Application Vulnerability: Trend Analysis and Correlation of Coding Patterns Across Industries

8/12/2019 Application Vulnerability: Trend Analysis and Correlation of Coding Patterns Across Industries

http://slidepdf.com/reader/full/application-vulnerability-trend-analysis-and-correlation-of-coding-patterns 1/10

Application Vulnerability: Trend Analysisand Correlation of Coding Patterns

Across IndustriesUsing our latest assessment, security architects and developers candetermine which industries — as well as areas of source code andapplications — are most vulnerable to attack, and mitigate the impact.

Executive SummaryAttacks on Web applications threaten nearlyevery organization with an online presence.Based on our experience, these unwelcomeassaults cost companies millions of dollars and

can cause serious damage in terms of brandintegrity and customer turnover. Our EnterpriseRisk and Security Solutions (ERSS) assessmentteam recently evaluated the state of Web appli-cation vulnerability using automated vulnerabilityscanners and manual tests to analyze the state ofsecurity across nine industries.

This white paper presents results identiedduring 2012 and 2013. It focuses on the generalapplication functionalities and the correspond-ing parameters that were developed, but failed,to secure code across verticals. The paper also

details suitable recommendations for mitigatingsecurity vulnerabilities that arise within thesescenarios.

Vulnerability AnalysisThe security posture of each vertical analyzedduring our 2013 assessment can be bestunderstood by examining the concentration ofvulnerability across these industries (see Figure 1,

page 2). Vulnerabilities pertain to severity levels— high, medium and low. Applications withinthe insurance vertical comprise the highestpercentage in total vulnerabilities across theverticals. These applications also contain thehighest number of security coding aws or staticapplication vulnerabilities. Banking and FinancialServices (BFS) and Information, Media and Enter-tainment (IME) applications have nearly thesame vulnerability levels, with IME applicationsbeing the most susceptible — showing the highestnumber of dynamic application vulnerabilitiescompared with other verticals.

Vulnerability Trends in 2012 and 2013The security posture of Web-based applications iscontinuously changing, primarily due to the riseof new hacking methods, the spreading awareness

among developers and regulatory compliance, forexample. 1 Figure 2 compares application vulner-ability distribution across various verticals, basedon the ndings of SAST and DAST assessmentsconducted in 2012 and 2013. The number of appli-cations tested is also shown.

In 2012, nearly 76% of the vulnerabilities weidentied were found in healthcare applications,

• Cognizant 20-20 Insights

cognizant 20-20 insights | april 2014



2

14% were discovered in insurance industry appli-cations, and about 3% were identied in BFS

applications. Fewer vulnerabilities were seen inretail, IME and other domains such as travel andhospitality and consumer goods. In 2013, nearly37% of the vulnerabilities were detected ininsurance industry applications, 27% were foundin BFS, 26% in IME and 8% in retail.

The following sections describe our industry-based vulnerability analysis. The study usedautomated vulnerability scanners and manualtests, and employed SAST- and DAST-specicinterpretation of industry trends to zero in on theexact application threats and their causes.

Static Application Security TestingIn static application security testing (SAST), theapplication code is examined for aws that canlead to security threats. SAST uses tool-basedscanning, as well as manual reviews. Tool-basedscanning involves tests generated by pre-denedsecurity rules. Manual review entails validatingthe tool output and identifying additional securityaws using manual expertise.

Automated Tool for Vulnerability Detection

Tools for automated security testing produceresults with false-positives (identied as applica-tion vulnerabilities by the tool, but not actually

cognizant 20-20 insights

0

1000

2000

3000

4000

5000

0 2000 4000 000 000 10000 2000 4000 6000 8000

A

T V u

l n e r a

b i l i t y

o u n

t

SAST Vulnerability Count

BFSInsuranceIMEOthers

Vulnerability Concentration Across Verticals

Figure 1

20,772

12,293

10,204

16,947

618

11,774

1400 3831

55,493

2612519

7370

10,000

20,000

30,000

40,000

50,000

60,000

0

50

100

150

200

BFS Insurance IME Retail OthersHealthcare

V u

l n e r a

b i l i t y C o u n

tA

p p l i c

a t i o n

C o u n

t

2012 Vulnerablility Count


2012 Application Count


Vulnerability Concentration Across Verticals

Figure 2



cognizant 20-20 insights 3

vulnerabilities) and false negatives (existing vul-nerabilities that were missed by the tool).

Manual analysis techniques are employed toeliminate false-positives and identify false-neg-atives. Figure 3 above illustrates the summaryof the number of coding aws identied by theautomated security code scanning tools, false-positives identied by manual analysis and theactual vulnerabilities reported to the client’spoint of contact for the applications of different

verticals. The major verticals assessed here wereBFS, Insurance and IME. Other verticals, includingretail, healthcare, T&H and mobility, were groupedinto one category.

For this analysis, we employed a number ofcommercial scanners, open source tools andfreeware. As shown by the data, automatedsecurity scanners have huge false-positive rates.For example, in the insurance and IME verticals,more than 90% of reported issues are false-posi-tives. In general, applications in IME verticals relymore on Web 2.0 components, Flash and Action

scripts, which can increase their complexity.Automated tools are very limited when it comes tounderstanding the business logic and functionalow of the applications, due to the high false-positive counts found in this vertical. This makesthe intervention of manual security expertiseessential — not only for removing false-positives,but also for uncovering vulnerabilities in theapplication that automated tools fail to capture.

Vulnerability Trends in VerticalsStatistical information about the vulnerabili-ties pertaining to SAST with respect to differentverticals and vulnerability categories is depictedin Figure 4 (next page). Security standards suchas OWASP 2, WASC3 and CWE 4/SANS 5 were used toclassify these vulnerabilities.

The various categories of secure coding awsfor different verticals are listed in Figure 5 (nextpage). The most prevalent of these falls under the“Best Practices Violation” category, due to thelack of awareness among developers concerningadherence to secure coding standards. Commonpoor coding practices include null pointer deref-erence, missing checks against null, using weakXML schema, data in hidden elds and failureto remove debug code, comments and othersensitive leftover code. “Information Leakage,Error Handling and Input Validation” aws arealso rampant due to improper handling of applica-tion input and output, which form the major entrypoints for application attacks. Of the total issuesidentied, insurance industry applications werefound to contain the highest number of securitycoding aws. In fact, 91% of coding aws werefound in “Best Practices Violation,” followed by5% in “Input Validation” and 3% in “InformationLeakage and Error Handling” categories.

Dynamic Application Security TestingDynamic application security testing (DAST)or “black-box” testing evaluates applications

15

10791

181176

225

1811 15 7 4

0

20

40

60

80

100

120

140

160

180

200

BFS Insurance IME Others

V u

l n e r a

b i l i t y C

o u n

t

Vulnerabilities

detected by tool.False positives identiedby manual analysis.Vulnerabilities reportedto the client.

Vertical vulnerabilitycounts are represented asmultiples of 100.

Automatic SAST Tool for Vulnerability Detection

Figure 3




during their execution at runtime. This is usefulin determining the risks the application facesin a production environment. Our ERSS teamemploys automated scanning tools and manualtesting techniques to dynamically test an appli-cation. The following sections of this white paperelucidate DAST vulnerability detection usingautomated tools and industry-based DAST vulner-ability trends.

Automated Tool Vulnerability Detection

Dynamic testing is performed using industry-standard automated scanners. The performanceof each scanner typically depends on the security

rule sets dened for these tools. Cognizant’s ERSSgroup performs intensive manual testing, whichhelps assure comprehensive coverage. Some ofthe manual tests include detecting business logicbypass issues and session-related problems, suchas session hijacking, session xation and sessionreplay, as well as authentication issues likeinsufcient logout mechanism, improper cachemanagement, and security miscongurationissues such as SSL renegotiation, click jackingand other such vulnerabilities. Figure 6 (nextpage) summarizes the number of applicationvulnerabilities identied by various automateddynamic security testing tools (commercial, open

V u

l n e r a

b i l i t y C o u n

t

0 1 2 3 4 5

Verticals

BFS

Insurance

IME

Others

11225

15410

7262

4019

0

2000

4000

6000

800010000

12000

14000

16000

18000

SAST Vulnerability Distribution

Figure 4

BFS

Insurance

IME

Others

02000400060008000

10000120001400016000

V u

l n e r a

b i l i t y C o u n

t

Vulnerability Category

InputValidation

SourceCodeDesign

InformationLeakageand Error-Handling

DirectObject

Reference

ResourceUsage

APIUsage

BestPracticesViolation

WeakSession

UsingHTTP GET

Query

Others

Vulnerability Count Based on SAST

Figure 5



source and freeware), false-positives identied bymanual analysis, and the actual vulnerabilities ofdifferent verticals reported to the client.

Vertical Vulnerabilities

The number of dynamic application vulnerabilitiesis showcased across verticals (see Figure 7). Mostvulnerabilities were found in the IME vertical,with the highest count being in the “InsecureDirect Object Reference” category, followed by“Injection.” Next in line was the insurance vertical,with the highest count in “Security Miscongura-tion,” followed by “Insufcient Transport LayerProtection.”

As Figure 8 (next page) shows, the most dominantvulnerability was in the “Insecure Direct Object

Reference” category. When a developer exposesa reference to an internal object to the user, thistype of vulnerability occurs. A large number ofvulnerabilities were also found in “Injection” and“Cross-Site Scripting,” denoting that developersstill show their trust in user input by failing toperform sufcient input validation and outputencoding, and using secure defaults. “SecurityMisconguration” and “Insufcient TransportLayer Protection” were also very prevalent. Thiscould result from testing environments that donot mirror the actual production environment,have weak server congurations, or have no orpoor SSL congurations. Robust congurationsare essential for maintaining high security for alive site compared with a test site.

5cognizant 20-20 insights


V u

l n e r a

b i l i t y

C o u n

t

19 30

598

2711 16

554

2211 15 458

0

100

200

300

400

500

600

700

Vulnerabilitiesdetected by tool.

False positives identiedby manual analysis.Vulnerabilities reportedto the client.

Vertical vulnerability counts are represented asmultiples of 100.

Automatic DAST Tool Vulnerability Detection

Figure 6

V u

l n e r a

b i l i t y C o u n

t

27 2245

8

1068

1537

4482

810

0 1 2 3 4 5

0

1000

2000

3000

4000

5000

Verticals

BFS

Insurance

IME

Others

DAST Vulnerability Distribution

Figure 7




The overall vulnerability count in the DAST andSAST ndings was highest in IME applications. Thetotal count is comparable to those of insuranceand BFS. In fact, nearly 60% of the applicationstested belong to BFS, but only about 25% ofthe total vulnerabilities reported are present inthose applications. Furthermore, these applica-tions have fewer critical vulnerabilities related toissues such as injection. Hence, it can be inferredfrom the statistics that BFS applications arerelatively more secure. This can be attributed tothe fact that the banking and nance sector dealswith highly sensitive data, for which security isparamount. While condentiality and integrityof nancial data are critical, the third parameterof the security triad — availability — is equallyessential for this growing industry. Securityawareness is progressively increasing within thedeveloper community in BFS because of theserequirements, thereby leading developers toemphasize application security. And becauseBFS applications are also subject to compliancemandates, security requirements are taken care

of during development. This helps to keep theseapplications even more secure.

Security Trends in ApplicationDevelopmentSecurity threats in an application can be drilleddown to the particular functionality that isaffected by the security aw and the parameterthat provides an entry point to the attack vector.

Typical application functionality could beanything from a login/logout function to apayment function. It can further be zeroed downon the query parameters, form parameters,cookies and page parameters that are createdby the developers to accomplish the respectivefunctionality. Figure 9 (next page) shows the dis-tribution of vulnerable parameters and functionsacross verticals.

The most commonly affected parameters are theconguration parameters, which impact the con-guration function and make the application sus-ceptible to security misconguration issues. Thisis due to failure to employ platform-specic securecongurations. Developers should also focus onadd/modify/submit functions, which are largelyvulnerable; submit parameters, for instance, areoften targeted by attackers. As a result, applica-tions become prone to cross-site request forgery,clickjacking and malicious content uploads.

These parameters can be safeguarded duringdevelopment by setting secure attributes andperforming safety checks to ensure that the dataor le that is submitted conforms to the acceptedtype, range and business logic. Other parametersthat require attention include URL/links, proleparameters and IDs such as user IDs, sessionIDs and viewstate parameters. Failure to securethese can result in unsafe redirects and forwards,phishing, session hijacking and user imperson-ation.

BFS

Insurance

IME

Others

V u

l n e r a

b i l i t y C o u n

t

Vulnerability Category

0

500

1000

1500

2000

2500

Injection Cross-SiteScripting

(XSS)

BrokenAuthentication

InsecureDirect ObjectReferences

Cross-SiteRequestForgery

SecurityMisconguration

InsecureCryptographic

Storage

Failureto Restrict

URL Access

InsufficientTransport

Layer

UnvalidatedRedirects

and Forwards

OtherSecurityIssues

Vulnerability Count Based on DAST Category

Figure 8




It is the responsibility of the developer to ensurethat URL redirects are examined for authorization.Developers should also ensure that ID parametersare generated based on stringent industry-stan-dard protocols, and that session IDs are correctlyinvalidated — not resused — and regenerated atfrequent intervals. These session tokens andother sensitive data must be protected duringtransit by using proper SSL conguration, andalso in cookies in order to prevent cookie theft.Payment parameters are often targeted too, asthey can be exploited to execute payment fraudsand cybercrimes. Therefore, the duty lies withdevelopers to ascertain that these parametersare handled in a highly secure manner. The focus

areas for the developer community should be toincorporate strong validation for input and outputparameters, follow secure congurations, set safeattributes for the parameters in general, andpreserve the condentiality of the sensitive datacarried by the parameters.

Looking AheadThis white paper has presented statistics onapplication vulnerability trends across severalverticals with respect to dynamic and staticapplication security testing. The following recom-mendations will help developers improve securityacross numerous parameters:

0

200

400

600

800

1000

1200

Viewstate User Name Submit Session ID Search Profile Product Password Link ID Dropdown Date Credit Card &Bank Account

Cookie Configuration Cache Control

OthersIMEInsuranceBFS

0

200

400

600

800

1000

1200

OthersIMEInsuranceBFS

User Roles/PrivilegeEscalation

Search Redirect

Payment

Password

Logout

Login File Upload/Download

Configuration

Add/Modify/Submit

Vulnerable Parameters and Functions

Figure 9

Parameters Type BFS Insurance IME Others

Cache Control 5 0 0 2

Con guration 103 227 787 6

Cookie 34 0 0 10Credit Card &Bank Account 0 8 0 0

Date 2 0 0 7

Dropdown 28 0 0 1

ID 218 22 7 50

Link 204 9 16 33

Password 2 16 6 6

Product 25 0 2 9

Pro le 158 0 0 43

Search 29 8 0 3

Session ID 0 14 0 6

Submit 275 11 31 16

User Name 0 3 0 2

Viewstate 30 1 0 0

Functionality Type BFS Insurance IME Others

Add/Modify/Submit

736 18 27 122

Con guration 147 239 787 18

File Upload/Download

13 1 23 17

Login 0 39 8 9

Logout 0 0 0 3

Password 0 0 0 2

Payment 170 12 2 5

Redirect 0 0 0 4Search 0 8 0 14

User Roles/PrivilegeEscalation

47 2 2 0




• Ascertain the validity of input supplied by theuser with respect to the data type, range, sizeand business logic allowed.

• Ensure that session management is robust byusing industry-standard session-managementand handling mechanisms.

• Protect sensitive data such as IDs, session

tokens, user personal data, payment informa-tion and the like in transmission and storage.

• Employ secure congurations for all applica-tion components.

The developer community in general shouldclosely adhere to security standards andimplement secure practices throughout thesoftware development lifecycle to create highlysecure applications.

Analysis MethodologyFigure 10 describes the applications that were

studied using dynamic (DAST) and static appli-cation security testing (SAST) methodologies.It illustrates a statistical representation of thevarious applications for which security testingwas conducted based on their type, the verticalsto which they belong and the technology used.

SAST was performed on 214 applications andDAST on 105 applications. Of the total applica-

tions tested, 79% were Web applications, 5% weremobile applications and 16% were other types ofapplications such as IVR, mainframe, native appli-cations, Web services and CS, for example.

Approximately 60% of Web application assess-ments were carried out in the BFS vertical,followed by 14% in IME and 10% in the insurance

vertical. Mobile application security assess-ments were performed for the insurance, retail,healthcare, travel and hospitality, IME and manu-facturing/logistics verticals.

SAST was carried out on applications that werebuilt using technologies such as Java, Android,.Net, COBOL, Objective C and PHP. Nearly 63%of the applications were developed in Java,Java-based frameworks and Android. .Netprojects made up 13% of the applications andCOBOL comprised 21%.

SAST was performed on the codebase of Web,native and mobile applications and Web services,for example. Cognizant, as well as third party-developed code, was taken into account for thisanalysis. SAST for code developed over severalframeworks — including mobile/Web frameworkssuch as Titanium Appecelerator and e-commerceframeworks such as ATG — were also considered.

Application Count Based on Application Type Application Count Based on Verticals

SAST Application Count Based on Technology SAST/ DAST Application Count

0

30

60

90

Java .Net .COBOL O bjective C PHP

120

150

252

Web Mobile Others


5116

187

55

43

34

SAST Application Count DAST Application Count

214

105135

2946

1 3

Application Distribution by Type, Vertical and Technology

Figure 10




Application code within the BFS domain consti-tutes the largest portion of applications undersecurity testing — nearly 72%. The applicationpool comprises 13% of IME applications and

6% insurance, with the remaining being retail,healthcare, travel and hospitality, consumergoods, and manufacturing and logistics applica-tions.

AcknowledgmentsThe author would like to recognize the contribu-tions of the following Cognizant associates to thiswhite paper:

Vimalaasree Anandhan, Security ArchitectMahalakshmi Ravi, Security AnalystKavitha Karunakaran, Security SpecialistSandhana Joldrine Xavier, Security AnalystSaravanan Sankaran, Security SpecialistA, Rajakumari, Security AnalystK, Ratnadeepika, Security Analyst

The author would also like to thank the followingexperts and analysts in application securityassessment:

A AjanthaAnjum AfrinArul SumithraBalasunder RakeshBalu ChitraCeline George

TK ChendhilkumarDurga Surya Kumar SimmaU GopinathS GowripriyaJothi Prakash, Grace CatherineK SubhashiniDeivendran KarthigaMurugan VigneshMuthuramalingam Jose Arokia MaryMuthuveeran SubashNarayanan Droupathy SubhashK Padma PrasoonaJayaprakash PavithraRadhakrishnan AgashnarayaniRamdass KarthikeyanKaruppiah NagamarimuthuKuruvilla MathewM Balaji SwaminathanMantraratnam SwetaMarreddi Venkatesh

Footnotes1 Regulatory Compliance: Regulations a company must follow to meet specic requirements.2 OWASP: Open Web Applications Security Project. A worldwide, not-for-prot charitable organization

focused on improving the security of software.3 SANS: The SANS Institute was established in 1989 as a cooperative research and education organization.4 WASC: The Web Application Security Consortium (WASC) is a 501c3 nonprot comprising an international

group of experts, industry practitioners and organizational representatives who produce open source andwidely agreed upon best-practice security standards for the World Wide Web.

5 CWE: Common Weakness Enumeration provides a unied, measurable set of software weaknesses that isenabling more effective discussion, description, selection and use of software security tools and servicesthat can nd these weaknesses in source code and operational systems, and better understand andmanage software weaknesses related to architecture and design.

GlossaryBFS: Banking and Financial Services

CWE: Common Weakness EnumerationDAST: Dynamic Application Security TestingERSS: Enterprise Risk and Security SolutionsHIPAA: Health Insurance Portability and Account-ability Act

IME: Information, Media and EntertainmentPractice

OWASP: Open Web Application Security ProjectPCI: Payment Card IndustrySANS: SysAdmin, Audit, Networking, and SecuritySAST: Static Application Security TestingT&H: Travel and HospitalityWASC: Web Application Security Consortium



About CognizantCognizant (NASDAQ: CTSH) is a leading provider of information technology, consulting, and business process out-sourcing services, dedicated to helping the world’s leading companies build stronger businesses. Headquartered inTeaneck, New Jersey (U.S.), Cognizant combines a passion for client satisfaction, technology innovation, deep industry

and business process expertise, and a global, collaborative workforce that embodies the future of work. With over 50delivery centers worldwide and approximately 171,400 employees as of December 31, 2013, Cognizant is a member ofthe NASDAQ-100, the S&P 500, the Forbes Global 2000, and the Fortune 500 and is ranked among the top performingand fastest growing companies in the world. Visit us online at www.cognizant.com or follow us on Twitter: Cognizant.

About Cognizant Enterprise Risk and Security SolutionsThe Cognizant Enterprise Risk and Security Solutions (ERSS) group specializes in providing end-to-end information-security solutions for various industry verticals, including retail, banking and nancial services, logistics, telecom,healthcare, manufacturing and travel and hospitality – having serviced over 400 customers across various geogra-phies. Our team of experts provides information-security solutions and services based on best-of-breed products ineach category of enterprise security. Our services encompass:

• 600-plus security consultants specializing in Identify and Access Management (IAM), Governance, Risk andCompliance (GRC), Data Security, Application Security Assessment (Secure SDLC) and Integrated ThreatManagement.

• 300+ CISA, CISM, CISSP, CEH and vendor-certied associates.

• 250+ Infrastructure Security trained associates.

• Over 7000 combined years of information-security experience.

• A proven track record and experience in 400-plus client engagements for security services.

• Partnership with leading vendors such as IBM, CA, Oracle, SailPoint, Novell, Dell, RSA, HP, Symantec and McAfee.

World Headquarters500 Frank W. Burr Blvd.Teaneck, NJ 07666 USAPhone: +1 201 801 0233Fax: +1 201 801 0243Toll Free: +1 888 937 3277Email: [email protected]

European Headquarters1 Kingdom StreetPaddington CentralLondon W2 6BDPhone: +44 (0) 20 7297 7600Fax: +44 (0) 20 7121 0102Email: [email protected]

India Operations Headquarters#5/535, Old Mahabalipuram RoadOkkiyam Pettai, ThoraipakkamChennai, 600 096 IndiaPhone: +91 (0) 44 4209 6000Fax: +91 (0) 44 4209 6060Email: [email protected]

© Copyright 2014, Cognizant. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, transmitted in any form or by anymeans, electronic, mechanical, photocopying, recording, or otherwise, without the express written permission from Cognizant. The information contained herein is

subject to change without notice. All other trademarks mentioned herein are the property of their respective owners.

About the AuthorDr. Sivakumar Kathiresan, M.E., PhD., is a Principal Architect, Technology, within Cognizant’s EnterpriseRisk and Security Solutions group. In this role, he leads the Application Security Assessment team, andhas managed 120-plus security assessment projects across different verticals over the last three years.Sivakumar has 20 years of experience, including in industry, research and academia, and has deliveredmore than 100 knowledge-sharing sessions on various elds of enterprise security at different forums.His current areas of interest are advanced log analysis, vulnerability management, advanced persistentthreats and management, and security analytics. Sivakumar received his PhD from the Indian Institute

of Technology, Roorkee. He continues to research the area of Web security. His certicates include CEH,Sourcere, Qualysguard, Envision, LanDesk and Big Data Associate. He can be reached at [email protected] .

K RegaS NishaSambasivam SuganiyaSelvaraj NithyaS SivapradhaSrinivasan AmithSundaram Kalicharan

Sundaramurthy Subhashini

Thomas, LijoV Satheesh KumarVaradarajan PradeepVedeshwar RaghavendraGK YashwanthHaja Mohideen T Mohaideen Natchiya SharmeelaJain Dinesh

Jemmi Angelin

http://www.cognizant.com/

mailto:Sivakumar.Kathiresan%40cognizant.com?subject=




http://www.cognizant.com/

Application Vulnerability: Trend Analysis and Correlation of Coding Patterns Across Industries

Documents

Transcript of Application Vulnerability: Trend Analysis and Correlation of Coding Patterns Across Industries