Security Statistics: Safety in Numbers
A belated happy new year to all! It's common at this time of year to look back at the year behind us. News about interesting statistics seems to pop up all over in January. So, let's jump on the trend!
Statistics save lives
In the 1840s, Dr. Ignaz Semmelweis was working at the First Obstetrical Clinic of the Vienna General Hospital. He was wondering why women at his clinic had a much higher risk of dying in childbirth (10%) than in the Second Clinic (less than 4%). This fact was well known, and some poor women preferred to give birth in the streets rather than go to the First Clinic. Even they fared better.
He began looking systematically for differences between the clinics. Techniques were the same, as were religious practices and even the local climate. But one thing stood out: Only midwives worked at the Second Clinic. At the First, there were also students of general medicine. Those students also performed autopsies. Semmelweis suspected a connection, and instructed those who did autopsies to wash their hands with chlorine afterwards. The mortality rate dropped by 90%! Eventually the medical world discovered bacteria and viruses, and the importance of hygiene.
I've looked at the statistics of the security advisories we have published at eZ Systems, back to 2012. I didn't expect to save lives with this but hoped to learn something. I'd like to share some findings with you.
There is nothing new under the sun
The OWASP Top Ten, which I have written about before, is a consensus list of the most critical security risks to web applications. It turns out that 83% of our advisories are about issues within the Top Ten. Seven of the Ten are found among our advisories. This goes to show that there is nothing new under the sun, and most security risks are known issues. It's a matter of education, attention to detail, and applying known solutions to known problems.
In particular, we've had many cases of the seventh of the Top Ten: Cross Site Scripting (XSS). Emphasis on had, because there's good news: the rate of XSS issues dropped 87% from eZ Publish Legacy (I refer to it as Legacy throughout this post) to eZ Platform. Why? This may be a matter of using best practices. In Legacy, we protected templates against injection by using the wash operator, and we had to remember to use it wherever we output data from users. In eZ Platform, we use Twig, which has output escaping enabled by default. Much safer!
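To make the difference concrete, here is an added example (not code from eZ Publish Legacy or eZ Platform) that puts a Legacy-style opt-in wash next to Twig's escape-by-default output. It assumes twig/twig is installed via Composer; the template names and the sample comment text are constructed.

```php
<?php
// Added example, not code from eZ Publish Legacy or eZ Platform. It contrasts
// the Legacy "remember to wash" pattern with Twig's escape-by-default output.
// Assumes twig/twig installed via Composer; the template names and the sample
// comment text are constructed for this example.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// Constructed sample input: markup and quotes as a visitor might type them.
$untrusted = '<b>bold</b> & "quotes"';

// Legacy style: escaping is opt-in, so safety depends on every template author
// remembering the equivalent of {$comment|wash} at every output point.
function legacyRender(string $body, bool $rememberedToWash): string
{
    $out = $rememberedToWash
        ? htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        : $body; // forgotten wash: the markup is emitted verbatim
    return 'Comment: ' . $out;
}

// Twig: with 'autoescape' => 'html' (the default) every {{ }} output is
// escaped unless a template explicitly opts out with |raw.
$twig = new Environment(new ArrayLoader([
    'escaped' => 'Comment: {{ body }}',
    'opt_out' => 'Comment: {{ body|raw }}',
    'js_ctx'  => '<script>var c = "{{ body|e("js") }}";</script>',
]), ['autoescape' => 'html']);

// Washed Legacy output and default Twig output are the same escaped string;
// the difference is that Twig needed no filter to get there.
echo legacyRender($untrusted, true), PHP_EOL;
echo $twig->render('escaped', ['body' => $untrusted]), PHP_EOL;

// Both of these emit the markup verbatim: the forgotten wash, and |raw, which
// reintroduces the Legacy failure mode and is worth grepping for in review.
echo legacyRender($untrusted, false), PHP_EOL;
echo $twig->render('opt_out', ['body' => $untrusted]), PHP_EOL;

// HTML entity escaping is designed for element content. Inside <script> the
// value must be escaped as a JavaScript string literal instead, which the
// js escaper does; the default strategy does not switch context for you.
echo $twig->render('js_ctx', ['body' => $untrusted]), PHP_EOL;
```

The practical review rule that falls out of this: in Twig, audit every `|raw` and every hand-picked escaper, rather than every output point.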
Other repeat offenders in Legacy are the fifth: Broken access control, and the second: Broken authentication. These are obviously essential for security. Why did Legacy suffer from them? One possible cause is fragmented and duplicated code. Legacy v3, v4 and v5 were a lot better in this regard than the ancient v2, but still worse than eZ Platform is. It's easier to get one section of code right, than five.
Note that the Legacy permission model, which is also used in eZ Platform, has held up very well, despite being originally designed for Legacy v3, a long time ago. It's the application of the model that has failed in a few cases, not the model itself. It grants zero access by default, and then we use roles and policies to grant limited rights to limited groups of users. This deny-by-default, whitelisting, positive security model is an industry best practice. Kudos to those who designed it!
Legacy also has quite a few cases of the Numero Uno of the Top Ten: Injection. Yet this is not observed in eZ Platform at all. Why is that? Better tools. We use Doctrine, which includes injection protection by default. Again, it's much easier to stay out of trouble when following the recommended best practices!
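What "injection protection by default" means in practice, as an added example that is not code from eZ Platform: Doctrine DBAL takes query parameters separately from the SQL text. It assumes a recent doctrine/dbal (2.11 or later) installed via Composer; the users table, its rows and the lookups are constructed.

```php
<?php
// Added example, not code from eZ Platform. It shows the Legacy-era pattern
// of pasting a value into SQL next to the Doctrine DBAL bound-parameter form.
// Assumes doctrine/dbal 2.11+ installed via Composer; the users table, its
// rows and the lookup values are constructed for this example.
require __DIR__ . '/vendor/autoload.php';

use Doctrine\DBAL\Connection;
use Doctrine\DBAL\DriverManager;

$conn = DriverManager::getConnection(['driver' => 'pdo_sqlite', 'memory' => true]);
$conn->executeStatement('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT NOT NULL)');
$conn->executeStatement("INSERT INTO users (login) VALUES ('alice'), ('bob')");

// The Legacy-era pattern: the value becomes part of the SQL text, so any quote
// in it is parsed as SQL rather than treated as data.
function findUserConcat(Connection $conn, string $login): array
{
    $sql = "SELECT id, login FROM users WHERE login = '" . $login . "'";
    return $conn->fetchAllAssociative($sql);
}

// The Doctrine way: the value travels to the driver as a bound parameter and
// is never parsed as SQL, whatever characters it contains.
function findUserBound(Connection $conn, string $login): array
{
    $sql = 'SELECT id, login FROM users WHERE login = :login';
    return $conn->fetchAllAssociative($sql, ['login' => $login]);
}

$withQuote = "o'brien"; // an ordinary value, not an attack, that contains a quote

// A normal lookup, and a lookup where the quote is just data: the second one
// finds no matching user and raises no error.
var_dump(findUserBound($conn, 'alice'));
var_dump(findUserBound($conn, $withQuote));

try {
    findUserConcat($conn, $withQuote);
} catch (\Exception $e) {
    // The quote broke the statement. This is the mechanism behind every
    // injection advisory; binding the parameter removes the whole class.
    echo 'concatenated query failed: ', get_class($e), PHP_EOL;
}
```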
The big picture
How do eZ Publish Legacy and eZ Platform compare in general, in number of issues? This is tricky to report correctly. Legacy has been around for longer, so obviously it has a larger total. I could look at issues per year, and expect that if eZ Platform is more secure, there should be fewer issues. But as our user base switches over to eZ Platform, both our attention and theirs are focused more on it than on Legacy, and so the number of issues found in Platform grows.
It's the same if you have two similar cities with similar crime rates, and then triple the police resources in one of them. You can expect them to discover more crime! The effect is visible in our yearly trends: since 2019, most discovered issues are in eZ Platform. But the total number of issues in eZ Platform in 2019 is lower than the average in Legacy from 2012-2018, and much lower than in the worst years.
Understanding of severity
As I go back in time, I see that the kind of issue we now report as high severity was in some cases reported as medium or low back then. I think this reflects our growing understanding of software security, in eZ Systems and elsewhere. Something that seems not so important can be critical once you understand the consequences better.
What to look out for
I have mentioned some types of vulnerabilities that have plummeted with eZ Platform. But have any threats increased? I find that OWASP Top Ten number nine, Using components with known vulnerabilities, is on the rise. It went from next to nothing in Legacy to 35% of issues in eZ Platform. This is also to be expected: as we do less reinventing of the wheel and use external components more, we will be more affected by issues in them. This is why we collaborate with Symfony on disclosure, use the Symfony security checker in our Composer install, and report our own issues to the Friends of PHP security advisories repository. Shared reporting keeps everyone safe!
Note that usually, the "components with known vulnerabilities" have only been known for a very short time, so it may not be entirely correct to use this label in all cases. Once the fix is released, these are easy to report and patch against. The lesson here is twofold: Use industry best practices to discover and report such issues; and consider if there may be components not covered by these best practices. Example: Underlying libraries, like libxml.
Beyond that, eZ Platform vulnerabilities seem varied, with no clear trend. We must keep a broad view on security in the future and avoid blind spots. It's clear to me that eZ Platform is more secure than Legacy, yet computer security professionals, unlike Superman, can never fly away saying "My work here is done". (But don't let that stop you from wearing your favorite cape and spandex suit!)
Security policy and responsible disclosure
In closing: We published an up-to-date eZ Systems security policy last year. You can find it here: https://ez.no/Software-information/Security-policy
Please also remember our guidelines for safely reporting security issues in eZ Systems' products: https://doc.ezplatform.com/en/master/guide/reporting_issues/
Have a great 2020 and stay safe, folks!