This analysis yielded the following high level points:
- The number of vulnerabilities discovered in application assessments remains consistent at around 9 findings per test, but infrastructure engagements show a decline in the number of vulnerabilities discovered (23.3 to 12.1 per test for external infrastructure, and 32.8 to 23.0 per test for internal infrastructure).
- The proportion of high impact of vulnerabilities has also remained consistent for applications (16%), but again infrastructure shows a steady decline from an initially high starting point (20.2% to 8.2% for external infrastructure, and 28.9% to 15.9% for internal infrastructure).
- The proportion of high impact vulnerabilities that are considered easy to exploit has remained consistent for both applications (~35%) and internal infrastructure (~85%) engagements, but external infrastructure, while still quite high (57%), has dropped in 2015.
So far in 2015, our statistics suggest that approximately 1 in every 2 application or external infrastructure tests possess an easily exploitable, high impact vulnerability. For internal infrastructure, there are over 3 high impact, easily exploited vulnerabilities per test.
This average has been consistent for application assessments since 2013, suggesting that application security is neither getting substantially worse nor better. However, both external and internal infrastructure tests have been showing improved security postures, with decreasing numbers of total findings and a smaller share of high impact findings present.
Context attributes this change to the remediation advice we provide to our customers. Most assurance work we undertake, particularly for new customers, will typically be for web applications. These applications may not have received assurance work before, and as a result will often have more serious vulnerabilities. This balances out against the improving security observed with existing customers, leading to consistent statistics over the timeframe.
Infrastructure work on the other hand is more often requested by customers Context has a prior working relationship with, and over time the security measures in place will begin to improve as they follow our remediation advice.
Average Number of Vulnerabilities
An assessment of the average number of vulnerabilities per test for web application assessments was carried out. The following table shows the result:
These results show that the average number of findings, proportion of high impact findings and easily exploited high impact findings has remained relatively consistent over the period analysed for web application assessments.
Contrastingly, the results for infrastructure assessments – which can be split into external and internal infrastructure – suggest that these numbers are reducing:
The results suggest that external infrastructure engagements are beginning to resemble application security assessments in terms of the number and severity of findings. However, any high impact findings discovered for an external infrastructure test are still much more likely to be easily exploited (35.6% to 57.4%). This may be due to the consistently active development of attack frameworks such as Metasploit which make the process of exploiting an infrastructure vulnerability and simple exercise available to attackers without an in-depth understanding of the vulnerability itself.
The trends have also shown that internal infrastructure engagements have on average fewer vulnerabilities than in previous years, though these are still substantially higher than other tests, averaging 9 for applications, 12 for external infrastructure and 23 for internal infrastructure in 2015.
One possible explanation for the prevalence of vulnerabilities within internal infrastructure would be the implicit trust given to employees, with administrators more concerned about external threats. This would explain why the number of external infrastructure vulnerabilities has dropped significantly, but it also suggests that a malicious insider remains a substantial threat to the security of an organisation’s networks.
High Impact Findings
Context assigns impact ratings for each finding, with the most common being Critical, High, Medium and Low. High impact vulnerabilities are those that would normally result in an attacker gaining unauthorised access, or compromise of user data/application functionality that could lead to financial or legal impact.
Since 2013, application findings graded as having a high impact or above have remained constant, at around 16% each year. This averages out to just over 1 high impact finding for each application test.
In addition to the decreasing number of vulnerabilities discovered in infrastructure tests, the proportion of these findings that have a high impact has also been decreasing. This decrease has taken the proportion of high impact findings for external infrastructure from 20.2% in 2013 to only 8.2% in 2015.
Internal infrastructure has also shown a similar decrease; high impact findings make up 28.9% of all vulnerabilities in 2013, which is down to 15.9% in 2015.
High & Easily Exploited Vulnerabilities
Identified findings are rated according to impact; however an “ease of exploitation” is also assigned to each finding describing the skill or knowledge level required to exploit the relevant issue. Easily exploitable vulnerabilities are those that can be exploited by an attacker possessing a low-level of knowledge or beginner skillset, possibly using a well-publicised exploit, within a short period of time.
Across all three years, application and internal infrastructure engagements have yielded consistent difficulty ratings for high impact findings. For applications, approximately 35% of high impact findings are considered easy to exploit; for internal infrastructure, typically 80% to 90% of high impact vulnerabilities are easily exploitable.
External infrastructure again shows a decrease, with the proportion of easily exploited high impact findings going from around 75% down to under 60%.
Contact and Follow-Up
Steve is a part of our Assurance team based in our Cheltenham office.