►
From YouTube: Hacker-Powered Data: The Most Common Security Weaknesses and How to Avoid Them - David Horvath
Description
Vulnerabilities are a fact of life. Regardless of how skilled a developer is or how mature an organizations' security posture, vulnerabilities will occur. In this session, HackerOne will present data on the most common critical vulnerabilities based on data from over 1,400 bug bounty and vulnerability disclosure programs. Attendees will discover common weaknesses that they won’t find on the OWASP top ten — such as Violation of Secure Design Principles, Information Disclosure, Denial of Service, Cryptographic Issues and more — and how attackers could exploit these prevalent vulnerabilities. Whether you run an active security program or if your security@ email address is routed to /dev/null, this session topic will arm attendees with insights into the most common security weaknesses to better defend against them — both in development ecosystems and post-launch.
A
Good
afternoon
my
name
is
David
Horvath
and
I'm,
a
product
manager
at
hacker.
One
today
I'm
very
excited
to
talk
to
you
about
hacker
powered
data,
specifically,
why
the
most
common
vulnerabilities
aren't
what
you
think
they
are
a
bit
about
myself.
I've
generally
worked
in
the
security
industry
for
a
bit
of
time,
I
worked
at
octa,
which
is
an
identity
and
access
management
space
for
four
years
and
I
was
the
first
product
manager
hired
on
a
hacker.
A
So
one
thing
that
I
strongly
believe
is
that
data
will
transform
security
operations,
even
though
it
seems
like
that
statement
might
be
often
overhyped
and
what
I
mean
by
this
is
not
that
we
necessarily
need
to
use
AI
and
machine
learning
for
everything
in
security,
but
data
can
really
help
us
in
certain
areas.
It
can
help
with
better
anomaly
detection.
A
Make
us
help
us
make
improvements
to
our
scanners
and
help
us
make
important
decisions
like
whether
to
patch
a
vulnerability
and
whether
or
not
to
and
today
I'm
going
to
talk
about
a
somewhat
ancient
technique
involving
data,
and
that
is
counting
counting
has
been
around
for
40,000
years
and
a
hacker
one.
We've
done
our
fair
share
of
counting
on
the
bug,
bounty
programs
that
run
on
our
platform-
and
we
think
that
the
day
that
we
have
is
interesting
or
can
be
interesting
to
everybody.
A
It
can
help
us
all
make
better
decisions
about
risk
trade-offs
before
I
get
into
those
details.
I'd
love
to
learn
a
little
bit
more
about
everybody
in
the
audience.
So
I'm
gonna
ask
a
couple
of
questions,
and
if
the
statement
applies
to
you,
please
raise
your
hands
first
question:
does
your
company
a
project
have
a
channel
for
vulnerabilities
to
be
reported
cool?
A
A
Okay,
we
got
a
few
cool
thanks
for
thanks
for
sharing,
so
it
seems,
like
most
of
you
are
familiar
with
bug
bounty
in
general,
and
some
of
you
have
probably
heard
of
hacker
one
before,
but
here's
a
brief
overview
for
anyone
that
doesn't
know
at
hacker
one.
We
work
with
a
community
of
over
500,000
ethical
hackers.
A
Security
teams
can
create
either
public
or
private
programs,
which
hackers
submit
real
vulnerabilities
to
and
most
of
those
programs
will
pay
out
a
bounty
to
reward
and
incentivize
the
hacking
on
the
platform
and
those
bounties
can
range
anywhere
from
$50
all
the
way
up
to
$100,000.
So
there's
quite
a
large
range
and
the
nodejs
community
actually
runs
two
programs
in
hacker
one.
This
is
the
program
for
third
party
modules
and
there's
another
program,
a
core
program
for
security
vulnerabilities
on
the
node
runtime.
A
So
over
time
we
found
that
companies
working
with
hackers
is
less
bleeding-edge
than
it
may
be
used
to
be,
as
you
can
see,
from
the
Google
search.
Autocomplete
results
for
the
phrase
should
hackers
be
2/3
of
the
responses
are
related
to
hackers
being
hired
by
companies
or
them
being
protected,
and
only
1/3
is
related
to
them
actually
being
punished
by
companies.
A
So
hacker
one
is
in
a
pretty
interesting
position.
We
have
lots
of
cool
data.
We
have
1700
programs
that
are
running
on
our
platform.
Those
programs
have
found
over
a
hundred
and
forty
thousand
valid
vulnerabilities
and
have
paid
over
seventy
five
million
dollars
in
bounties
to
hackers
over
the
last
seven
years
that
our
company
has
been
in
existence
and
I
think
this
is
one
of
the
most
comprehensive
data
sets
about
what
types
of
vulnerabilities
hackers
actually
find
and
when
hacker
finds
an
issue,
it
represents
real
risk.
A
This
is
something
that
a
criminal
hacker
could
find
and
actually
exploit.
Today
on
the
vulnerabilities,
we
also
have
some
interesting
metadata
like
what
is
the
skill
and
performance
level
of
the
particular
hacker
that
found
it.
What
severity
did
the
team
assess
it
with?
What
type
of
asset
was
it
on
and
what
type
of
industry
is
the
program
in
so
at
hacker?
One.
A
You
can
access
this
full
report
today
on
our
website,
but
I'm
going
to
go
through
a
lot
of
the
highlights
and
the
rest
of
my
talk.
So
here
is
the
hacker
one.
Top
ten
of
note
is
that
companies
pay
out
for
cross-site
scripting,
far
more
than
any
other
owner
type.
It
accounts
for
over
30
percent
or
about
30%
of
the
total
bounties
that
are
played
out
paid
out
platform
wide.
A
Some
companies
we
know,
are
not
as
interested
in
cross-site
scripting
because
it
doesn't
always
expose
user
data
and
mass,
like
other
vulnerability
types
do,
but
from
our
data
that
seems
like
it's
here
to
stay
at
the
top
of
the
pack.
The
second
most
common
is
improper
authentication,
followed
by
information
disclosure.
Then
we
have
privilege
escalation
and
then
sequel,
injection
and
code
injection.
The
next
one
is
number
at
number:
the
number
8
spot,
SS
RF.
We
think
that
that's
going
to
grow
in
the
coming
years
is
war.
A
Vulnerability
over
33%
of
the
time,
whereas
generic
cross-site
scripting
is
only
higher
critical
about
6
percent
of
the
time
and
accordingly,
the
bounties
paid
the
average
bombing
paid
to
those
is
pretty
different.
Stored
pays
out
481
dollars
on
average,
while
generic
only
pays
up
288
stored
is
harder
to
find,
which
means
it
only
accounts
for
a
smaller
portion
of
the
total
cross
site.
Scripting
phones
I
think
it's
about
like
18%
right
now.
So
why
does
this
comparison
between
the
different
types
of
XSS
matter?
I?
A
So,
in
a
world
where
security
teams
are
low
bandwidth
and
also
embrace
risk,
we
think
this
data
can
help
prioritize
whether
companies
need
to
patch
a
bone
or
they
can
leave
it
or
at
a
very
minimum.
What
needs
to
be
patched
immediately
and
what
might
be
able
to
wait
a
couple
of
days
so
an
another
interesting
thing
that
our
platform
tracks
are
hackers,
skills
and
performance
over
time.
This
is
Pete.
You
or
Sookie
he's
one
of
the
top
hackers
on
our
platform.
You
can
see.
He's
got
really
good
stats.
A
He's
a
93rd
percentile
signal
hacker,
which
means
he's
in
our
top
10%
and
I
was
interested
to
look
at
whether
there's
a
difference
and
the
types
of
vulnerabilities
that
are
top
hackers
like
Pete,
find
and
whether
there's
between
sort
of
less
skilled,
newer,
newer
hackers.
Is
there
a
difference,
and
the
answer
is
yes.
There
is,
there
are
some
differences,
so
this
shows
the
top
bounties
awarded
split
up
by
our
most
skilled
and
least
skilled
hackers.
A
You'll
notice
that,
for
both
of
these
groups,
cross-site
scripting
pays
out
more
bounties
than
any
other
vulnerability
type
I
thought
that
was
pretty
interesting.
I'm
surprising,
the
other
thing
to
note
here
is
that
our
most
skilled
hackers
tend
to
focus
on
pretty
specialized
in
difficult
to
find
vulnerabilities
like
SS
RF
code,
injection
and
or
bees
typically
pay
out
lot
higher
bounties,
but
are
more
difficult
to
find,
which
makes
a
lot
of
sense.
So.
A
So
I
also
looked
at
some
trends.
What
is
the
growth
or
decline
in
weakness
types
over
time
and
we
started
tracking
this
in
2017
before
that?
Our
data?
It
was
not
as
great
so
on
the
down
trend,
side,
our
vulnerability
types
like
violation
of
secure
design
and
CSRF,
but
probably
more
interestingly,
is
that
our
top
two
vulnerability
types
cross-site
scripting
and
information
disclosure.
Those
have
still
been
on
the
rise
the
last
couple
of
years,
but
the
highest
growth.
A
So
there
is
a
very
big
difference
between
an
editorial
list
of
the
most
popular
or
the
best
musical
artist
of
the
year
and
the
most
streamed
artist
on
Spotify,
for
example,
at
the
bottom
left,
you
have
Kendrick
Lamar
and
Kendrick
Lamar
received
eight
Grammy
nominations
in
2019,
more
than
any
other
artist,
but
he
was
nowhere
near
the
top
of
the
Spotify
streaming
charts
on
the
other
end
of
the
spectrum.
Ariana
grande
was
the
most
streamed
female
artist
in
2019
on
Spotify,
but
sadly
to
some
myself
included.
A
A
So
here's
a
comparison
between
our
two
lists.
You
will
see
a
lot
of
similarities.
One
major
difference
is
the
relative
position
of
cross-site
scripting,
so
at
the
top
of
our
list
kind
of
middle-of-the-pack
on
the
low
side,
so
I'm
going
to
dig
into
the
data
a
little
bit
on
our
end,
but
as
an
ethical
data
minded
product
manager,
I
wouldn't
be
doing
my
job
if
I
didn't
explain,
but
there
are
some
limitations
in
the
data
that
we
do
have.
A
The
other
assumption
that
we're
making
is
that
the
types
of
vulnerabilities
that
white
hat
hackers
find
are
the
same
or
similar
to
the
types
of
bones
that
black
hat
hackers
find.
We
think
that
this
is
probably
a
reasonable
assumption
to
make
but
wanted
to
call
it
out.
So,
with
those
two
caveats,
I'll
get
into
some
more
comparisons
of
the
data
between
our
list
and
the
wasp
top
10.
A
So
I
think
this
is
one
of
the
most
interesting
charts
in
the
deck
and
it
shows
the
market
share
for
vulnerabilities
found
or
the
discoverability
of
them
as
classified
by
the
wasp
top
10.
And
what
you
can
see
here
is
it
shows
that
of
all
of
our
bounties
ever
paid
out
on
the
platform.
The
top
10
has
a
coverage
rate
about
50%.
A
A
So
this
chart
is
the
same
idea,
but
instead
we're
looking
at
the
ship
market
share
of
bounties
paid,
not
just
vulnerabilities
found
on
the
platform,
and
here
you
can
see
that
the
OS
top-10
coverage
is
even
higher
and
it's
a
it's
add
about
thirty
percent.
For
the
record
personally
I
thought
this
was
surprisingly
high
coverage.
It
was
great,
but
again
70
percent
covered
means
30%
uncovered.
So
how?
A
How
great
really
is
that
a
couple
of
other
things
to
note
on
this
graph
that
are
interesting
are
even
though
cross-site
scripting
is
on
the
rise
overall,
its
market
share
of
bounties
paid
is
declining
over
time
and
compared
to
all
the
other
options,
and
then
you'll
see
a
little
green
blip
in
2018,
and
that
is
xx.
E
and
I
will
get
into
that
vulnerability
type
in
just
a
couple
minutes,
so
another
question
I
had
was
what
do?
A
Programs
pay
out
a
lot
for
that's
not
on
the
top
ten,
those
vulnerability
types
are
CSRF,
SS,
RF,
open,
redirect
and
hide,
or
and
conversely,
what
is
in
the
OS
top
ten
that
is
much
lower
down
on
our
list
and
that's
xxe
and
security.
Miss
configuration
so
I
wanted
to
understand
a
little
bit
more
about
the
disparity
specifically
with
xxe,
so
I
will
get
into
that
xx.
E
stands
for
external
entity
processing
and
it's
been
on
the
rise
over
the
last
couple
of
years.
It's
that
purple
line
at
the
very
bottom
of
the
graph.
A
It's
not
an
often
found
vulnerability,
but
when
it
is,
it's
almost
always
a
higher
critical
vulnerability
based
off
of
impact
and
it's
our
highest
paid
bounty
type
on
hacker
1
coming
out
to
1600
US
dollars.
A
pop,
a
hacker
has
to
have
a
lot
of
skill
to
find
an
x,
XZ
vuln.
Typically,
when
they
do,
they
can
find
it
a
number
of
places,
which
is
why
we
see
a
lot
of
our
top
most
skilled
hackers
specializing
in
this
type
of
vulnerability.
A
A
A
And
what
this
means
is
that
what
scanners
find
is
very
different,
that
when
hackers
find
human
criminals
use
hackers
or
use
scanners
to
so
we're
not
saying
that
they're
useless,
they
definitely
have
a
time
and
place,
but
like
more
generally,
what's
what's
the
point
of
sharing
all
this
information
about
the
data
we
have?
Why
does
it
matter
to
you
and
I
think
it
matters,
because
data
can
lead
to
better
conversations
with
development
teams.
A
We
were
on
a
survey
of
our
customers
every
year
and
90%
of
our
customers
said
one
of
the
most
important
thing
for
them
to
be
successful
is
for
them
to
have
better
a
better
relationship
with
their
development
teams.
We
find
that,
even
if
security
teams
know
what
to
patch,
they
can't
necessarily
always
get
the
buy-in
for
the
development
teams
to
work
on
it.
A
Typically,
the
security
development
team
conversations
go
something
like
this.
They
say:
hey,
you're,
gonna
patch,
this
now
it's
important
and
the
development
team
comes
back
with.
Well,
you
say
that
every
time
how
does
this
fit
in
with
our
current
priorities
and
what
we
really
want
to
do
with
the
day
that
we
have
is
to
enable
some
mutual
understanding
between
these
teams.
So
the
conversation
goes
something
more
like
this.
The
security
team
says
hey.
A
This
vulnerability
is
highly
exploitable
by
a
hacker
of
low
skill
and
when
exploited,
it's
often
critical
and
impactful,
and
the
development
team
says
something
like
hey.
I
understand,
we'll
fix
it
today.
So
we
hope
that,
with
this,
better
understanding
comes
ownership
and
with
ownership
comes
patching,
if
not
everywhere
at
least
words
most
needed
thanks
for
listening.
That's
all
I
had
I
have
a
couple
of
minutes
for
questions.
If
folks
happening.
A
A
Yeah
for
companies
that
use
our
our
product,
they
have
like
they
can
track,
or
even
you
like,
you
can
track
what
types
of
vulnerabilities
your
you're
receiving
or
like
most
common,
and
we
have
some
details
around
like
who
those
are
typically
found
by.
So
we
expose
some
of
that
in
the
product
to
customers
to
like
help
them
make
better
decisions.