Dashboards and reporting are a significant feature of the SureCloud Platform. Here customers can easily see key metrics at the organisational level, on a per-project basis, and even against their own remediation activities, such as within tasks. Taking this further, we have been analysing data held within the SureCloud Platform from 2010 to date, across all of our activities, including on-demand scanning, vulnerability assessments, and assurance and penetration testing activities such as IT Health Checks (ITHC).
Unsurprisingly perhaps, patching and patch management turned out to be the root cause of around 96% of vulnerabilities discovered, with MS Windows updates, Java, and Adobe Acrobat versions holding prominent positions within the top 10 since 2010. The second most prolific root cause of identified vulnerabilities was configuration issues – software and devices left in their default or factory configuration (including default passwords). Beyond patch management and configuration issues, legacy systems and application security represent a significant volume of vulnerabilities, along with password policy weaknesses and the physical protection of information assets. Note that these figures are ranked by frequency, rather than by risk.
Looking at subsets of the data, and specifically at Internet-facing assets such as web applications and infrastructure, Cross-Site Scripting proved to be the most commonly identified vulnerability. Configuration of SSL/TLS endpoints has been a particular challenge over the past 12 months, and we continue to see legacy protocols such as SSLv2 being supported. Weak ciphers and self-signed certificates, along with insecure logon forms, also fall within that category. Whilst legacy SSL features such as SSLv2 and very weak ciphers are unlikely to disappear any time soon, their risk will continue to diminish as browser versions improve, since modern browsers do not support these protocols by default.
Looking at vulnerability counts over time, Cross-Site Scripting actually appears to be increasing in prevalence, though this may be due to the increase in demand for web application security testing which we have noticed over the past 12-18 months. This increase in demand may in turn be due to various high-profile disclosures and breaches, many of which have involved high-profile web sites.