SlideShare ist ein Scribd-Unternehmen logo

Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?

Denim Group
Denim Group

For the security industry to mature more data needs to be available about the true cost of security vulnerabilities. Data and statistics are starting to be released, but most of this currently focuses on the prevalence of different types of vulnerabilities and incidents rather than the costs of addressing the underlying issues. This session presents statistics from the remediation of 15 web-based applications in order to provide insight into the actual cost of remediating application-level vulnerabilities. The presentation begins by setting out a structured model for software security remediation projects so that time spent on tasks can be consistently tracked. It lays out possible sources of bias in the underlying data to allow for better-informed consumption of the final analysis. Also it discusses different approaches to remediating vulnerabilities such as fixing easy vulnerabilities first versus fixing serious vulnerabilities first. Next, historical data from the fifteen remediation projects is presented. This data consists of the average cost to remediate specific classes of vulnerabilities – cross-site scripting, SQL injection and so on – as well as the overall project composition to demonstrate the percentage of time spent on actual fixes as well as the percentages of time spent on other supporting activities such as environment setup, testing and verification and deployment. The data on the remediation of specific vulnerabilities allows for a comparison of the relative difficulty of remediating different vulnerability types. The data on the overall project composition can be used to determine the relative “efficiency” of different projects. Finally, analysis of the data is used to create a model for estimating remediation projects so that organizations can create realistic estimates in order to make informed remediate/do not remediate decisions. In addition, characteristics of the analyzed projects are mapped to project composition to demonstrate best practices that can be used to decrease the cost of future remediation efforts.

Technologie
1 von 31
Downloaden Sie, um offline zu lesen
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost? Dan Cornell Denim Group, Ltd. Session ID: ASEC-302 Session Classification: Intermediate
Agenda  An Innocent Question  Finding a Structure for Remediation Projects  Methodology  Remediation Data  Analysis and Recommendations  Questions 2
Fixing a Cross-Site Scripting (XSS) Vulnerability How long does it take? A) 9.6 minutes B) 16.2 minutes C) 84 minutes D) It doesn’t matter E) All of the above 3
Fixing a Cross-Site Scripting (XSS) Vulnerability How long does it take? A) 9.6 minutes – Average fix time for stored XSS (no load) B) 16.2 minutes – Average fix time for reflected XSS (no load) C) 84 minutes – Average fix time for stored and reflected (loaded) D) It doesn’t matter E) All of the above 4
Fixing a Cross-Site Scripting (XSS) Vulnerability How long does it take? A) 9.6 minutes – Average fix time for stored XSS (no load) B) 16.2 minutes – Average fix time for reflected XSS (no load) C) 84 minutes – Average fix time for stored and reflected (loaded) D) It doesn’t matter E) All of the above 5
Remediation Worst Practices  When the security team:  Demands a development team devote time and budget to remediation  Provides them with no direction or support  Has the development team attempt to make fixes on their own  Complains when things don’t work out 6
Remediation Worst Practices  Result: No new features and half- or non-fixed vulnerabilities  Good luck getting your next remediation project approved 7
Finding a Structure for Remediation Projects  Desired outcome: predictable and effective remediation projects  Predictable: know how long they will take and how much they will cost  Effective: targeted vulnerabilities actually get fixed  A community of stakeholders  Security  Development  IT Audit / Compliance 8
Remediation Projects  Inception  Planning  Calculate Risk  Agree on Fix and Confirmation Methods  Determine Level of Effort  Schedule  Execution  Set up Development Environment  Fix Vulnerabilities  Confirm Fixes and Perform Functional Testing  Deploy 9
Remediation: How To Guide  Describes methodology for software security remediation projects  Includes tips and best practices  Free online denimgroup.com/howtoguide_download_register.html 10
That’s Great But…  How long will it actually take me to fix my vulnerabilities?  Software security remediation projects are software development projects  So estimate them as such  Best practices:  Bottom-up estimation  Cluster vulnerabilities where possible  It would be nice to have some data to use as a starting point… 11
Data!  Took data from 15 remediated applications  Two types of analysis:  Vulnerability-level (4 applications)  Project-level (13 applications)  Data from Inception and Planning phases was too messy  Data from Execution phase was useable 12
The Good (Why This Data Might Be Useful)  Some data is better than no data  As long as you understand potential areas of bias  Read “How to Measure Anything” by Douglas W. Hubbard  Had relatively large sample size for some vulnerability types 13
The Bad (Some Potential Sources of Bias)  Relatively small sample size  Based on a single project type  Outsourced software security remediation projects  Data required cleanup and normalization  Vulnerability data centered around technical vulnerabilities  Most identified by automated static analysis 14
Vulnerability-Specific Data (20+ Sample Count) Vulnerability Type Sample Count Average Fix (minutes) Dead Code (unused methods) 465 2.6 Poor logging: system output stream 83 2.9 Poor Error Handling: Empty catch block 180 6.8 Lack of Authorization check 61 6.9 Unsafe threading 301 8.5 ASP.NET non-serializable object in session 42 9.3 XSS (stored) 1023 9.6 Null Dereference 157 10.2 Missing Null Check 46 15.7 XSS (reflected) 25 16.2 Redundant null check 21 17.1 SQL injection 30 97.5 15
Some Thoughts and Notes  Apparently deleting code and changing logging methods are easy  Cross-Site Scripting  Vulnerability count tracks with data from WhiteHat, Veracode, other sources  Harder to fix reflected XSS than stored XSS  Lack of Authorization Check  Fix consisted of copy/pasting file include into a number of files  SQL Injection  Surprisingly high  Reason: fixes were for more complicated SQL injection vulnerabilities 16
So If I Have 6 Stored XSS Vulnerabilities… … my remediation project should take about an hour, right? But wait! 17
Remediation Is Not Just About Coding Fixes  This data is from one of four steps in one of three phases  “Fix Vulnerabilities” step in the “Execution” phase  What about Inception and Planning?  No great data available yet  What about the rest of Execution?  Set up Development Environment  Fix Vulnerabilities  Confirm Fixes and Perform Functional Testing  Deploy  Overhead 18
Where Is Time Being Spent? 70% Indicates the weighted average versus the average of individual 60% 59% projects 50% 44% 42% 40% 37% 30% 31% 28% 29% 24% 24% 20% 17% 20% 15% 15% 16% 10% 9% 3% 2% 0% 0% 0% Setup Development Fix Vulnerabilities Confirm Fixes / QA 0% Deploy Overhead Environment 19
Some Thoughts and Notes  Setup Development Environment  Best case: existing development environment or VM  Worst case: Safari expedition to recreate environment setup because organization no longer had this knowledge  Instructions on setting up a development environment were a deliverable  Fix Vulnerabilities  This is what people focus on but there is wide variation 20
Some Thoughts and Notes (continued)  Confirm Fixes / QA  Sometimes this took more time than the actual fixes  Best case: Existing set of automated functional / regression tests  Deploy  Best case: use an existing planned release  Overhead  Surprisingly high in some cases 21
Using the Data  I thought you said to estimate bottom-up?  Yes. Do that  Use the vulnerability data as a guide for estimation  Use the project composition data for validation  Use the lessons of the data to try and minimize required investment 22
What Can I Do To Minimize Remediation Costs? Avoid introducing vulnerabilities into your software (you are all welcome for this piece of sage advice) 23
What Can I Do To Minimize Remediation Costs?  Have ready access to development environments for the developers doing the remediation  Automated functional / regression testing helps speed security fixes  Use planned deployments when possible 24
Which Vulnerabilities Get Fixed and When?  Use your data-backed, bottom-up WBS for risk management and planning  Serious vulnerabilities that are easy to fix? Consider an out-of-cycle release  Otherwise leverage planned releases 25
The Outlier  We remediated one vulnerability not included in the study that was more expensive to fix than all vulnerabilities in the study  Authentication issue in a connected system  Requirements and architecture vulnerability  Automated scanners – static or dynamic: powerless to find it  Should have / would have been caught by even a basic threat modeling or abuse case session 26
So Where Does This Leave Us  Good:  We have a framework  We have some data  Less good:  The data comes with a number of caveats  Given a framework and some data you should be:  Better able to execute successful projects  Better able to estimate projects  Better able to minimize project costs 27
Next Steps For Me  Release a more in-depth report  Include more data in the analysis  Perform deeper analysis  Impact of size of project (hours)  Impact of number of vulnerabilities remediated  Impact of platform  And so on…  Include data on logical vulnerabilities 28
Apply  Review your existing vulnerability data  Create a “back of the envelope” plan to address open vulnerabilities  Run different scenarios: “All critical and high” “All public-facing apps” and so on  Talk to developers  How do they set up development environments?  When do they do planned releases?  Fix some vulnerabilities!  Application-level vulnerabilities persist for a long time 29
Remediation Resource Center  Resources for remediating software security vulnerabilities  Videos  How-to Guide  Blog posts denimgroup.com/remediation 30
Questions? Dan Cornell dan@denimgroup.com Twitter: @danielcornell www.denimgroup.com blog.denimgroup.com www.denimgroup.com/remediation (210) 572-4400 31

Empfohlen

RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
Denim Group
 
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Denim Group
 
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
Denim Group
 
How-To-Guide for Software Security Vulnerability Remediation
How-To-Guide for Software Security Vulnerability RemediationHow-To-Guide for Software Security Vulnerability Remediation
How-To-Guide for Software Security Vulnerability Remediation
Denim Group
 
Blending Automated and Manual Testing
Blending Automated and Manual TestingBlending Automated and Manual Testing
Blending Automated and Manual Testing
Denim Group
 
Real Cost of Software Remediation
Real Cost of Software RemediationReal Cost of Software Remediation
Real Cost of Software Remediation
Denim Group
 
Using ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application VulnerabilitiesUsing ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application Vulnerabilities
Denim Group
 
Security Training: Necessary Evil, Waste of Time, or Genius Move?
Security Training: Necessary Evil, Waste of Time, or Genius Move?Security Training: Necessary Evil, Waste of Time, or Genius Move?
Security Training: Necessary Evil, Waste of Time, or Genius Move?
Denim Group
 

Empfohlen

RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
Denim Group
 
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Denim Group
 
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
Denim Group
 
How-To-Guide for Software Security Vulnerability Remediation
How-To-Guide for Software Security Vulnerability RemediationHow-To-Guide for Software Security Vulnerability Remediation
How-To-Guide for Software Security Vulnerability Remediation
Denim Group
 
Blending Automated and Manual Testing
Blending Automated and Manual TestingBlending Automated and Manual Testing
Blending Automated and Manual Testing
Denim Group
 
Real Cost of Software Remediation
Real Cost of Software RemediationReal Cost of Software Remediation
Real Cost of Software Remediation
Denim Group
 
Using ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application VulnerabilitiesUsing ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application Vulnerabilities
Denim Group
 
Security Training: Necessary Evil, Waste of Time, or Genius Move?
Security Training: Necessary Evil, Waste of Time, or Genius Move?Security Training: Necessary Evil, Waste of Time, or Genius Move?
Security Training: Necessary Evil, Waste of Time, or Genius Move?
Denim Group
 
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on DataAppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
Denim Group
 
Mobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic ViewMobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic View
Denim Group
 
Building Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSABuilding Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSA
Denim Group
 
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Denim Group
 
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Denim Group
 
Benchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationBenchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR Organization
Denim Group
 
Application Assessment Techniques
Application Assessment TechniquesApplication Assessment Techniques
Application Assessment Techniques
Denim Group
 
Web Application Remediation - OWASP San Antonio March 2007
Web Application Remediation - OWASP San Antonio March 2007Web Application Remediation - OWASP San Antonio March 2007
Web Application Remediation - OWASP San Antonio March 2007
Denim Group
 
Mobile Application Assessment - Don't Cheat Yourself
Mobile Application Assessment - Don't Cheat YourselfMobile Application Assessment - Don't Cheat Yourself
Mobile Application Assessment - Don't Cheat Yourself
Denim Group
 
Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3
Denim Group
 
Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)
Denim Group
 
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
Denim Group
 
Running a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsRunning a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source Tools
Denim Group
 
The ThreadFix Ecosystem: Vendors, Volunteers, and Versions
The ThreadFix Ecosystem: Vendors, Volunteers, and VersionsThe ThreadFix Ecosystem: Vendors, Volunteers, and Versions
The ThreadFix Ecosystem: Vendors, Volunteers, and Versions
Denim Group
 
Structuring and Scaling an Application Security Program
Structuring and Scaling an Application Security ProgramStructuring and Scaling an Application Security Program
Structuring and Scaling an Application Security Program
Denim Group
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix Ecosystem
Denim Group
 
ThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan CornellThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan Cornell
Denim Group
 
Monitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps PipelinesMonitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps Pipelines
Denim Group
 
ThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security ProgramThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security Program
Denim Group
 
SecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsSecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security Pros
Denim Group
 
Dan Cornell - The Real Cost of Software Remediation
Dan Cornell - The Real Cost of Software RemediationDan Cornell - The Real Cost of Software Remediation
Dan Cornell - The Real Cost of Software Remediation
Source Conference
 
Sw Software Metrics
Sw Software MetricsSw Software Metrics
Sw Software Metrics
jonathan077070
 

Weitere ähnliche Inhalte

Was ist angesagt?

AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on DataAppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
Denim Group
 
Building Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSABuilding Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSA
Denim Group
 
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Denim Group
 
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Denim Group
 
Benchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationBenchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR Organization
Denim Group
 
Mobile Application Assessment - Don't Cheat Yourself
Mobile Application Assessment - Don't Cheat YourselfMobile Application Assessment - Don't Cheat Yourself
Mobile Application Assessment - Don't Cheat Yourself
Denim Group
 
Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)
Denim Group
 
Running a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsRunning a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source Tools
Denim Group
 
Structuring and Scaling an Application Security Program
Structuring and Scaling an Application Security ProgramStructuring and Scaling an Application Security Program
Structuring and Scaling an Application Security Program
Denim Group
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix Ecosystem
Denim Group
 
ThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan CornellThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan Cornell
Denim Group
 
Monitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps PipelinesMonitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps Pipelines
Denim Group
 
SecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsSecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security Pros
Denim Group
 

Was ist angesagt? (20)

AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on DataAppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
 
Mobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic ViewMobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic View
 
Building Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSABuilding Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSA
 
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
 
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
 
Benchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationBenchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR Organization
 
Application Assessment Techniques
Application Assessment TechniquesApplication Assessment Techniques
Application Assessment Techniques
 
Web Application Remediation - OWASP San Antonio March 2007
Web Application Remediation - OWASP San Antonio March 2007Web Application Remediation - OWASP San Antonio March 2007
Web Application Remediation - OWASP San Antonio March 2007
 
Mobile Application Assessment - Don't Cheat Yourself
Mobile Application Assessment - Don't Cheat YourselfMobile Application Assessment - Don't Cheat Yourself
Mobile Application Assessment - Don't Cheat Yourself
 
Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3
 
Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)
 
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
 
Running a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsRunning a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source Tools
 
The ThreadFix Ecosystem: Vendors, Volunteers, and Versions
The ThreadFix Ecosystem: Vendors, Volunteers, and VersionsThe ThreadFix Ecosystem: Vendors, Volunteers, and Versions
The ThreadFix Ecosystem: Vendors, Volunteers, and Versions
 
Structuring and Scaling an Application Security Program
Structuring and Scaling an Application Security ProgramStructuring and Scaling an Application Security Program
Structuring and Scaling an Application Security Program
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix Ecosystem
 
ThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan CornellThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan Cornell
 
Monitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps PipelinesMonitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps Pipelines
 
ThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security ProgramThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security Program
 
SecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsSecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security Pros
 

Ähnlich wie Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?

Dan Cornell - The Real Cost of Software Remediation
Dan Cornell - The Real Cost of Software RemediationDan Cornell - The Real Cost of Software Remediation
Dan Cornell - The Real Cost of Software Remediation
Source Conference
 
Dependability Benchmarking by Injecting Software Bugs
Dependability Benchmarking by Injecting Software BugsDependability Benchmarking by Injecting Software Bugs
Dependability Benchmarking by Injecting Software Bugs
Roberto Natella
 
Better Software East 2016: Evolving Automated to Continuous
Better Software East 2016: Evolving Automated to ContinuousBetter Software East 2016: Evolving Automated to Continuous
Better Software East 2016: Evolving Automated to Continuous
Parasoft
 
Icse 2011 ds_1
Icse 2011 ds_1Icse 2011 ds_1
Icse 2011 ds_1
SAIL_QU
 
Continuous Delivery (Internet-Briefing 2012-04-03)
Continuous Delivery (Internet-Briefing 2012-04-03)Continuous Delivery (Internet-Briefing 2012-04-03)
Continuous Delivery (Internet-Briefing 2012-04-03)
Netcetera
 
Avoiding Software Insanity
Avoiding Software InsanityAvoiding Software Insanity
Avoiding Software Insanity
josephnaveen
 
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Jeff Williams
 
Shifting Left…AND Right to Ensure Full Application Security Coverage
Shifting Left…AND Right to Ensure Full Application Security CoverageShifting Left…AND Right to Ensure Full Application Security Coverage
Shifting Left…AND Right to Ensure Full Application Security Coverage
DevOps.com
 
DETERMINING THE RISKY SOFTWARE PROJECTS USING ARTIFICIAL NEURAL NETWORKS
DETERMINING THE RISKY SOFTWARE PROJECTS USING ARTIFICIAL NEURAL NETWORKSDETERMINING THE RISKY SOFTWARE PROJECTS USING ARTIFICIAL NEURAL NETWORKS
DETERMINING THE RISKY SOFTWARE PROJECTS USING ARTIFICIAL NEURAL NETWORKS
ijseajournal
 
Chapter 10 Testing and Quality Assurance1Unders.docx
Chapter 10 Testing and Quality Assurance1Unders.docxChapter 10 Testing and Quality Assurance1Unders.docx
Chapter 10 Testing and Quality Assurance1Unders.docx
keturahhazelhurst
 
Vulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCVulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDC
Denim Group
 

Ähnlich wie Remediation Statistics: What Does Fixing Application Vulnerabilities Cost? (20)

Dan Cornell - The Real Cost of Software Remediation
Dan Cornell - The Real Cost of Software RemediationDan Cornell - The Real Cost of Software Remediation
Dan Cornell - The Real Cost of Software Remediation
 
Sw Software Metrics
Sw Software MetricsSw Software Metrics
Sw Software Metrics
 
Managing Software Risk with CAST
Managing Software Risk with CASTManaging Software Risk with CAST
Managing Software Risk with CAST
 
Dependability Benchmarking by Injecting Software Bugs
Dependability Benchmarking by Injecting Software BugsDependability Benchmarking by Injecting Software Bugs
Dependability Benchmarking by Injecting Software Bugs
 
Better Software East 2016: Evolving Automated to Continuous
Better Software East 2016: Evolving Automated to ContinuousBetter Software East 2016: Evolving Automated to Continuous
Better Software East 2016: Evolving Automated to Continuous
 
Test-Driven Development (TDD)
Test-Driven Development (TDD)Test-Driven Development (TDD)
Test-Driven Development (TDD)
 
Parasoft .TEST, Write better C# Code Using Data Flow Analysis
Parasoft .TEST, Write better C# Code Using Data Flow Analysis Parasoft .TEST, Write better C# Code Using Data Flow Analysis
Parasoft .TEST, Write better C# Code Using Data Flow Analysis
 
SAST, fight against potential vulnerabilities
SAST, fight against potential vulnerabilitiesSAST, fight against potential vulnerabilities
SAST, fight against potential vulnerabilities
 
Icse 2011 ds_1
Icse 2011 ds_1Icse 2011 ds_1
Icse 2011 ds_1
 
Continuous Delivery (Internet-Briefing 2012-04-03)
Continuous Delivery (Internet-Briefing 2012-04-03)Continuous Delivery (Internet-Briefing 2012-04-03)
Continuous Delivery (Internet-Briefing 2012-04-03)
 
Cross-project defect prediction
Cross-project defect predictionCross-project defect prediction
Cross-project defect prediction
 
Avoiding Software Insanity
Avoiding Software InsanityAvoiding Software Insanity
Avoiding Software Insanity
 
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
 
Continuous integration at CartoDB March '16
Continuous integration at CartoDB March '16Continuous integration at CartoDB March '16
Continuous integration at CartoDB March '16
 
Shifting Left…AND Right to Ensure Full Application Security Coverage
Shifting Left…AND Right to Ensure Full Application Security CoverageShifting Left…AND Right to Ensure Full Application Security Coverage
Shifting Left…AND Right to Ensure Full Application Security Coverage
 
DETERMINING THE RISKY SOFTWARE PROJECTS USING ARTIFICIAL NEURAL NETWORKS
DETERMINING THE RISKY SOFTWARE PROJECTS USING ARTIFICIAL NEURAL NETWORKSDETERMINING THE RISKY SOFTWARE PROJECTS USING ARTIFICIAL NEURAL NETWORKS
DETERMINING THE RISKY SOFTWARE PROJECTS USING ARTIFICIAL NEURAL NETWORKS
 
Chapter 10 Testing and Quality Assurance1Unders.docx
Chapter 10 Testing and Quality Assurance1Unders.docxChapter 10 Testing and Quality Assurance1Unders.docx
Chapter 10 Testing and Quality Assurance1Unders.docx
 
The limits of unit testing by Craig Stuntz
The limits of unit testing by Craig StuntzThe limits of unit testing by Craig Stuntz
The limits of unit testing by Craig Stuntz
 
The Limits of Unit Testing by Craig Stuntz
The Limits of Unit Testing by Craig StuntzThe Limits of Unit Testing by Craig Stuntz
The Limits of Unit Testing by Craig Stuntz
 
Vulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCVulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDC
 

Mehr von Denim Group

Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Denim Group
 
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20
Denim Group
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
Denim Group
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportUsing Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team Sport
Denim Group
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationSecurity Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Denim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
Denim Group
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT Systems
Denim Group
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Denim Group
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
Denim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
Denim Group
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
Denim Group
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
Denim Group
 

Mehr von Denim Group (20)

Long-term Impact of Log4J
Long-term Impact of Log4JLong-term Impact of Log4J
Long-term Impact of Log4J
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
 
Application Asset Management with ThreadFix
Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFix
 
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportUsing Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team Sport
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationSecurity Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your Organization
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT Systems
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFix
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
 

Kürzlich hochgeladen

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 

Kürzlich hochgeladen (20)

Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 

Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?

  • 1. Remediation Statistics: What Does Fixing Application Vulnerabilities Cost? Dan Cornell Denim Group, Ltd. Session ID: ASEC-302 Session Classification: Intermediate
  • 2. Agenda  An Innocent Question  Finding a Structure for Remediation Projects  Methodology  Remediation Data  Analysis and Recommendations  Questions 2
  • 3. Fixing a Cross-Site Scripting (XSS) Vulnerability How long does it take? A) 9.6 minutes B) 16.2 minutes C) 84 minutes D) It doesn’t matter E) All of the above 3
  • 4. Fixing a Cross-Site Scripting (XSS) Vulnerability How long does it take? A) 9.6 minutes – Average fix time for stored XSS (no load) B) 16.2 minutes – Average fix time for reflected XSS (no load) C) 84 minutes – Average fix time for stored and reflected (loaded) D) It doesn’t matter E) All of the above 4
  • 5. Fixing a Cross-Site Scripting (XSS) Vulnerability How long does it take? A) 9.6 minutes – Average fix time for stored XSS (no load) B) 16.2 minutes – Average fix time for reflected XSS (no load) C) 84 minutes – Average fix time for stored and reflected (loaded) D) It doesn’t matter E) All of the above 5
  • 6. Remediation Worst Practices  When the security team:  Demands a development team devote time and budget to remediation  Provides them with no direction or support  Has the development team attempt to make fixes on their own  Complains when things don’t work out 6
  • 7. Remediation Worst Practices  Result: No new features and half- or non-fixed vulnerabilities  Good luck getting your next remediation project approved 7
  • 8. Finding a Structure for Remediation Projects  Desired outcome: predictable and effective remediation projects  Predictable: know how long they will take and how much they will cost  Effective: targeted vulnerabilities actually get fixed  A community of stakeholders  Security  Development  IT Audit / Compliance 8
  • 9. Remediation Projects  Inception  Planning  Calculate Risk  Agree on Fix and Confirmation Methods  Determine Level of Effort  Schedule  Execution  Set up Development Environment  Fix Vulnerabilities  Confirm Fixes and Perform Functional Testing  Deploy 9
  • 10. Remediation: How To Guide  Describes methodology for software security remediation projects  Includes tips and best practices  Free online denimgroup.com/howtoguide_download_register.html 10
  • 11. That’s Great But…  How long will it actually take me to fix my vulnerabilities?  Software security remediation projects are software development projects  So estimate them as such  Best practices:  Bottom-up estimation  Cluster vulnerabilities where possible  It would be nice to have some data to use as a starting point… 11
  • 12. Data!  Took data from 15 remediated applications  Two types of analysis:  Vulnerability-level (4 applications)  Project-level (13 applications)  Data from Inception and Planning phases was too messy  Data from Execution phase was useable 12
  • 13. The Good (Why This Data Might Be Useful)  Some data is better than no data  As long as you understand potential areas of bias  Read “How to Measure Anything” by Douglas W. Hubbard  Had relatively large sample size for some vulnerability types 13
  • 14. The Bad (Some Potential Sources of Bias)  Relatively small sample size  Based on a single project type  Outsourced software security remediation projects  Data required cleanup and normalization  Vulnerability data centered around technical vulnerabilities  Most identified by automated static analysis 14
  • 15. Vulnerability-Specific Data (20+ Sample Count) Vulnerability Type Sample Count Average Fix (minutes) Dead Code (unused methods) 465 2.6 Poor logging: system output stream 83 2.9 Poor Error Handling: Empty catch block 180 6.8 Lack of Authorization check 61 6.9 Unsafe threading 301 8.5 ASP.NET non-serializable object in session 42 9.3 XSS (stored) 1023 9.6 Null Dereference 157 10.2 Missing Null Check 46 15.7 XSS (reflected) 25 16.2 Redundant null check 21 17.1 SQL injection 30 97.5 15
  • 16. Some Thoughts and Notes  Apparently deleting code and changing logging methods are easy  Cross-Site Scripting  Vulnerability count tracks with data from WhiteHat, Veracode, other sources  Harder to fix reflected XSS than stored XSS  Lack of Authorization Check  Fix consisted of copy/pasting file include into a number of files  SQL Injection  Surprisingly high  Reason: fixes were for more complicated SQL injection vulnerabilities 16
  • 17. So If I Have 6 Stored XSS Vulnerabilities… … my remediation project should take about an hour, right? But wait! 17
  • 18. Remediation Is Not Just About Coding Fixes  This data is from one of four steps in one of three phases  “Fix Vulnerabilities” step in the “Execution” phase  What about Inception and Planning?  No great data available yet  What about the rest of Execution?  Set up Development Environment  Fix Vulnerabilities  Confirm Fixes and Perform Functional Testing  Deploy  Overhead 18
  • 19. Where Is Time Being Spent? 70% Indicates the weighted average versus the average of individual 60% 59% projects 50% 44% 42% 40% 37% 30% 31% 28% 29% 24% 24% 20% 17% 20% 15% 15% 16% 10% 9% 3% 2% 0% 0% 0% Setup Development Fix Vulnerabilities Confirm Fixes / QA 0% Deploy Overhead Environment 19
  • 20. Some Thoughts and Notes  Setup Development Environment  Best case: existing development environment or VM  Worst case: Safari expedition to recreate environment setup because organization no longer had this knowledge  Instructions on setting up a development environment were a deliverable  Fix Vulnerabilities  This is what people focus on but there is wide variation 20
  • 21. Some Thoughts and Notes (continued)  Confirm Fixes / QA  Sometimes this took more time than the actual fixes  Best case: Existing set of automated functional / regression tests  Deploy  Best case: use an existing planned release  Overhead  Surprisingly high in some cases 21
  • 22. Using the Data  I thought you said to estimate bottom-up?  Yes. Do that  Use the vulnerability data as a guide for estimation  Use the project composition data for validation  Use the lessons of the data to try and minimize required investment 22
  • 23. What Can I Do To Minimize Remediation Costs? Avoid introducing vulnerabilities into your software (you are all welcome for this piece of sage advice) 23
  • 24. What Can I Do To Minimize Remediation Costs?  Have ready access to development environments for the developers doing the remediation  Automated functional / regression testing helps speed security fixes  Use planned deployments when possible 24
  • 25. Which Vulnerabilities Get Fixed and When?  Use your data-backed, bottom-up WBS for risk management and planning  Serious vulnerabilities that are easy to fix? Consider an out-of-cycle release  Otherwise leverage planned releases 25
  • 26. The Outlier  We remediated one vulnerability not included in the study that was more expensive to fix than all vulnerabilities in the study  Authentication issue in a connected system  Requirements and architecture vulnerability  Automated scanners – static or dynamic: powerless to find it  Should have / would have been caught by even a basic threat modeling or abuse case session 26
  • 27. So Where Does This Leave Us  Good:  We have a framework  We have some data  Less good:  The data comes with a number of caveats  Given a framework and some data you should be:  Better able to execute successful projects  Better able to estimate projects  Better able to minimize project costs 27
  • 28. Next Steps For Me  Release a more in-depth report  Include more data in the analysis  Perform deeper analysis  Impact of size of project (hours)  Impact of number of vulnerabilities remediated  Impact of platform  And so on…  Include data on logical vulnerabilities 28
  • 29. Apply  Review your existing vulnerability data  Create a “back of the envelope” plan to address open vulnerabilities  Run different scenarios: “All critical and high” “All public-facing apps” and so on  Talk to developers  How do they set up development environments?  When do they do planned releases?  Fix some vulnerabilities!  Application-level vulnerabilities persist for a long time 29
  • 30. Remediation Resource Center  Resources for remediating software security vulnerabilities  Videos  How-to Guide  Blog posts denimgroup.com/remediation 30