Mobile, Java and Configuration are Top Bugaboos for Software Security

HP’s Cyber Risk Report 2013 found that the total number of publicly disclosed vulnerabilities decreased by 6% year over year

HP’s Cyber Risk Report 2013 found that the total number of publicly disclosed vulnerabilities decreased by 6% year over year, and the number of high-severity vulnerabilities declined for the fourth consecutive year, decreasing by 9%.

But that might not be good news: “Although unquantifiable, the decline may be an indication as to a surge in vulnerabilities that are not publicly disclosed but rather delivered to the black market for private and/or nefarious consumption,” the report postulated.

Sandbox bypass vulnerabilities caused by unsafe reflection are the most prolific issue in the Java framework, and sandbox bypass due to type confusion is the most exploited. Meanwhile, attackers are significantly escalating their exploitation of Java by simultaneously targeting multiple CVEs and using Java more often to successfully compromise victims’ computers. Increasingly, these vulnerabilities are exploited in combined attacks to compromise specific targets of interest.

HP also found that nearly 80% of applications reviewed contained vulnerabilities rooted outside their source code: many vulnerabilities seen in 2013 were related to server misconfiguration, improper file settings, sample content, outdated software versions and other items related to insecure deployment.

“Eliminating bugs and the resultant vulnerabilities from code won’t fix this – even perfectly coded software can be dangerously vulnerable when misconfigured,” HP noted in the report. “Don’t overlook this security gap. Dedicate resources to auditing software for misconfiguration as well as for more expected forms of vulnerability.”

Also, inconsistent and varying definitions of “malware” complicate risk analysis. In an examination of more than 500,000 mobile applications for Android, HP found major discrepancies between how antivirus engines and mobile platform vendors classify malware. “Limiting the number of apps available within an organization, monitoring approved apps, and thoroughly vetting EULAs are the absolute baseline for responsible defense,” it said.

Also on the mobile front, 46% of mobile applications studied use encryption improperly. HP research shows that mobile developers often fail to use encryption when storing sensitive data on mobile devices, rely on weak algorithms to do so, or misuse stronger encryption capabilities, rendering them ineffective.
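As an added illustration of the last of those failure modes, not code from the HP report or from this article: a strong cipher (AES) misused in ECB mode beside the same cipher used correctly in GCM mode, run on a desktop JVM with a constructed sample record. The class name, the in-memory key and the sample data are assumptions; a real app would keep the key in the platform key store rather than generating it in memory.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.security.SecureRandom;
import java.util.Arrays;

public class MobileCryptoMisuse {
    private static final SecureRandom RNG = new SecureRandom();

    // Misuse: AES in ECB mode encrypts each 16-byte block independently, so repeated
    // plaintext blocks repeat in the ciphertext, and nothing detects tampering.
    static byte[] encryptEcb(SecretKey key, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key);
        return c.doFinal(plaintext);
    }
    // Corrected: AES-GCM with a fresh random 96-bit nonce per record; the nonce is
    // prepended to the output and GCM's 128-bit authentication tag is appended.
    static byte[] encryptGcm(SecretKey key, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[12];
        RNG.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = Arrays.copyOf(nonce, nonce.length + ct.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }
    // Reverses encryptGcm; throws javax.crypto.AEADBadTagException if the blob was altered.
    static byte[] decryptGcm(SecretKey key, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, blob, 0, 12));
        return c.doFinal(blob, 12, blob.length - 12);
    }
    // True if any two 16-byte ciphertext blocks are identical: the ECB tell-tale.
    static boolean hasRepeatedBlocks(byte[] ct) {
        for (int i = 0; i + 16 <= ct.length; i += 16)
            for (int j = i + 16; j + 16 <= ct.length; j += 16)
                if (Arrays.equals(Arrays.copyOfRange(ct, i, i + 16), Arrays.copyOfRange(ct, j, j + 16))) return true;
        return false;
    }

    public static void main(String[] args) throws Exception {
        SecretKey key = KeyGenerator.getInstance("AES").generateKey(); // on Android, keep the key in AndroidKeyStore instead
        byte[] record = "SECRET-TOKEN-16!SECRET-TOKEN-16!".getBytes("UTF-8"); // constructed sample with a repeated field
        System.out.println("ECB repeats blocks: " + hasRepeatedBlocks(encryptEcb(key, record)));
        byte[] blob = encryptGcm(key, record);
        System.out.println("GCM repeats blocks: " + hasRepeatedBlocks(blob));
        System.out.println("GCM round trip ok:  " + Arrays.equals(decryptGcm(key, blob), record));
    }
}
```

The ECB output reveals the repeated field without any key, while the GCM output does not and also rejects any modification on decryption.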

Finally, echoing anecdotal evidence, HP found that supervisory control and data acquisition (SCADA) systems have indeed become an increasingly tempting target. These control systems manage widespread or niche automated industrial processes, such as manufacturing, power generation, mining, water treatment, and possibly general quality control and monitoring, and have historically operated over separate networks with proprietary protocols.

“Migration has begun to fold these systems into standard networks, and in some cases even via the internet to simplify asset management, billing, and operations,” HP said. “As these systems continue to migrate away from their separate isolated networks, certain security problems that were once masked by a restricted surface area for attack have begun to emerge.”

So what’s the takeaway? For one, organizations and developers alike must stay cognizant of security pitfalls in frameworks and other third-party code, particularly for hybrid mobile development platforms. HP suggested that robust security guidelines must be enacted to protect the integrity of applications and the privacy of users.

“While it is impossible to eliminate the attack surface without sacrificing functionality, a combination of the right people, processes and technology does allow organizations to effectively minimize the vulnerabilities surrounding it and dramatically reduce overall risk,” HP noted, adding that information-sharing will be crucial going forward. “Collaboration and threat intelligence sharing among the security industry helps gain insight into adversary tactics, allowing for more proactive defense, strengthened protections offered in security solutions, and an overall safer environment.”
