Applications Riddled With Security Flaws: Veracode

Developers need to be trained to think about security while building applications, and security testing needs to be part of the development lifecycle, Veracode said in its semi-annual software security report.

More than 80 percent of approximately 10,000 applications examined in Veracode’s fourth State of Software Security report failed security testing on their first attempt, Veracode said. That left just 16 percent of applications receiving a passing security grade on the first attempt, compared with a 42 percent pass-rate on the first try in the previous report, released in April.

Tighter security requirements

The dramatic drop is most likely the result of “more stringent criteria” for passing the security test, as Veracode had instituted a “zero-tolerance policy” for cross-site scripting and SQL injection flaws. Considered to be the “low-hanging fruit” because they are fairly easy for attackers to exploit, these two types of vulnerabilities were among the top 25 Web vulnerabilities as identified by the SANS Institute earlier this year.

Malicious perpetrators can gain access to customer data and intellectual property via SQL injection and XSS attacks, as was amply demonstrated in various Web attacks this year.

“With the majority of recently reported breaches caused by attackers exploiting weaknesses in Web applications or desktop software, often taking advantage of common XSS or SQL Injection flaws, we decided it was time to become even more stringent to reflect the realities of the threat landscape and raise the bar on what should be deemed secure software,” said Chris Wysopal, founder, CISO and CTO of Veracode.

Veracode found that 68 percent of all Web applications tested had at least one XSS flaw and 32 percent had SQL injection holes.

The report also examined the security quality of government Web applications against other industries and found continued problems in government applications. Approximately 40 percent of these Websites contained SQL injection vulnerabilities the first time they were tested, compared with 29 percent for Websites for firms in the financial sector, and 30 percent for the software vertical, according to the report.

About 75 percent of the government Websites tested by Veracode had XSS flaws the first time they were tested, compared with 67 percent of finance sites containing at least one XSS flaw and 55 percent of software industry Websites.

Taking in Android

For the first time, Veracode also examined Android applications in its report because organisations have to think about mobile-security risks as more employees use personal devices to access corporate resources.

Mobile developers tend to make similar mistakes to enterprise developers, and they were sloppy when implementing encryption in the applications, Veracode found. More than 40 percent of Android applications that failed initial testing had at least one instance of cryptographic keys hard-coded into the application, Veracode found.

“The problem is, once these keys are compromised, any security mechanisms that depend on the secrecy of the keys are then rendered ineffective,” Veracode said.

Veracode also found that remote-code-execution vulnerabilities and bugs that open backdoors were “far more” prevalent in commercial software. Organisations buying commercial software should explicitly test for these issues beforehand, Veracode recommended.

Cloud accumulated

The applications included in the report were submitted to Veracode’s cloud-based application-security-testing platform over the past 18 months. The number of applications tested in Volume 4 was more than double the number tested in Volume 3, according to Veracode.

One of the goals of the report is to show how regular testing during development and time spent training developers can result in more secure code, Veracode said. Organisations can integrate security testing within the coding process to identify basic errors with “minimal impact” on development lifecycles.

More than 80 percent of applications that failed to initially pass Veracode’s security audit were resubmitted and passed with an acceptable grade within one week, the company reported.

Fahmida Y Rashid eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved.

Share
Published by
Fahmida Y Rashid eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved.

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago