• No results found

Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?"

Copied!
31
0
0

Loading.... (view fulltext now)

Download now ( 31 Page )

Full text

(1)

Dan Cornell

Denim Group, Ltd.

Remediation Statistics:

What Does Fixing Application

Vulnerabilities Cost?

(2)

Agenda

ƒ

An Innocent Question

ƒ

Finding a Structure for Remediation Projects

ƒ

Methodology

ƒ

Remediation Data

ƒ

Analysis and Recommendations

(3)

Fixing a Cross-Site Scripting (XSS)

Vulnerability

How long does it take?

A)

9.6 minutes

B)

16.2 minutes

C)

84 minutes

D)

It doesn’t matter

(4)

Fixing a Cross-Site Scripting (XSS)

Vulnerability

How long does it take?

A)

9.6 minutes – Average fix time for stored XSS

(no load)

B)

16.2 minutes – Average fix time for reflected

XSS (no load)

C)

84 minutes – Average fix time for stored and

reflected (loaded)

D)

It doesn’t matter

(5)

Fixing a Cross-Site Scripting (XSS)

Vulnerability

How long does it take?

A)

9.6 minutes – Average fix time for stored XSS

(no load)

B)

16.2 minutes – Average fix time for reflected

XSS (no load)

C)

84 minutes – Average fix time for stored and

reflected (loaded)

D)

It doesn’t matter

(6)

Remediation Worst Practices

ƒ

When the security team:

ƒ Demands a development team devote time and

budget to remediation

ƒ Provides them with no direction or support

ƒ Has the development team attempt to make fixes on

their own

(7)

Remediation Worst Practices

ƒ Result: No new features

and half- or non-fixed vulnerabilities

ƒ Good luck getting your

next remediation project approved

(8)

Finding a Structure for Remediation

Projects

ƒ Desired outcome: predictable and effective remediation

projects

ƒ Predictable: know how long they will take and how much they will cost

ƒ Effective: targeted

vulnerabilities actually get fixed

ƒ A community of stakeholders

ƒ Security

ƒ Development

(9)

Remediation Projects

ƒ

Inception

ƒ

Planning

ƒ Calculate Risk

ƒ Agree on Fix and Confirmation Methods

ƒ Determine Level of Effort

ƒ Schedule

ƒ

Execution

ƒ Set up Development Environment

ƒ Fix Vulnerabilities

ƒ Confirm Fixes and Perform Functional Testing

(10)

Remediation: How To Guide

ƒ Describes methodology for software security remediation projects

ƒ Includes tips and best practices

ƒ Free online

(11)

That’s Great But…

ƒ How long will it actually take me to fix my vulnerabilities?

ƒ Software security remediation projects are software

development projects

ƒ So estimate them as such

ƒ Best practices:

ƒ Bottom-up estimation

ƒ Cluster vulnerabilities where possible

ƒ It would be nice to have some data to use as a starting

(12)

Data!

ƒ Took data from 15 remediated applications

ƒ Two types of analysis:

ƒ Vulnerability-level (4 applications)

ƒ Project-level (13 applications)

ƒ Data from Inception and Planning phases was too messy

ƒ Data from Execution phase was useable

(13)

The Good (Why This Data Might Be Useful)

ƒ

Some data is better than no data

ƒ As long as you understand potential areas of bias

ƒ Read “How to Measure Anything” by Douglas W.

Hubbard

ƒ

Had relatively large sample size for some

vulnerability types

(14)

The Bad (Some Potential Sources of Bias)

ƒ

Relatively small sample size

ƒ

Based on a single project type

ƒ Outsourced software security remediation projects

ƒ

Data required cleanup and normalization

ƒ

Vulnerability data centered around technical

vulnerabilities

(15)

Vulnerability Type Sample Count Average Fix (minutes) Dead Code (unused methods) 465 2.6 Poor logging: system output stream 83 2.9 Poor Error Handling: Empty catch block 180 6.8 Lack of Authorization check 61 6.9 Unsafe threading 301 8.5 ASP.NET non‐serializable object in session 42 9.3 XSS (stored) 1023 9.6 Null Dereference 157 10.2 Missing Null Check 46 15.7 XSS (reflected) 25 16.2 Redundant null check 21 17.1

(16)

Some Thoughts and Notes

ƒ Apparently deleting code and changing logging methods are easy

ƒ Cross-Site Scripting

ƒ Vulnerability count tracks with data from WhiteHat, Veracode, other sources

ƒ Harder to fix reflected XSS than stored XSS ƒ Lack of Authorization Check

ƒ Fix consisted of copy/pasting file include into a number of files ƒ SQL Injection

ƒ Surprisingly high

(17)

So If I Have 6 Stored XSS Vulnerabilities…

… my remediation project should take about an

hour, right?

(18)

Remediation Is Not Just About Coding Fixes

ƒ This data is from one of four steps in one of three

phases

ƒ “Fix Vulnerabilities” step in the “Execution” phase

ƒ What about Inception and Planning?

ƒ No great data available yet

ƒ What about the rest of Execution?

ƒ Set up Development Environment

ƒ Fix Vulnerabilities

ƒ Confirm Fixes and Perform Functional Testing

ƒ Deploy

(19)

Where Is Time Being Spent?

17% 37% 20% 24% 15% 9% 31% 59% 44% 15% 42% 16% 29% 24% 3% 28% 10% 20% 30% 40% 50% 60% 70% Indicates the weighted average  versus the average of individual  projects

(20)

Some Thoughts and Notes

ƒ

Setup Development Environment

ƒ Best case: existing development environment or VM

ƒ Worst case: Safari expedition to recreate environment

setup because organization no longer had this knowledge

ƒ Instructions on setting up a development environment were a deliverable

ƒ

Fix Vulnerabilities

ƒ This is what people focus on but there is wide

(21)

Some Thoughts and Notes (continued)

ƒ

Confirm Fixes / QA

ƒ Sometimes this took more time than the actual fixes

ƒ Best case: Existing set of automated functional /

regression tests

ƒ

Deploy

ƒ Best case: use an existing planned release

ƒ

Overhead

(22)

Using the Data

ƒ

I thought you said to estimate bottom-up?

ƒ Yes. Do that

ƒ Use the vulnerability data as a guide for estimation

ƒ Use the project composition data for validation

ƒ Use the lessons of the data to try and minimize

(23)

What Can I Do To Minimize Remediation Costs?

Avoid introducing vulnerabilities into your software

(24)

What Can I Do To Minimize Remediation

Costs?

ƒ Have ready access to

development environments for the developers doing the

remediation

ƒ Automated functional /

regression testing helps speed security fixes

ƒ Use planned deployments when possible

(25)

Which Vulnerabilities Get Fixed and

When?

ƒ Use your data-backed,

bottom-up WBS for risk management and planning

ƒ Serious vulnerabilities that

are easy to fix? Consider an out-of-cycle release

(26)

The Outlier

ƒ

We remediated one vulnerability not included in

the study that was more expensive to fix than all

vulnerabilities in the study

ƒ Authentication issue in a connected system

ƒ

Requirements and architecture vulnerability

ƒ Automated scanners – static or dynamic: powerless to find it

ƒ

Should have / would have been caught by even a

basic threat modeling or abuse case session

(27)

So Where Does This Leave Us

ƒ

Good:

ƒ We have a framework

ƒ We have some data

ƒ

Less good:

ƒ The data comes with a number of caveats

ƒ

Given a framework and some data you should be:

ƒ Better able to execute successful projects

ƒ Better able to estimate projects

(28)

Next Steps For Me

ƒ

Release a more in-depth report

ƒ

Include more data in the analysis

ƒ

Perform deeper analysis

ƒ Impact of size of project (hours)

ƒ Impact of number of vulnerabilities remediated

ƒ Impact of platform

ƒ And so on…

(29)

Apply

ƒ Review your existing vulnerability data

ƒ Create a “back of the envelope” plan to address open vulnerabilities

ƒ Run different scenarios: “All critical and high” “All public-facing apps” and so on

ƒ Talk to developers

ƒ How do they set up development environments?

ƒ When do they do planned releases?

ƒ Fix some vulnerabilities!

(30)

Remediation Resource Center

ƒ Resources for remediating

software security vulnerabilities

ƒ Videos

ƒ How-to Guide ƒ Blog posts

(31)

Questions?

Dan Cornell

[email protected]

Twitter:

@danielcornell

www.denimgroup.com

blog.denimgroup.com

www.denimgroup.com/remediation

(210) 572-4400

References

Download now ( PDF - 31 Page - 1.37 MB )

Related documents

Phenotyping of High Temperature Susceptibility in Garden Roses (Rosa xhybrida)

This project was initiated to address the observed decline in the sale of garden roses due to the lack of widely adapted material. Adaptation to global climate change is

The Rhizoctonia solani AG1-IB (isolate 7/3/14) transcriptome during interaction with the host plant lettuce (Lactuca sativa L.)

The results of the current study demonstrate that the necrotrophic pathogen R. solani AG1-IB shows specific gene expression patterns during the course of interaction with its host

Becker, Sascha O.; Boeckh, Katrin; Hainz, Christa; Woessmann, Ludger

To test whether the cultural values and norms originating in the Habsburg Empire still endure today, we use the micro dataset of the 2006 Life in Transition Survey (LiTS)

BUKU PENDAFTARAN PELAJAR Registration Booklet

Jika saya tidak menamati pengajian yang tersebut dengan tiada sebab-sebab yang tertentu SAYA BERSETUJU AKAN MEMBAYAR BALIK kepada MARA segala perbelanjaan

Effect Of Cryorolling On The Microstructures, Mechanical Properties And Corrosion Behaviour Of Low Carbon Steel Using Martensite Starting Microstructure

EFFECT OF CRYOROLLING ON THE MICROSTRUCTURES, MECHANICAL PROPERTIES AND CORROSION BEHAVIOUR OF LOW CARBON STEEL USING MARTENSITE STARTING

The Value of Telemedine Programs

Program Implementation and Support SCSNI Program Oversight Operations Support Telemedicine.com Equipment Installation Technical Support Site Assessment Installation and

Chatpun Khamyat Department of Industrial Engineering, Kasetsart University, Bangkok, Thailand

In this study, the mathematical model of t the oil delivery trucks routing problem which is a modify- MTSP approach for solving a multi trucks system by using a case study