In the HP 2012 Cyber Risk Report, HP Enterprise Security provides a broad view of the vulnerability landscape, ranging from industry-wide data down to a focused look at specific technologies, including Web and mobile. The goal of this report is to provide the kind of actionable security intelligence that organizations need to understand the vulnerability landscape and to deploy their resources where they best minimize security risk.
Critical vulnerabilities are on the decline, but still pose a significant threat
High-severity vulnerabilities (CVSS score of 8 to 10) made up 23 percent of the total scored vulnerabilities submitted to OSVDB in 2011 and dropped to 20 percent in 2012. While this reduction is significant, the data shows that nearly one in five vulnerabilities can still allow attackers to gain total control of the target.
Mature technologies introduce continued risk
As demonstrated by the recent Department of Homeland Security announcement recommending that the Oracle Java SE platform be universally disabled in Web browsers, seemingly mature technologies still suffer from new exploits. In particular, 2012 data show the number of vulnerabilities disclosed in Supervisory Control And Data Acquisition (SCADA) systems increased from 22 in 2008 to 191 in 2012 (a 768 percent increase).
Mobile platforms represent a major growth area for vulnerabilities
The explosive adoption of mobile devices and the applications that drive them has resulted in a corresponding boom in mobile vulnerabilities. The last five years have seen a 787 percent increase in mobile application vulnerability disclosures, with novel technologies, such as near-field communications (NFC), introducing previously unseen vulnerability types.
Web applications remain a substantial source of vulnerabilities
OSVDB data from 2000–2012 shows that of the six most submitted vulnerability types, four (SQL injection, cross-site scripting, cross-site request forgery, and remote file includes) exist primarily or exclusively in Web applications.
Cross-site scripting remains a major threat to organizations and users
Cross-site scripting (XSS) remains a widespread problem, with 44.5 percent and 44 percent of the applications in our two data sets, respectively, suffering from the vulnerability. In one case, analysis of a multinational corporation showed that just under half (48.32 percent) of its Web applications were vulnerable to some form of XSS. Furthermore, new methods of exploiting this vulnerability continue to be found, as demonstrated by the large portion of ZDI vulnerability submissions focused on XSS.
Effective mitigation for cross-frame scripting remains noticeably absent
The first documented cross-frame scripting (XFS) vulnerability, the root cause behind clickjacking attacks, was discovered over 10 years ago. Since then, clickjacking has become a household name, yet less than one percent of 100,000 URLs tested included the best-known mitigation, the X-Frame-Options header.
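The survey behind that figure comes down to inspecting each response for a usable X-Frame-Options header. The following is an added example, not code from the report: it classifies constructed sample responses (placeholder hosts, not real measurements) as protected, missing, or malformed, and reports the share in each category the way a header survey would. Header names are matched case-insensitively, and a value a browser would not recognise is counted as malformed rather than protected.

```python
"""Survey HTTP response headers for the X-Frame-Options clickjacking mitigation."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

VALID_XFO = ("DENY", "SAMEORIGIN")


@dataclass
class XfoResult:
    url: str
    status: str            # "protected", "missing", or "malformed"
    value: Optional[str]


def classify_xfo(url: str, headers: dict[str, str]) -> XfoResult:
    """Classify one response by its X-Frame-Options header.

    HTTP header names are case-insensitive, so the lookup folds case.
    Browsers generally ignore X-Frame-Options values they do not recognise,
    which leaves the page framable, so anything other than DENY, SAMEORIGIN
    or ALLOW-FROM <uri> is reported as 'malformed' rather than 'protected'.
    """
    value = next((v for k, v in headers.items() if k.lower() == "x-frame-options"), None)
    if value is None:
        return XfoResult(url, "missing", None)
    token = value.strip().upper()
    if token in VALID_XFO or token.startswith("ALLOW-FROM "):
        return XfoResult(url, "protected", value.strip())
    return XfoResult(url, "malformed", value.strip())


def survey(responses: dict[str, dict[str, str]]) -> dict[str, float]:
    """Return the percentage of URLs falling into each category."""
    results = [classify_xfo(u, h) for u, h in responses.items()]
    total = len(results) or 1
    return {s: 100.0 * sum(r.status == s for r in results) / total
            for s in ("protected", "missing", "malformed")}


# Constructed sample responses (hypothetical hosts, not measured data).
SAMPLE_RESPONSES = {
    "https://bank.example/login":   {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
    "https://intranet.example/":    {"x-frame-options": "sameorigin"},
    "https://shop.example/cart":    {"Content-Type": "text/html"},
    "https://legacy.example/admin": {"X-Frame-Options": "ALLOW-ALL"},  # not a valid token
    "https://blog.example/post/1":  {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for url, hdrs in SAMPLE_RESPONSES.items():
        r = classify_xfo(url, hdrs)
        print(f"{r.status:10s} {str(r.value):12s} {r.url}")
    print(survey(SAMPLE_RESPONSES))
```

For a live check, feed the function the `headers` mapping of an `http.client` or `urllib.request` response for each URL in place of the constructed dictionaries.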