMON VULNERABILITIES AND EXPOSURES
HTTPS://CVE.MITRE.ORG/

Common Vulnerabilities and Exposures (CVE) is a list of common identifiers for publicly known cyber security vulnerabilities. Many systems have a CVE which defines a security issue known to the public. Generally there is a workaround or a patch to mitigate this issue.

Systems with CVEs exposed generally are not being patched regularly. It takes time and effort to patch, but it appears patching can still reduce one's exposure to breach and increase security significantly.

CVEs (Known Vulnerabilities) can be detected quickly using a continuous assessment model. Even though your source code does not change, a vulnerability may be discovered which may require your attention; continuous visibility is the key to detecting CVEs.

CVE LANDSCAPE

Oldest CVE: CVE-1999-0517 – An SNMP community name is the default (e.g. public), null, or missing. CVSS v2: 7.5

Most Common: CVE-2004-2761 – The MD5 Message-Digest Algorithm is not collision resistant, which makes it easier for context-dependent attackers to conduct spoofing attacks, as demonstrated by attacks on the use of MD5 in the signature algorithm of an X.509 certificate. CVSS v2: 5.0

Systems with Multiple Vulnerabilities: 34% of systems assessed had two or more verified CVEs.

% OF CVE vs

#ProTip: Patching and version maintenance is still a key part of maintaining a secure posture. Many systems have vulnerabilities which simply have not been discovered yet; once they are, a patch is usually available shortly after. It is recommended to keep pace with patching. edgescan can identify vulnerable systems and services, and alerting can be used to notify you of any required security tasks or exposed services.
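The figures in the risk density, time-to-fix, PCI ASV and CVE landscape sections are all derived from the same kind of data: a list of verified findings with a layer, a risk band, a CVSS v2 base score, an optional CVE identifier and discovery/closure dates. The Python below is an added worked example showing how a team can compute those same metrics from its own findings export; it is not edgescan code and not part of this report. The record layout is an assumption, and the hostnames, dates and scores are constructed sample data (the two CVE identifiers are the ones named in the report).

```python
"""Compute fullstack vulnerability metrics of the kind shown in the report:
risk-band density per layer, high/critical share, PCI DSS ASV fail rate
(CVSS v2 base score >= 4.0), time-to-fix buckets with average days, share of
hosts carrying two or more distinct verified CVEs, and oldest/most common CVE.
Added example; the Finding layout is an assumption and the data is constructed."""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

PCI_FAIL_THRESHOLD = 4.0  # CVSS v2 base score at or above this fails PCI DSS ASV scanning
RISK_BANDS = ("critical", "high", "medium", "low", "minimal")
TTF_BUCKETS = (("up to 7 days", 0, 7), ("8-30 days", 8, 30),
               ("31-90 days", 31, 90), ("over 90 days", 91, None))


@dataclass(frozen=True)
class Finding:
    host: str
    layer: str                 # "web" (layer 7) or "network" (below layer 7)
    risk: str                  # one of RISK_BANDS, as verified by an analyst
    cvss_v2: float             # CVSS v2 base score
    cve: Optional[str]         # CVE id for a known vulnerability, None for app-specific issues
    discovered: date
    closed: Optional[date]     # None while the finding is still open


# Constructed sample findings (hostnames and dates are illustrative only).
FINDINGS: List[Finding] = [
    Finding("app1.example", "web", "critical", 9.0, None, date(2017, 1, 10), date(2017, 1, 15)),
    Finding("app1.example", "web", "high", 7.5, None, date(2017, 2, 1), date(2017, 3, 20)),
    Finding("app2.example", "web", "medium", 4.3, None, date(2017, 3, 1), date(2017, 7, 1)),
    Finding("app2.example", "web", "low", 2.6, None, date(2017, 4, 1), None),
    Finding("app3.example", "web", "minimal", 0.0, None, date(2017, 5, 1), date(2017, 5, 5)),
    Finding("host1.example", "network", "high", 7.5, "CVE-1999-0517", date(2017, 1, 3), date(2017, 1, 30)),
    Finding("host1.example", "network", "medium", 5.0, "CVE-2004-2761", date(2017, 1, 3), date(2017, 4, 10)),
    Finding("host2.example", "network", "medium", 5.0, "CVE-2004-2761", date(2017, 2, 2), date(2017, 2, 8)),
    Finding("host2.example", "network", "low", 2.1, None, date(2017, 2, 2), date(2017, 8, 1)),
    Finding("host3.example", "network", "medium", 4.0, None, date(2017, 6, 1), None),  # exactly 4.0: still a fail
]


def _pct(part: int, whole: int) -> float:
    """Percentage rounded to one decimal; 0.0 for an empty population."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def by_layer(findings: List[Finding], layer: Optional[str]) -> List[Finding]:
    """All findings, or only those in one layer when a layer is given."""
    return [f for f in findings if layer is None or f.layer == layer]


def risk_density(findings: List[Finding], layer: Optional[str] = None) -> Dict[str, float]:
    """Share of findings in each risk band, as in the risk density charts."""
    subset = by_layer(findings, layer)
    counts = Counter(f.risk for f in subset)
    return {band: _pct(counts[band], len(subset)) for band in RISK_BANDS}


def high_or_critical_share(findings: List[Finding], layer: Optional[str] = None) -> float:
    """Percentage of findings rated high or critical."""
    subset = by_layer(findings, layer)
    return _pct(sum(f.risk in ("critical", "high") for f in subset), len(subset))


def pci_fail_rate(findings: List[Finding], layer: Optional[str] = None) -> float:
    """Percentage of findings at or above the PCI DSS ASV threshold (CVSS v2 >= 4.0)."""
    subset = by_layer(findings, layer)
    return _pct(sum(f.cvss_v2 >= PCI_FAIL_THRESHOLD for f in subset), len(subset))


def time_to_fix(findings: List[Finding], layer: Optional[str] = None) -> Tuple[Dict[str, float], float]:
    """Bucket closed findings by days-to-close; returns (bucket -> %, average days).
    Open findings are excluded rather than counted as zero days."""
    days = [(f.closed - f.discovered).days for f in by_layer(findings, layer) if f.closed is not None]
    buckets = {}
    for label, lo, hi in TTF_BUCKETS:
        n = sum(lo <= d and (hi is None or d <= hi) for d in days)
        buckets[label] = _pct(n, len(days))
    avg = round(sum(days) / len(days), 1) if days else 0.0
    return buckets, avg


def multiple_cve_share(findings: List[Finding]) -> float:
    """Percentage of assessed hosts with two or more distinct verified CVEs."""
    hosts = {f.host for f in findings}
    cves_per_host: Dict[str, set] = {}
    for f in findings:
        if f.cve:
            cves_per_host.setdefault(f.host, set()).add(f.cve)
    return _pct(sum(len(s) >= 2 for s in cves_per_host.values()), len(hosts))


def cve_landscape(findings: List[Finding]) -> Tuple[Optional[str], Optional[str]]:
    """(oldest CVE by the year in its id, most frequently seen CVE), or (None, None)."""
    ids = [f.cve for f in findings if f.cve]
    if not ids:
        return None, None
    oldest = min(ids, key=lambda c: int(c.split("-")[1]))
    most_common = Counter(ids).most_common(1)[0][0]
    return oldest, most_common


if __name__ == "__main__":
    for layer in ("web", "network"):
        print(layer, risk_density(FINDINGS, layer), "high/critical:", high_or_critical_share(FINDINGS, layer))
        print(layer, "PCI fail:", pci_fail_rate(FINDINGS, layer), "time-to-fix:", time_to_fix(FINDINGS, layer))
    print("hosts with 2+ CVEs:", multiple_cve_share(FINDINGS), "landscape:", cve_landscape(FINDINGS))
```

Two details matter when reproducing the report's numbers on real data: the PCI comparison is inclusive (a base score of exactly 4.0 fails), and time-to-fix must be computed only over findings that have actually been closed, otherwise open findings drag the average down and hide slow remediation.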

VULNERABILITY TAXONOMY

Previously we have discussed the rates of vulnerability across both Web Applications and Hosting environments. What might be interesting is what type of vulnerabilities are being discovered. The following is a high level breakdown of the types of issues being discovered.

Below Layer 7 / Layer 7

From a Host/Network perspective we still see a large % of issues are related to Cryptography, which covers issues such as deprecated protocol support, CVEs and poor implementation.

From an application security standpoint, insecure configuration is also a significant issue, followed by client-side security. Injection attacks are also relatively high given how destructive they can be.

Weak configuration also gives rise to a significant percentage of discovered vulnerabilities.

NETWORK VULNERABILITY TAXONOMY (chart; percentages shown: 1%, 45%, 22%, 18%)

Categories: Admin Consoles; SSL/TLS/SSH – BREACH, SWEET, POODLE, DROWN, BEAST, CRIME; Exposed Services; Crypto; RDP/Terminal Services; Configuration; Patching.

Issue types listed in the chart:
File (item cut off in source)
Microsoft IIS
Microsoft Outlook
MS 2003
OpenSSL
Short Key Length
Weak Hashing
Weak Ciphers
RC4 Support
Default Credentials
FTP Exposure
HSTS Config
RDP Security
Samba
Apache Vulnerabilities
Microsoft Vulnerabilities
Weak SMB Config
Deprecated SSL
Cisco Vulnerabilities
OpenSSH Vulnerabilities
Expired SSL/TLS certs
Unsupported Unix
DNS Vulnerabilities
OpenSSL Vulnerabilities
Misconfigured Certs
Unsupported Web Servers (IBM, Apache etc.)
Firewall evasion
BSD Vulnerabilities
Terminal Services Security
IKE Security Issues
PHP Vulnerabilities
Unencrypted/Telnet
IPMI Weaknesses
WordPress Vulnerabilities
Default Pages & Services
TCP/IP Stack Security
Lack of encryption

APPLICATION VULNERABILITY TAXONOMY (chart; percentages shown: 29%, 3%, 1%, 5%, 6%, 20%)

Categories: Insecure Configuration/Insecure Deployment; Exposed Interface; Denial of Service; Information Leakage.

Issue types listed in the chart:
Directory Listing
Web Admin consoles
Application Layer DoS
File Path Traversal
Development Files
Default Documents
Default/Weak Server/Framework Security Settings
Malicious file upload
Vertical Authorisation
Exposed S3 buckets
Horizontal Authorisation
APIs
Bypass Client-side Controls
Privilege Escalation
Debugging Enabled
Insecure Protocols Enabled
Insecure HTTP Methods
Unsupported Frameworks
Insecure (item cut off in source)
Cross-Site Scripting (XSS)
Clickjacking
Default Credentials
Weak Logic
Weak Password Policy
Username Enumeration
Credential transmission without encryption
Session Management
CORS
Weak Protocol
Cross-Domain Leakage
No encryption
Form Hijacking
CSRF
HTML Injection
Open Redirection
DOM SQL Injection
CRLF Injection
XXE
External Service Interaction
File Path
Header Injection
OS Command Injection
Default Error Pages
System Information Leakage
Caching
Sensitive Information Disclosure Weaknesses
Metadata Disclosure
Exposed Business Intel & Documents
Private IP Address Leakage
Source Code Disclosure

CONCLUSION

AWARENESS
Application security needs to become a board-level conversation in your organization, if it is not already.

TEAM
Work with IT and operations to apply scheduled maintenance windows aimed at updating systems and frameworks with security patches using a risk based approach.

MEASURE
Management sponsorship for application security should be result-oriented to help raise your organisation's security posture.

REWARD
Rewarding of development teams and gamification, including metrics and measuring the security posture of the business's applications, should be considered.

CAPABILITY
Security champions need to have the resources and services they require to identify and fix vulnerabilities in software and supporting hosting environments faster.

VISIBILITY
Adopt a process of visibility across the entire cyber-estate. Detection of services, ports, patches and protocols supported on an on-going basis is key to understanding change and management of risk.

BILL OF MATERIALS
Understand the composition of software applications and prioritize the vulnerable libraries and frameworks for your teams to maintain.

KNOWLEDGE
Developer training, frequent software assessment early in the development lifecycle and security analytics are key to implementing a security program that complements your organisation's software development lifecycle.

2018. BCC Risk Advisory Ltd. www.bccriskadvisory.com

FULLSTACK VULNERABILITY MANAGEMENT
IRL: 353 (0) 1 6815330
UK: 44 (0) 203 769 0963
US: 1 646 630 8832
Sales and general com
