third Cyber Security Assessment Netherlands - NCSC
Detailed section » 7 Vulnerability of IT<br />
[Figure 7: chart of new web-based vulnerabilities registered per year, 2005-2012 (y-axis 0 to 1200 registrations); three series: XSS, SQL injection, CSRF]<br />
Figure 7. Development in web-based vulnerabilities<br />
7.2.2 Impact of vulnerabilities in software<br />
An analysis of the CVE registrations and <strong>NCSC</strong> security advisories<br />
reveals that the majority of vulnerabilities have a moderate impact:<br />
between roughly 40 and 61 per cent of all vulnerabilities fall into this<br />
band (Figure 6). The distribution of impact has changed little over the<br />
previous four quarters.<br />
What is notable is that the proportion of vulnerabilities with the<br />
highest CVSS score (10) has increased in recent years. A base score<br />
of 10 means the vulnerability is both easy to exploit (reachable over<br />
the network, low access complexity, no authentication required) and<br />
has the highest possible impact (confidentiality, integrity and<br />
availability are all fully compromised). This underlines the importance<br />
of patching software promptly.<br />
7.2.3 Causes of vulnerabilities in software<br />
Table 8 describes the top 10 causes of vulnerabilities throughout the<br />
reporting period of this CSAN.<br />
Research shows that errors concerning memory management<br />
(primarily buffer overflow) in standard, off-the-shelf software have been the<br />
most common vulnerabilities for over 25 years, despite the raft of<br />
measures that have been developed in the meantime. [55: VU 2012]<br />
Rank | Description | Number of registrations<br />
1 | Buffer overflow | 625<br />
2 | Cross-site scripting (XSS) | 556<br />
3 | Insufficient input validation | 503<br />
4 | Problem with authorisation and access control | 498<br />
5 | Resource management | 283<br />
6 | Accidental disclosure of information | 184<br />
7 | SQL injection | 146<br />
8 | Computing and conversion errors | 124<br />
9 | Cross-site request forgery (CSRF) | 122<br />
10 | Code injection | 105<br />
Table 8. Major causes of vulnerabilities<br />
It is notable that many of the vulnerabilities are related to web<br />
applications: cross-site scripting (XSS), SQL injection and cross-site<br />
request forgery (CSRF) are common in web applications and together<br />
account for a large share of the registrations. There has been a clear<br />
decline in SQL injection following a peak in 2008 (Figure 7). XSS, by<br />
contrast, has increased. This is noteworthy given that XSS is by now a<br />
well-known vulnerability class that developers can be expected to be<br />
aware of. Figure 7 outlines the trend in these web-based vulnerabilities<br />
during recent years.<br />
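The two web-application classes this paragraph singles out, SQL injection and XSS, both come down to user input crossing into a different grammar (SQL, HTML) unescaped. The following is an added example, not code from the CSAN report or from NCSC: it puts the vulnerable pattern beside the hardened one for each class, using an in-memory SQLite database with constructed sample users and a constructed payload, so it runs offline. The function and table names are illustrative; the fixes shown are bound query parameters (`?` placeholders) and `html.escape`.<br />

```python
"""SQL injection and reflected XSS: vulnerable vs hardened (added example; not from the CSAN report)."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data in an in-memory database so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b"), ("carol", "hash-c")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """String concatenation: the caller's input becomes part of the SQL grammar."""
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterised(conn: sqlite3.Connection, username: str) -> list:
    """Bound parameter: the input is only ever a value, whatever quotes it contains."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def greet_vulnerable(name: str) -> str:
    """Reflects user input into HTML unescaped: reflected XSS."""
    return "<p>Hello, " + name + "</p>"


def greet_escaped(name: str) -> str:
    """Escapes <, >, &, ' and " so the payload is rendered as text, not parsed as markup."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


# Constructed attacker inputs for the demonstration.
PAYLOAD_SQLI = "x' OR '1'='1"
PAYLOAD_XSS = "<script>alert(document.cookie)</script>"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable   :", lookup_vulnerable(conn, PAYLOAD_SQLI))    # every user is returned
    print("parameterised:", lookup_parameterised(conn, PAYLOAD_SQLI))  # no such user: []
    print(greet_vulnerable(PAYLOAD_XSS))  # script tag reaches the browser intact
    print(greet_escaped(PAYLOAD_XSS))     # &lt;script&gt;... is displayed, not executed
```

The `' OR '1'='1` payload turns the WHERE clause into a tautology in the concatenated version, so the query returns every row; the parameterised version sends the same string as a literal value and matches nothing. For XSS, output encoding for the context the data lands in (here HTML body text) is the control; validation of the input alone, the third entry in Table 8, is not a substitute for it.<br />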