
The State of Appsec 2012

Application: a computer program with an interface, enabling people to use the computer as a tool to accomplish a specific task.

Appsec: application security, the use of software, hardware, and procedural methods to protect applications from external threats.

The Big Picture

There have been 738,839,688 estimated records breached since 2006. That's equivalent to the population of North, Central and most of South America (total population of North, Central and South America: 942 million).

Number of websites: 109 million in 2007, 644 million in 2012.
Number of internet users: 1.15 billion in 2007, 2.27 billion in 2012, against a world population of 7.08 billion.
[Chart: number of websites in millions, number of internet users vs. population in billions, and number of devices connected to the internet in billions, 2007 to 2012; annotations: "shortage of IPv4 addresses" and "the amount of devices connected to the internet surpasses the number of people on earth" (12.5 billion).]

Web applications jumped from 1.9% to 52% in 3 years as a percentage of published vulnerabilities.
[Chart: number of published incidents per year, 2007 to 2012.]

Methods of Attack

Breakdown of attacks from 2006 to present, as reported in the Web Hacking Incident Database:

- SQL injection: 34.1%
- Cross-site scripting: 26%
- Other: 17%
- Denial of service: 11.8%
- Brute force: 7.4%
- Cross-site request forgery: 3.7%

XSS (Cross-Site Scripting)

Cross-site scripting is the process of adding malicious code to a website that can execute in a user's browser. Potential outcomes of XSS: account hijacking, cookie theft, false advertising or other modifications.

Odds are you have a vulnerability: XSS vulnerabilities were found in 71% of vendor supplied web application builds in 2012. The following companies had XSS vulnerabilities found in their software: Windows Live, Google, IBM, Skype, NASA, WordPress.

SQL Injection

SQL injection is when a coding flaw is exploited to embed malicious code, producing a query that attackers may otherwise be unable to create. Attackers can access, read, modify or delete sensitive data stored in a database. [Percentage not legible in the transcription] of vendor supplied web application builds contain SQLi vulnerabilities.

SQLi vulnerabilities are found everywhere. One hacker published a list of SQLi vulnerabilities found in the following schools across the country: University of Nebraska-Lincoln, Nebraska Methodist, University of Wisconsin-Madison, University of Washington, Purdue University, Ohio State University, University of California, Berkeley, University of Hartford, Dowling College, Northern Arizona, Yeshiva University, Washington and Lee University, University of California, Los Angeles, University of North Carolina at Chapel Hill, University of Houston, Texas Christian University.

3 of the Biggest SQLi Attacks in 2012

#ProjectWhiteFox (December 2012): hackers gained access to 31 targets, including NASA, the FBI, Interpol, the Pentagon and numerous other educational and government organizations. Records affected/accessed: 1.6 million. Names, email addresses, home addresses and passwords were accessed, and the SQL injection vulnerable links were posted.
"#ProjectWhiteFox will conclude this year's series of attacks by promoting hacktivism worldwide and drawing attention to the freedom of information on the net." - Team GhostShell

LinkedIn (June 2012): Russian hacker "dwdm" accessed and leaked millions of passwords. Records affected/accessed: 6.5 million. Hashed passwords were accessed.
"On a grading of A through F, experts say, LinkedIn, eHarmony and Lastfm.com would get, at best, a 'D' for security." - New York Times

Gamigo, Hamburg, Germany (July 2012): hacker "8in4ry_Munch3r" accessed user account credentials. Records affected: 11 million; records accessed: 8.2 million, consisting of e-mail addresses, usernames, and encrypted passwords.
"It's the largest leak I've ever actually seen." - Steve Thomas, Internet Security Expert, PwnedList

Download Veracode's State of Software Security report, "Enterprise Testing of the Software Supply Chain": https://info.veracode.com/vast-soss.html

Presented by Veracode. Developed by NowSourcing.

shared by NowSourcing on Dec 19
Technology is constantly advancing; so much in fact, that it's becoming increasingly hard for security measures to keep up.

Publisher

Veracode

Category

Technology