[Owasp-ireland] And while talking about reports... here goes the IBM X-Force Report

Fabio Cerullo fcerullo at owasp.org
Fri Mar 23 12:54:18 UTC 2012

Here you can download the full report:


Some highlights regarding the appsec industry highlighted in *red below*

According to the report, there are positive trends as it appears companies
implemented better security practices in 2011:

· *Thirty percent decline in the availability of exploit code* – When
security vulnerabilities are disclosed, exploit code is sometimes released
that attackers can download and use to break into computers. Approximately
30 percent fewer exploits were released in 2011 than were seen on average
over the past four years. This improvement can be attributed to
architectural and procedural changes made by software developers that help
make it more difficult for attackers to successfully exploit

· *Decrease in unpatched security vulnerabilities* – When security
vulnerabilities are publicly disclosed, it is important that the
responsible software vendor provide a patch or fix in a timely fashion.
Some security vulnerabilities are never patched, but the percentage of
unpatched vulnerabilities has been decreasing steadily over the past few
years. In 2011 this number was down to 36 percent from 43 percent in 2010.

· *Fifty percent reduction in cross site scripting (XSS) vulnerabilities
due to improvements in software quality* - The IBM X-Force team is seeing
significant improvement in the quality of software produced by
organizations that use tools like IBM AppScan OnDemand service to analyze,
find, and fix vulnerabilities in their code. IBM found XSS vulnerabilities
are half as likely to exist in customers' software as they were four years
ago. However, XSS vulnerabilities still appear in about 40 percent of the
applications IBM scans. This is still high for something well understood
and able to be addressed.

· *Decline in spam* – IBM’s global spam email monitoring network has seen
about half the volume of spam email in 2011 that was seen in 2010. Some of
this decline can be attributed to the take-down of several large spam
botnets, which likely hindered spammers’ ability to send emails. The IBM
X-Force team witnessed spam evolve through several generations over the
past seven years as spam filtering technology has improved and spammers
have adapted their techniques in order to successfully reach readers.

*Attackers Adapt Their Techniques in 2011*
Even with these improvements, there has been a rise in new attack trends
and an array of significant, widely reported external network and security
breaches. As malicious attackers become increasingly savvy, the IBM
X-Force documented increases in three key areas of attack activity:

· *Attacks targeting shell command injection vulnerabilities more than
double* - For years, SQL injection attacks against web applications have
been a popular vector for attackers of all types. SQL injection
vulnerabilities allow an attacker to manipulate the database behind a
website. As progress has been made to close those vulnerabilities – the
number of SQL injection vulnerabilities in publicly maintained web
applications dropped by 46 percent in 2011 – some attackers have now started
to target shell command injection vulnerabilities instead. These
vulnerabilities allow the attacker to execute commands directly on a web
server. Shell command injection attacks rose by two to three times over the
course of 2011. Web application developers should pay close attention to
this increasingly popular attack vector.
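The shell command injection pattern described in this bullet, shown as an added example that is not part of the original post or of the IBM report: a wrapper that builds a `ping` command line by string formatting (the vulnerable form, which lets shell separators in the host name start a second command) next to a hardened form that validates the host against an allowlist and passes it as one element of an argv list with no shell involved. The host-name policy, the function names and the `sys.executable` child used to prove the point are all assumptions of this example.

```python
import re
import shlex
import subprocess
import sys

# Hypothetical allowlist for what this wrapper accepts as a host name.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,62}\.)*[A-Za-z0-9-]{1,63}$")

# Tokens at which a POSIX shell ends one simple command and starts another.
SHELL_SEPARATORS = {";", "|", "||", "&", "&&"}


def vulnerable_command(host: str) -> str:
    """Vulnerable pattern: the command line is built by string formatting.
    Handed to a shell (os.system, subprocess with shell=True), any shell
    metacharacters inside `host` are interpreted, not treated as data."""
    return f"ping -c 1 {host}"


def shell_commands(cmdline: str) -> list[list[str]]:
    """Tokenise a command line the way a POSIX shell would and split it into
    the separate simple commands the shell would execute. Used here to make
    the injection visible without running anything."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok in SHELL_SEPARATORS:
            commands.append(current)
            current = []
        else:
            current.append(tok)
    commands.append(current)
    return commands


def hardened_argv(host: str) -> list[str]:
    """Hardened pattern: reject anything outside the allowlist, then build an
    argv list. subprocess.run(argv) with the default shell=False execs the
    program directly, so `host` reaches it as exactly one argument."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected host name: {host!r}")
    return ["ping", "-c", "1", host]


def echo_argument(value: str) -> str:
    """Demonstrate that an argv list passes `value` through untouched: the
    child receives it as a single argv element with no shell parsing. The
    Python interpreter is used as the child so the demo is portable."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", value],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout.rstrip("\n")


if __name__ == "__main__":
    tainted = "example.com; id"  # constructed input containing a shell separator
    print("vulnerable line :", vulnerable_command(tainted))
    print("shell would run :", shell_commands(vulnerable_command(tainted)))
    try:
        hardened_argv(tainted)
    except ValueError as exc:
        print("hardened reject :", exc)
    print("hardened argv   :", hardened_argv("example.com"))
    print("as one argument :", echo_argument(tainted))
```

The two defences are independent and worth using together: the allowlist stops unexpected input at the boundary, and the argv list removes the shell from the call path so that even a value that slips past validation is never parsed for metacharacters.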

· *Spike in automated password guessing* – Poor passwords and password
policies have played a role in a number of high-profile breaches during
2011. There is also a lot of automated attack activity on the Internet in
which attackers scan the net for systems with weak login passwords. IBM
observed a large spike in this sort of password guessing activity directed
at secure shell servers (SSH) in the latter half of 2011.
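A detection for the automated SSH password guessing this bullet describes, added here as an example that is not part of the original post or of the IBM report. It parses OpenSSH "Failed password" lines in syslog format and raises an alert for a source address that accumulates a threshold of failures inside a sliding time window, reporting the distinct usernames tried so a dictionary sweep can be told apart from one user mistyping a password. The log lines, the addresses, the threshold and the window are all constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of sshd lines in syslog format (not from the report).
SAMPLE_AUTH_LOG = """\
Mar 23 12:00:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Mar 23 12:00:03 web1 sshd[2203]: Failed password for invalid user oracle from 203.0.113.7 port 50130 ssh2
Mar 23 12:00:04 web1 sshd[2205]: Failed password for root from 203.0.113.7 port 50141 ssh2
Mar 23 12:00:06 web1 sshd[2207]: Failed password for invalid user test from 203.0.113.7 port 50150 ssh2
Mar 23 12:00:09 web1 sshd[2209]: Failed password for root from 203.0.113.7 port 50161 ssh2
Mar 23 12:00:30 web1 sshd[2211]: Failed password for alice from 198.51.100.20 port 40100 ssh2
Mar 23 12:00:45 web1 sshd[2213]: Accepted publickey for alice from 198.51.100.20 port 40101 ssh2
Mar 23 12:01:10 web1 sshd[2215]: Failed password for invalid user admin from 203.0.113.7 port 50170 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(text: str, year: int = 2012) -> list[tuple]:
    """Return (timestamp, source_ip, username) for every failed password
    line. Syslog omits the year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def detect_bruteforce(events, threshold: int = 5, window_seconds: int = 60) -> dict:
    """Sliding window per source IP: keep the failures seen in the last
    `window_seconds`; when that count reaches `threshold`, record one alert
    for the IP with the window's span and the usernames attempted."""
    recent = defaultdict(deque)  # ip -> deque of (timestamp, user)
    alerts = {}
    for ts, ip, user in sorted(events):
        q = recent[ip]
        q.append((ts, user))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()  # expire failures that fell out of the window
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = {
                "first_seen": q[0][0],
                "last_seen": ts,
                "failures": len(q),
                "users": sorted({u for _, u in q}),
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_failures(SAMPLE_AUTH_LOG)).items():
        print(f"{ip}: {info['failures']} failures between {info['first_seen']:%H:%M:%S} "
              f"and {info['last_seen']:%H:%M:%S}, users tried: {', '.join(info['users'])}")
```

On the sample, 203.0.113.7 trips the alert at its fifth failure in nine seconds, while the single failure from 198.51.100.20 followed by a successful key login stays quiet. The same per-source window is what tools such as fail2ban apply before blocking, and the list of usernames is the field worth carrying into a ticket, since a sweep of default accounts like root, admin and oracle is a different incident from one person locked out of their own account.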

· *Increase in phishing attacks* that impersonate social networking sites
and mail parcel services – The volume of email attributed to phishing was
relatively small over the course of 2010 and the first half of 2011, but
phishing came back with a vengeance in the second half, reaching volumes
that haven’t been seen since 2008. Many of these emails impersonate popular
social networking sites and mail parcel services, and entice victims to
click on links to web pages that may try to infect their PCs with malware.
Some of this activity can also be attributed to advertising click fraud,
where spammers use misleading emails to drive traffic to retail websites.

*Emerging Technologies Create New Avenues for Attacks*
New technologies such as mobile and cloud computing continue to create
challenges for enterprise security.

· *Publicly released mobile exploits rise 19 percent in 2011* – This year’s
IBM X-Force report focused on a number of emerging trends and best
practices to manage the growing trend of “Bring your Own Device,” or BYOD,
in the enterprise. IBM X-Force reported a 19 percent increase over the
prior year in the number of exploits publicly released that can be used to
target mobile devices. There are many mobile devices in consumers' hands
that have unpatched vulnerabilities to publicly released exploits, creating
an opportunity for attackers. IT managers should be prepared to address
this growing risk.

· *Attacks increasingly relate to social media* - With the widespread
adoption of social media platforms and social technologies, this area has
become a target of attacker activity. IBM X-Force observed a surge in
phishing emails impersonating social media sites. More sophisticated
attackers have also taken notice. The amount of information people are
offering in social networks about their personal and professional lives has
begun to play a role in pre-attack intelligence gathering for the
infiltration of public and private sector computing networks.

· *Cloud computing presents new challenges* - Cloud computing is moving
rapidly from emerging to mainstream technology, and rapid growth is
anticipated through the end of 2013. In 2011, there were many high profile
cloud breaches affecting well-known organizations and large populations of
their customers. IT security staff should carefully consider which
workloads are sent to third-party cloud providers and what should be kept
in-house due to the sensitivity of data. Cloud security requires foresight
on the part of the customer as well as flexibility and skills on the part
of the cloud provider. The IBM X-Force report notes that the most effective
means for managing security in the cloud may be through Service Level
Agreements (SLAs) because of the limited impact that an organization can
realistically exercise over the cloud computing service. Therefore, careful
consideration should be given to ownership, access management, governance
and termination when crafting SLAs. The IBM X-Force report encourages cloud
customers to take a lifecycle view of the cloud deployment and fully
consider the impact to their overall information security posture.