Top 10 Vulnerable Products and their Vendors in 2016

| Sl. No. | Product           | Vendor    | Number of Vulnerabilities |
|---------|-------------------|-----------|---------------------------|
| 1       | Android           | Google    | 515                       |
| 2       | Debian Linux      | Debian    | 314                       |
| 3       | Ubuntu Linux      | Canonical | 272                       |
| 4       | Leap              | Novell    | 257                       |
| 5       | Flash Player      | Adobe     | 249                       |
| 6       | openSUSE          | Novell    | 228                       |
| 7       | Acrobat Reader DC | Adobe     | 227                       |
| 8       | Acrobat DC        | Adobe     | 227                       |
| 9       | Acrobat           | Adobe     | 224                       |
| 10      | Mac OS X          | Apple     | 215                       |
CVE Details Top 10 Vulnerable Products and their Vendors in 2016
Here is the list of security vulnerabilities reported by CVE Details for the period 01-Dec-2016 to 09-Dec-2016. A total of 11 security vulnerabilities were reported.
CVE Details 01-Dec To 09-Dec-2016
Here is the list of threats reported by Symantec for the period 01-Dec-2016 to 09-Dec-2016. A total of 14 threats (including Trojans, viruses and worms) were reported.
Symantec 01-Dec To 09-Dec-2016
SecureFirst Solutions Private Limited is a security-centric Product-cum-Services Organization assisting its Clients to develop and maintain secure applications. Our offerings are classified broadly into two categories:
1. Product: Vulnerability Management System (VMS)
2. Services: Security as a Service (SaaS)
Here is the list of security vulnerabilities reported by CVE Details for the period 21-Nov-2016 to 27-Nov-2016. A total of 105 security vulnerabilities were reported.
CVEDetails_21-Nov-2016 to 27-Nov-2016
Here is the list of threats reported by Symantec for the period 21-Nov-2016 to 27-Nov-2016. A total of 14 threats were reported.
Symantec_21-Nov-2016 to 27-Nov-2016
2. Threat Modeling: System Design, or the Design phase, is a crucial phase of the SDLC in which the Architects prepare a blueprint of the hosting environment for the application to be developed.
System Design Phase: Threat Model
A typical three-tier architecture consists of the following layers:
1. User Interface
2. Application Logic
3. Server
Three Tier Architecture
Given the architecture diagram and the functional requirement specification document, it is a painstaking activity to identify the possible security threats to the proposed architecture while it is still on paper. This is where our security professional's experience comes into the picture: s/he has to identify the possible threats and propose a secure environment setup so that the application will be hosted securely.
Is there an industry standard or process for identifying and ranking threats? Who carries it out? What actually happens in this process? Let's see whether we can answer these questions.
OWASP and Microsoft have provided some excellent guidance on the threat modeling process. Below is an extract from the Microsoft website that shows the steps involved.
Microsoft Threat Modeling Process
1. Identify Assets: Identify the critical assets, information, files and locations that contain sensitive or private data.
2. Create an Architecture Overview: Create an architecture diagram to provide a clear understanding of the proposed application and its hosting environment.
3. Decompose the Application: Decompose the architecture diagram to identify the various entry and exit points.
4. Identify the Threats: Determine the possible threats using STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege) and from whom each threat could originate.
5. Document the Threats: Record the assets, threats and controls. Capture the list of threats that are missing security controls and provide a suitable fix recommendation for each.
6. Rate the Threats: After discussion with the respective Client/Customer, follow the DREAD model (Damage potential, Reproducibility, Exploitability, Affected users, Discoverability) to rate each identified threat.
Carry forward all artifacts and observations to the next phase of the SDLC.
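The following is an added example, not code from SecureFirst Solutions or from Microsoft: a small Python threat register that walks the six steps above over the three-tier design. It decomposes constructed data flows into entry points (step 3), tags each threat with a STRIDE category (step 4), lists threats that have no compensating control (step 5), and rates and ranks them with DREAD (step 6). It also adds a coverage check that flags any step-1 asset no threat mentions, a gap a reviewer would want to see before the model is carried to the next phase. All assets, flows, threats, control names and ratings are constructed sample data; the DREAD score is the plain average of the five 1-10 ratings, with the High/Medium/Low bands chosen here for illustration.

```python
# Added example, not SecureFirst's code: a small STRIDE/DREAD threat register
# that walks the six Microsoft steps above over a three-tier design. Every
# asset, data flow, threat and DREAD rating here is constructed sample data.
from dataclasses import dataclass, field
from typing import Dict, List

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information Disclosure", "D": "Denial of Service",
          "E": "Elevation of Privilege"}
DREAD_KEYS = ("damage", "reproducibility", "exploitability",
              "affected_users", "discoverability")

# Step 1 (identify assets): constructed list for the sample design
ASSETS = ["customer records", "user session", "audit log",
          "application logic tier", "admin credentials"]

# Step 2 (architecture overview): the three tiers and the flows between them
TIERS = ["User Interface", "Application Logic", "Server"]
FLOWS = [("User Interface", "Application Logic", "HTTPS login and requests"),
         ("Application Logic", "Server", "SQL queries"),
         ("Application Logic", "Server", "audit log writes")]


def entry_points(flows, tiers):
    """Step 3 (decompose): every flow that crosses a tier boundary is an entry point."""
    points = []
    for src, dst, what in flows:
        if src not in tiers or dst not in tiers:
            raise ValueError(f"flow {src} -> {dst} names a tier not in the diagram")
        if src != dst:
            points.append(f"{src} -> {dst} ({what})")
    return points


@dataclass
class Threat:
    id: str
    asset: str
    entry_point: str
    category: str                                        # STRIDE letter (step 4)
    description: str
    controls: List[str] = field(default_factory=list)    # existing controls (step 5)
    dread: Dict[str, int] = field(default_factory=dict)  # five ratings, 1-10 (step 6)

    def __post_init__(self):
        if self.category not in STRIDE:
            raise ValueError(f"{self.id}: unknown STRIDE category {self.category!r}")

    def dread_score(self) -> float:
        """Average of the five DREAD ratings; refuses incomplete or out-of-range input."""
        missing = [k for k in DREAD_KEYS if k not in self.dread]
        if missing:
            raise ValueError(f"{self.id}: DREAD rating incomplete, missing {missing}")
        for k in DREAD_KEYS:
            if not 1 <= self.dread[k] <= 10:
                raise ValueError(f"{self.id}: {k} must be between 1 and 10")
        return sum(self.dread[k] for k in DREAD_KEYS) / len(DREAD_KEYS)

    def risk_band(self) -> str:
        score = self.dread_score()
        return "High" if score >= 7 else ("Medium" if score >= 4 else "Low")


def missing_controls(threats):
    """Step 5 (document): threats recorded with no compensating control at all."""
    return [t.id for t in threats if not t.controls]


def unmodelled_assets(assets, threats):
    """Coverage check: step-1 assets that no threat mentions are gaps in the model."""
    covered = {t.asset for t in threats}
    return [a for a in assets if a not in covered]


def rank(threats):
    """Step 6 (rate): highest DREAD score first, ties broken by id for a stable report."""
    return sorted(threats, key=lambda t: (-t.dread_score(), t.id))


def report(threats):
    """Artifact carried to the next SDLC phase: one row per threat, highest risk first."""
    return [{"id": t.id, "stride": STRIDE[t.category], "entry_point": t.entry_point,
             "score": round(t.dread_score(), 1), "band": t.risk_band(),
             "needs_control": not t.controls} for t in rank(threats)]


# Constructed threats for the sample design (ids, wording and ratings are made up)
SAMPLE_THREATS = [
    Threat("T1", "customer records", "Application Logic -> Server (SQL queries)", "T",
           "user-supplied input reaches database queries unvalidated", controls=[],
           dread={"damage": 9, "reproducibility": 8, "exploitability": 7,
                  "affected_users": 9, "discoverability": 8}),
    Threat("T2", "user session", "User Interface -> Application Logic (HTTPS login and requests)", "S",
           "captured session token replayed from another client",
           controls=["TLS everywhere", "short session expiry"],
           dread={"damage": 7, "reproducibility": 6, "exploitability": 5,
                  "affected_users": 8, "discoverability": 6}),
    Threat("T3", "audit log", "Application Logic -> Server (audit log writes)", "R",
           "administrative actions are not written to the audit log", controls=[],
           dread={"damage": 5, "reproducibility": 9, "exploitability": 4,
                  "affected_users": 3, "discoverability": 5}),
    Threat("T4", "application logic tier", "User Interface -> Application Logic (HTTPS login and requests)", "D",
           "unbounded file upload exhausts disk on the application tier",
           controls=["upload size limit"],
           dread={"damage": 4, "reproducibility": 8, "exploitability": 6,
                  "affected_users": 7, "discoverability": 3}),
]

if __name__ == "__main__":
    print("entry points:", entry_points(FLOWS, TIERS))
    print("threats without controls:", missing_controls(SAMPLE_THREATS))
    print("assets with no modelled threat:", unmodelled_assets(ASSETS, SAMPLE_THREATS))
    for row in report(SAMPLE_THREATS):
        print(row)
```

Run as-is, the register reports T1 (tampering via the SQL boundary, no control) at the top with a score of 8.2, flags T1 and T3 as lacking any control, and flags "admin credentials" as an asset the model never examined. A rating that is missing a DREAD dimension or uses a value outside 1-10 raises rather than silently scoring low, which is the failure mode to guard against when ratings are collected across several review sessions with the customer.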
Benefits of integrating security in Phase 2:
Crucial assets and their compensating controls are clearly depicted
Threats to each asset are identified and compensating controls are recommended
Assists in identifying additional security vulnerabilities in the next phase of the SDLC
Major advantage: precisely identifying and mitigating the threats right in the Design phase helps organizations save at least 30% of the operational cost that would be incurred by not conducting threat modeling in this phase. How did we arrive at this 30%? (Please contact SecureFirst Solutions for more details.)