




2024 Software Vulnerability Snapshot
Insights into Critical Vulnerabilities from over 200,000 Application Security Scans by Black Duck
Table of contents
Executive Summary 1
About Black Duck 1
Key Findings 1
Potential Business Impact Suggested by the Data 3
Recommendations 4
Industry Sectors Represented in This Report 5
Fundamentals of Dynamic Application Security Testing 6
Key Characteristics of DAST 6
DAST in the Modern Security Landscape 6
DAST and Other Testing Methodologies 6
DAST in Preproduction and Production 7
Vulnerability Landscape Analysis 8
Top 10 Vulnerability Classes Identified 8
Critical-Risk and Urgent Vulnerabilities 10
OWASP Top 10 Category Analysis 11
Industry-Specific Vulnerability Trends 12
The Interplay of DAST, SAST, and SCA 15
Comparative Strengths in Detecting Specific Vulnerabilities 15
Synergies Between Testing Methodologies 16
Conclusion 17
Executive Summary
This report analyzes data from over 200,000 dynamic application security testing (DAST) scans conducted by Black Duck on approximately 1,300 applications across 19 industry sectors from June 2023 to June 2024.
The findings provide insights into the current state of security for web-based applications and systems, and the potential impact of security vulnerabilities on business operations in high-risk sectors such as Finance, Insurance, and Healthcare.
The report also examines how DAST offers a crucial complement to other security testing methods, such as static application security testing (SAST) and software composition analysis (SCA), and provides a unique perspective on application security by mimicking real-world attack scenarios.
About Black Duck
Formerly the Synopsys Software Integrity Group, Black Duck offers the most comprehensive, powerful, and trusted portfolio of AppSec solutions in the industry. We have an unmatched track record of helping organizations secure their software quickly, integrate security efficiently in their development environments, and safely innovate with new technologies.
Key Findings
The Vulnerability Landscape
A total of 96,917 vulnerabilities were identified in scans conducted in 2023–24. These are the top critical-risk vulnerabilities identified.
Injection Vulnerabilities
This is a type of security vulnerability that allows an attacker to insert malicious code or commands into an application, tricking it into executing unintended actions or accessing data without proper authorization. The analysis found 4,814 Injection vulnerabilities, with a high prevalence of 59% per client. This category had the second-highest number of critical vulnerabilities (2,491), indicating its potential for causing severe security breaches.
Injection vulnerabilities often occur when user input is not properly validated or sanitized before being used in database queries, operating system commands, or web page content. Common Injection attacks include SQL Injection, Command Injection, and Cross-Site Scripting (XSS), with successful attacks leading to data theft, unauthorized data manipulation, or even full system compromise.
To prevent Injection vulnerabilities, organizations need to implement proper input validation, use parameterized queries, and follow secure coding practices. While both SAST and DAST can detect Injection vulnerabilities, DAST is particularly effective at identifying complex, runtime-dependent issues. Regular security testing, especially using DAST, can help identify and address these vulnerabilities.
Cryptographic Failures (Sensitive Data Exposure)
These are weaknesses in how an application secures sensitive information. This category includes issues like not encrypting important data when it's being sent over the internet, using outdated or weak encryption methods, and failing to properly protect passwords or other secret information. These failures can lead to data breaches, where attackers can steal or tamper with sensitive information such as personal details, financial data, or login credentials.
This category of weakness was found to be widespread in our DAST analysis, affecting 86% of clients and accounting for 30,726 vulnerabilities, including 4,882 critical-risk instances. This makes it one of the most common and serious security issues across industries. To address these vulnerabilities, organizations need to implement strong encryption practices, use up-to-date security protocols, and ensure that sensitive data is properly protected both when it's being transmitted and when it's stored.
Industry-Specific Insights
High-risk sectors included Finance and Insurance (1,299 critical vulnerabilities), Healthcare and Social Assistance (992 critical vulnerabilities), and Information Services (446 critical vulnerabilities). The Finance and Insurance industry (FSI) had the highest number of critical vulnerabilities across all site complexities, with 565 critical vulnerabilities identified for small FSI sites, 580 for medium sites, and 154 for large sites. The next-highest industry was Healthcare and Social Assistance, with 367, 486, and 139 critical vulnerabilities for small, medium, and large sites respectively.
The data indicates that small and medium-sized sites tend to have more critical vulnerabilities than larger sites, particularly in the FSI sector.
Time-to-Close Analysis
The data shows significant variations across industries when it came to vulnerability time-to-close. For critical vulnerabilities, the Utilities industry had the longest time-to-close across all sites. The extended time-to-close for small (107 days) and medium (876 days) sites versus large sites (1 day) in the Utilities sector may be due to limited cybersecurity resources and budget constraints. Utilities often operate with legacy systems that are difficult to patch and update. Large sites might have dedicated security teams and more robust processes, allowing them to address vulnerabilities more quickly.
The next-longest time-to-close was in the Educational Services sector, with closure times of 342 days for small sites, 111 days for medium sites, and 1 day for large sites. Small educational institutions often face budget limitations and may lack dedicated cybersecurity personnel, leading to longer times to address vulnerabilities. Large educational institutions such as major universities, however, are likely to have better-funded IT departments and more resources to quickly mitigate critical vulnerabilities.
Conversely, Finance and Insurance closed critical vulnerabilities for small sites in just 28 days, medium sites in 53 days, and large sites in 78 days. This sector is heavily regulated and deals with highly sensitive data, necessitating a rapid response to vulnerabilities. These organizations typically have substantial cybersecurity budgets and dedicated teams to ensure compliance with regulations like the Payment Card Industry Data Security Standard (PCI DSS) and to protect financial data.
Organizations in the Healthcare and Social Assistance sector took an average of 87 days to close critical vulnerabilities for small sites, 30 days for medium sites, and 20 days for large sites. The Healthcare sector is also highly regulated (e.g., the Health Insurance Portability and Accountability Act [HIPAA]) and handles sensitive patient data, which drives the need for prompt vulnerability remediation. Larger Healthcare organizations often have more resources and dedicated security teams, enabling faster closure times.
The variations in time-to-close metrics across different sectors highlight the impact of resource allocation and the challenges legacy systems can pose for security initiatives. Sectors with significant regulatory pressures and sensitive data tend to act swiftly to mitigate vulnerabilities, reflecting their proactive stance. On the other hand, sectors with limited resources and budget constraints face longer exposure times, underscoring the need for tailored cybersecurity strategies and increased investment in under-resourced industries.
Black Duck analysts use a proprietary metric to rank the relative "site complexity" of applications assessed by Black Duck® Continuous Dynamic scanning. This metric is based on the number and sophistication of interactions performed during the scanning process. Applications with less complexity may have minimal interactivity and a simple crawl tree—that is, an application with a straightforward structure of URLs. Higher-complexity applications may have many interactive elements and dynamically generated content.
This metric allows our specialists to customize scan behaviors, adjusting the depth and aggression of scans based on the complexity of the application. The complexity metric can also be weighted across industries for comparison and baselining.
Potential Business Impact Suggested by the Data
These are some of the risks of these vulnerabilities.
Data Breaches: Sensitive Data Exposure and Injection vulnerabilities pose significant threats to sensitive data across all industries, potentially leading to data leaks, fines, financial losses, and reputational damage. Sensitive data at risk includes personally identifiable information such as Social Security numbers, banking information, login credentials, credit card numbers, medical records, and trade secrets.
Regulatory Noncompliance: High-risk sectors face increased exposure to noncompliance with data protection regulations, risking severe penalties. For example, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) applies to critical infrastructure sectors (including FSI, Healthcare, and Waste Management among others) and requires covered entities to report covered cyber incidents and ransomware payments to CISA. PCI DSS applies to all organizations that handle credit card information and mandates security standards for protecting cardholder data. HIPAA requires protection of patient health information and mandates reporting of data breaches. For organizations handling the data of EU citizens, the General Data Protection Regulation (GDPR) requires strict data protection measures and breach reporting.
Operational Disruptions: Widespread security misconfigurations and Denial-of-Service vulnerabilities across industry sectors threaten business continuity and service availability. Operational disruptions caused by vulnerabilities and misconfigurations can have significant consequences across sectors. In the Healthcare sector, for example, some of the potential critical disruptions include
• Disruption of Life-Saving Equipment: A cyberattack that targets a hospital's network could lead to the shutdown of critical medical devices such as ventilators, infusion pumps, and heart monitors. Patients relying on these devices for life support could face immediate life-threatening situations. For example, if ventilators are turned off, patients who cannot breathe independently may suffer severe health consequences or even death.
• Compromise of Electronic Health Records: A ransomware attack that encrypts patient records would make them inaccessible to healthcare providers. The inability to access patient histories, medication records, and treatment plans could lead to delays in care, incorrect treatments, and medication errors. This can severely impact patient outcomes, particularly in emergency situations where timely access to accurate information is critical.
• Medication Errors Due to Pharmacy System Interruptions: An exploited vulnerability in a pharmacy system could cause the system to go offline. Interruptions in the pharmacy system can lead to delays in dispensing medications, incorrect dosages, or missed treatments. This can be particularly dangerous for patients with critical conditions requiring precise medication management.
Extended Vulnerability Exposure: Long closure times in sectors like Utilities and Educational Services increase the risk of exploitation and potential business impact. For example, a vulnerability in the power grid control system that remains unpatched could lead to prolonged power outages affecting millions of households and businesses. In extreme cases, it could result in cascading failures across interconnected power systems, potentially causing blackouts across entire regions. A vulnerability in a water treatment plant's control system going unaddressed could potentially alter chemical treatment processes, leading to water contamination. This could result in widespread illness, the need for extensive system flushing, and a loss of public trust in water safety.
In the Educational Services sector, an unaddressed vulnerability in a student information system could lead to the exposure of sensitive student data, including personal information, academic records, and financial details. Such a breach could result in identity theft, academic fraud, and violation of privacy laws like FERPA, leading to legal consequences and loss of trust in the institution.
Recommendations
Based on the findings from the over 200,000 scans conducted by Black Duck, organizations should prioritize addressing Sensitive Data Exposure (called Cryptographic Failures in the OWASP 2021 taxonomy) and Injection vulnerabilities, including SQL Injection and Cross-Site Scripting, especially in high-risk sectors.
Organizations in all sectors should focus on reducing time-to-close for critical vulnerabilities, particularly in sectors that permit long remediation times. Security misconfigurations across all industries should be addressed to minimize potential information disclosure and reputational damage.
Overall, development and security teams should implement a multifaceted security approach integrating DAST, SAST, and SCA to achieve the most comprehensive coverage throughout the software development lifecycle. The findings indicate that if such a full-spectrum approach to application security testing were applied, potential exposure to critical vulnerabilities would be markedly reduced.
Industry Sectors Represented in This Report
• Construction
• Mining/Quarrying, Oil/Gas Extraction
• Wholesale Trade
• Agriculture, Forestry, Fishing and Hunting
• Management of Companies & Enterprises
• Manufacturing
• Real Estate Rental and Leasing
• Administrative Support & Waste Management
• Educational Services
• Accommodation and Food Services
• Finance and Insurance
• Arts, Entertainment, and Recreation
• Information Services
• Other Services
• Healthcare and Social Assistance
• Professional, Scientific, and Technical Services
• Public Administration
• Transportation and Warehousing
• Utilities
• Retail Trade
Fundamentals of Dynamic Application Security Testing
DAST is a critical component in the application security landscape, particularly as organizations grapple with increasingly complex and vulnerable web applications. This section provides a comprehensive overview of DAST, its significance, and its role in a robust application security strategy.
Key Characteristics of DAST
DAST is a black-box security testing methodology that analyzes applications in their running state, without any privileged access to that application's design, architecture, or internals. Unlike SAST, which examines source code, DAST simulates real-world attacks on a live application, identifying vulnerabilities that may manifest only during runtime or in interactions between multiple subsystems. This approach allows DAST to detect issues such as authentication problems, server configuration errors, and Cross-Site Scripting vulnerabilities that might be missed by other testing methods.
DAST in the Modern Security Landscape
The relevance of DAST has grown significantly due to several factors.
• The increasing complexity of web applications: With the rise of the microservices architecture, API-driven development, and cloud-native applications, attack surfaces have expanded considerably.
• Evolving cyber threats: As attackers become more sophisticated, DAST's ability to simulate real-world attacks becomes invaluable.
• Regulatory compliance: Regulatory frameworks like GDPR and PCI DSS require robust, continuous security testing, making DAST an essential tool for compliance.
• DevSecOps integration: DAST's ability to be integrated within continuous integration/continuous deployment (CI/CD) pipelines aligns with modern DevSecOps practices.
• Cost implications: Early detection of vulnerabilities can significantly reduce the cost of fixing security issues after deployment.
DAST and Other Testing Methodologies
While DAST is powerful, it's most effective when used in conjunction with other security testing methods. For example, SAST's strengths include early detection of coding flaws, but it may miss runtime vulnerabilities or unintended interactions between components, which can be found by DAST. Likewise, SCA identifies vulnerabilities in third-party components; DAST can verify if these vulnerabilities are exploitable in a running application.
By implementing DAST in conjunction with other testing methodologies, organizations can significantly enhance their security posture in a complex online application landscape.
The key characteristics of DAST include
• External perspective testing, mimicking an attacker's view
• Visibility into trending behaviors
• Runtime analysis of applications
• Continuous testing
• Ability to test without access to source code
DAST in Preproduction and Production
DAST solutions can be integrated into CI/CD pipelines to identify vulnerabilities early, accelerating remediation and reducing the cost of fixes. This approach is particularly valuable for detecting issues that may manifest only in a running application, such as certain types of Injection vulnerabilities or unexpected interactions between services and components.
DAST solutions used in production offer additional benefits, especially for organizations dealing with complex, dynamic applications or those in highly regulated industries. This can also provide continuous monitoring, detecting vulnerabilities that may arise due to configuration changes, newly discovered exploits, or changes in the application's runtime environment. It's particularly valuable for identifying issues with third-party components that may become vulnerable over time, and for verifying the effectiveness of patches.
A combination of preproduction and production DAST testing may provide the most comprehensive security coverage for some organizations. The ideal scenario in these cases is implementing extensive preproduction DAST testing, and using production testing as a supplementary measure rather than the primary security strategy. The combination offers benefits including
• Risk mitigation: Preproduction testing eliminates the risk of unplanned downtime or data corruption in live environments.
• Cost-effectiveness: Fixing vulnerabilities earlier in the development cycle is typically much less expensive than addressing them in production.
• Developer-friendliness: Integration with IDEs and CI/CD pipelines makes security testing a natural part of the development process.
• Compliance: Many regulatory standards prefer or require testing before production deployment.
• Comprehensive testing: Preproduction environments enable more thorough and aggressive testing without fear of impacting users or data.
DAST testing in production can also be beneficial in several scenarios.
• Continuous security validation: It can act as an additional layer of security to catch any issues that might have slipped through preproduction testing.
• Detection of emerging threats: DAST can automatically detect emerging threats.
• Cloud-native applications: It is useful in production environments that may have unique configurations that are difficult to replicate in testing.
• Legacy systems: Production DAST may be more effective dealing with older applications that lack comprehensive preproduction environments.
The strategic implementation of DAST in both preproduction and production environments offers a balanced approach, allowing for thorough testing without compromising system integrity or user experience. This multifaceted strategy not only enhances vulnerability detection across various stages of the application lifecycle but also addresses the unique challenges posed by diverse application architectures, from legacy systems to cloud-native applications. Ultimately, this approach enables organizations to build a more resilient security posture capable of adapting to the evolving threat landscape.
Vulnerability Landscape Analysis
The analysis of over 200,000 DAST scans across approximately 1,300 applications reveals a concerning vulnerability landscape. This section delves into the most prevalent and critical vulnerabilities, their distribution across industries, and their potential impact on business operations.
Top 10 Vulnerability Classes Identified
Each entry gives the vulnerability class, the number of vulnerabilities identified, and a description.
1. Insufficient Transport Layer Protection (30,712): Failure to properly encrypt data in transit, allowing interception and tampering.
2. Missing Secure Headers (22,321): Absence of important HTTP security headers that help protect against various web-based attacks. Examples include X-XSS-Protection, X-Frame-Options, and Content-Security-Policy.
3. Information Leakage (8,097): Unintentional exposure of sensitive information through error messages, comments, or other application responses that can be leveraged by attackers to gain insights into the system's architecture or vulnerabilities.
4. Predictable Resource Location (5,468): Resources or files being stored in locations that can be easily guessed or predicted by attackers, potentially allowing unauthorized access to sensitive information or functionality.
5. Frameable Resource (4,481): A vulnerability in which a web page can be embedded in an iframe on another site, potentially leading to clickjacking attacks. This occurs when the X-Frame-Options header is missing or improperly configured.
6. Vulnerable Library (4,215): The use of third-party libraries or components with known security vulnerabilities, which can introduce weaknesses into the application that uses them.
7. Fingerprinting (3,700): Attackers gaining information about the technology stack, versions, or configurations of a system, which can be used to identify potential vulnerabilities or plan more-targeted attacks.
8. Cross-Site Scripting (2,415): A vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to theft of sensitive information or session hijacking.
9. Insufficient Authorization (2,396): Inadequate access controls that allow users to perform actions or access resources beyond their intended privileges, often due to improper implementation of authorization checks.
10. Susceptibility to Brute Force (2,235): An attack method in which attackers systematically attempt many passwords or passphrases with the hope of eventually guessing correctly, often exploiting weak password policies or lack of account lockout mechanisms.
Figure 1. Vulnerability frequency
Our analysis identified a total of 96,917 vulnerabilities. Figure 1 shows the vulnerabilities identified most frequently, and Figure 2 lists the percentage of clients with each vulnerability.
Insufficient Transport Layer Protection, the most prevalent issue, exposes organizations to data interception and tampering, potentially leading to data breaches and compliance violations. Missing Secure Headers, the second-most-common vulnerability, leaves applications susceptible to various web-based attacks, undermining overall security posture.
Information Leakage and Predictable Resource Location represent significant vulnerabilities that often provide attackers with an easy entry point into systems. Information Leakage, ranked third with 8,097 identified vulnerabilities, involves the unintentional exposure of sensitive information through error messages, comments, or application responses. This can provide attackers with valuable insights into system architecture or vulnerabilities. Predictable Resource Location, fourth with 5,468 vulnerabilities, occurs when resources or files are stored in easily guessable locations, potentially allowing unauthorized access to sensitive information or functionality.
Both these vulnerability classes highlight a common issue: the inadvertent disclosure of information that can be leveraged by attackers. These vulnerabilities are particularly concerning because they often result from oversight or inadequate security practices rather than complex technical issues, making them both common, and, at least theoretically, more straightforward to address with proper security awareness and protocols.
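As an added example (not from the report or Black Duck's scanner), this checker runs the header-based checks behind the Insufficient Transport Layer Protection, Missing Secure Headers, Frameable Resource and Fingerprinting classes above over a captured HTTP response. Both responses are constructed for the demonstration; the header names are the standard ones, while the finding labels simply reuse the report's class names.

```python
from typing import Dict, List

# Constructed sample responses (not captured from any real server). The first
# is deliberately weak; the second is the same page with the headers fixed.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>account page</body></html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<html><body>account page</body></html>"
)


def parse_headers(raw: str) -> Dict[str, str]:
    # Header names are case-insensitive, so normalise them to lower case.
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(headers: Dict[str, str], served_over_https: bool) -> List[str]:
    findings: List[str] = []
    xfo = headers.get("x-frame-options", "").upper()
    csp = headers.get("content-security-policy", "")
    # Frameable Resource: nothing stops another origin from embedding the page.
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("Frameable Resource: no X-Frame-Options or CSP frame-ancestors")
    # Missing Secure Headers. X-XSS-Protection, listed in the table above, is
    # deprecated in current browsers and is deliberately not required here.
    if not csp:
        findings.append("Missing Secure Headers: Content-Security-Policy absent")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("Missing Secure Headers: X-Content-Type-Options nosniff absent")
    # Insufficient Transport Layer Protection: plain HTTP, or HTTPS without HSTS.
    if not served_over_https:
        findings.append("Insufficient Transport Layer Protection: served over plain HTTP")
    elif "strict-transport-security" not in headers:
        findings.append("Insufficient Transport Layer Protection: no HSTS header")
    # Fingerprinting: a version number in Server gives away the stack.
    server = headers.get("server", "")
    if any(ch.isdigit() for ch in server):
        findings.append(f"Fingerprinting: Server header reveals version ({server})")
    return findings


def audit_raw(raw: str, served_over_https: bool) -> List[str]:
    return audit_headers(parse_headers(raw), served_over_https)


if __name__ == "__main__":
    for label, raw, https in (("weak", WEAK_RESPONSE, False),
                              ("hardened", HARDENED_RESPONSE, True)):
        print(label, audit_raw(raw, https) or ["no findings"])
```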
Vulnerability class and percentage of clients with that vulnerability:
• Missing Secure Headers: 97%
• Insufficient Transport Layer Protection: 87%
• Information Leakage: 66%
• Frameable Resource: 60%
• Vulnerable Library: 57%
• Insufficient Authorization: 50%
• Fingerprinting: 46%
• Cross-Site Scripting: 41%
• Improper Input Handling: 40%
• Predictable Resource Location: 35%
Figure 2. Percentage of clients experiencing one or more of a given vulnerability class
Critical-Risk and Urgent Vulnerabilities
Vulnerability class, number of critical-risk vulnerabilities, and number in urgent need of attention:
• Insufficient Transport Layer Protection: 4,882 critical-risk; 2 urgent
• Cross-Site Scripting: 2,256 critical-risk; 1 urgent
• Information Leakage: 510 critical-risk; -
• Cross-Site Request Forgery: 434 critical-risk; -
• Abuse of Functionality: 248 critical-risk