More than half of Web applications have some kind of serious security flaw after development, according to a research report which suggests that software developers need to improve their security coding skills.
About 58 percent of Web applications generally fail a security audit the first time around, according to Veracode’s State of Software Security report, released April 19. Veracode analysed 4,835 applications that were submitted to its cloud-based application testing service for a security audit over a space of 18 months.
Of the applications from the software companies, 72 percent of security products, and 82 percent of customer-focused applications submitted to Veracode were deemed unacceptable, security-wise.
Security vendors tasked with protecting enterprises are often the most at risk due to the poor quality of their very own software applications, Veracode found.
“Software remains fundamentally flawed”, and no industry sector is immune to application security risk, the report found. However, the finance industry generally produced the cleanest code, according to the report.
The good news is that developers are learning from their mistakes quickly. More than 90 percent of the software that failed the audit the first time addressed the issues and passed a subsequent test within one month. Security products were fixed even faster, becoming “acceptable” in just three days.
The report has a slight reporting bias as the organisations voluntarily submitted their applications to the testing service. However, the findings highlight how widespread application insecurity has become if more than half of the applications from companies in the security software business fail the audit. The Verizon Data Breach Investigation Report, released the same day, found that Web application attacks accounted for 22 percent of all attacks that resulted in a data breach, and were the source of 38 percent of leaked records.
Nearly 80 percent of all submitted Web applications failed to mitigate the top 10 most dangerous vulnerabilities as defined by the Open Web Application Security Project (OWASP). The list includes SQL injection, cross-site scripting, security misconfiguration, insecure storage and broken authentication management, among other risks.
While SQL injection vulnerabilities were less common, cross-site scripting issues remained a big problem, accounting for over 53 percent of the vulnerabilities found by Veracode. SQL injection vulnerabilities have decreased by 2.4 per quarter, according to the report. However, that does not mean SQL injection or cross-site scripting attacks themselves have declined, as an attacker can exploit the same vulnerability multiple times across multiple sites.
Developers are under pressure to launch applications faster so code integrity is sometimes sacrificed, Veracode said in its report. Very few companies have a thorough secure development life cycle to regularly check for security flaws. As application code gets shared and reused, the same security holes are repeated throughout the application.
Training is also another area of concern. More than 50 percent of developers received a grade of C or lower on the application security fundamentals exam administered by Veracode as part of the study. More than 30 percent scored a D or lower.
Researchers suggested that a secure development programme be instituted to review code. Employees also need to be trained to improve their secure coding skills, since computer security training is not generally included in professional development opportunities in most companies, according to the report.
Veracode’s report focuses on analysing the applications prior to a breach to identify potential weaknesses as opposed to performing a “post mortem” analysis on reported breaches and disclosed vulnerabilities, according to a company spokesperson. Combining data from reports like Verizon’s and Veracode’s provide a more complete view of application risk.
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…