Show Me the Data: Analyzing Security Trends Across 100 Companies presented at Nullcon 2016

by Clint Gibler

Summary: As security professionals, we’re aware of the types of security issues our company faces, and we constantly read of breaches in the media. But how prevalent are specific types of vulnerabilities, such as cross-site scripting, in real companies today? We’re numbers people: we want hard data, not anecdotes.
While most would agree that publishing this information would be valuable to the community, few companies are willing to openly discuss their experiences.
In this talk, I’ll discuss insights gained from analyzing the results of running a commercial security scanner on 100 international companies across 10 industry verticals, including Financial Services, IT, and Healthcare, from 2014 through 2015, collectively representing about a million findings.
I'll examine questions such as:
What are the common types of vulnerabilities in real companies today? Does it vary by industry?
For a given type of vulnerability, how long does it take companies to remediate issues?
Does the time to fix depend on the type of vulnerability, on its severity, or merely on its solution, or on some combination of these?
Do companies or industries tend to fix the same types of vulnerabilities in a similar time frame or is there significant variation?