The majority of the applications scanned by Veracode's cloud-based software testing tool had some kind of security flaw, such as SQL injection or cross-site scripting.
Developers need to be trained to think about security while building applications, and security testing needs to be part of the development lifecycle, Veracode said in its semi-annual software security report.
More than 80 percent of approximately 10,000 applications examined in Veracode's fourth "State of Software Security" report failed security testing on their first attempt, Veracode said Dec. 7. Just 16 percent of applications received a passing security grade on the first attempt, compared with the 42 percent that passed on the first try in the previous report, released in April.
The dramatic drop is most likely the result of "more stringent criteria" for passing the security test, as Veracode had instituted a "zero-tolerance policy" for cross-site scripting and SQL injection flaws. Considered to be the "low-hanging fruit" because they are fairly easy for attackers to exploit, these two types of vulnerabilities were among the top 25 Web vulnerabilities identified by the SANS Institute earlier this year. Malicious perpetrators can gain access to customer data and intellectual property via SQL injection and XSS attacks, as was amply demonstrated in various Web attacks this year.
"With the majority of recently reported breaches caused by attackers exploiting weaknesses in Web applications or desktop software, often taking advantage of common XSS or SQL Injection flaws, we decided it was time to become even more stringent to reflect the realities of the threat landscape and raise the bar on what should be deemed secure software," said Chris Wysopal, founder, CISO and CTO of Veracode.
Veracode found that 68 percent of all Web applications tested had at least one XSS flaw and 32 percent had SQL injection holes.
The report also compared the security quality of government Web applications against other industries and found continued problems in government applications. Approximately 40 percent of government Websites contained SQL injection vulnerabilities the first time they were tested, compared with 29 percent of Websites for firms in the financial sector and 30 percent for the software vertical, according to the report. About 75 percent of the government Websites tested by Veracode had XSS flaws the first time they were tested, compared with 67 percent of finance sites containing at least one XSS flaw and 55 percent of software industry Websites.
For the first time, Veracode also examined Android applications in its report, because organizations have to think about mobile-security risks as more employees use personal devices to access corporate resources. Mobile developers tend to make similar mistakes to enterprise developers, and they were sloppy when implementing encryption in the applications, Veracode found. More than 40 percent of Android applications that failed initial testing had at least one instance of cryptographic keys hard-coded into the application, Veracode found.
"The problem is, once these keys are compromised, any security mechanisms that depend on the secrecy of the keys are then rendered ineffective," Veracode said.
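To make the hard-coded key finding concrete, here is an added Python example (not from Veracode or the report) with two halves: a small scanner that flags string literals assigned to key-, secret-, password- or token-like names, the kind of check a team can run in review before an application is ever submitted for testing, and a loader that reads the key from the environment and refuses to start without one. The source snippets, the environment variable name `APP_AES_KEY` and the literal values are all constructed for the example.

```python
import os
import re

# Constructed source snippets; the "key" values are placeholders, not real credentials.
BAD_SOURCE = '''
API_KEY = "EXAMPLE_PLACEHOLDER_NOT_A_REAL_KEY"
aes_key = b"0123456789abcdef"
timeout = 30
'''

GOOD_SOURCE = '''
API_KEY = os.environ["APP_API_KEY"]
timeout = 30
'''

# Matches an assignment of a quoted literal of 8+ characters to a name that
# contains key/secret/password/token (case-insensitive). Deliberately simple;
# a real scanner would also look at config files and entropy of the value.
SECRET_ASSIGNMENT = re.compile(
    r'^\s*(\w*(?:key|secret|password|token)\w*)\s*=\s*[bB]?["\']([^"\']{8,})["\']',
    re.IGNORECASE,
)


def find_hardcoded_secrets(source):
    """Return (line_number, variable_name) for each suspicious literal assignment."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        match = SECRET_ASSIGNMENT.match(line)
        if match:
            findings.append((lineno, match.group(1)))
    return findings


def load_key(env_var="APP_AES_KEY", env=None):
    """Load a hex-encoded symmetric key from the environment, failing closed.

    env_var is a hypothetical name chosen for this example; env defaults to
    os.environ and is a parameter only so the function can be tested offline.
    """
    env = os.environ if env is None else env
    value = env.get(env_var)
    if value is None:
        raise RuntimeError(f"{env_var} is not set; refusing to start without a key")
    key = bytes.fromhex(value)
    if len(key) not in (16, 24, 32):
        raise ValueError("key must be 128, 192 or 256 bits")
    return key


if __name__ == "__main__":
    print("flagged in BAD_SOURCE: ", find_hardcoded_secrets(BAD_SOURCE))
    print("flagged in GOOD_SOURCE:", find_hardcoded_secrets(GOOD_SOURCE))
    demo_env = {"APP_AES_KEY": "00" * 16}  # constructed 128-bit all-zero demo key
    print("loaded key length:", len(load_key(env=demo_env)))
```

The scanner is a review aid rather than a proof of absence: it catches the literal-in-source pattern the report describes, but keys can also hide in resource files, build scripts or obfuscated strings, so it complements rather than replaces the platform testing the article discusses.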
Veracode also found that remote-code-execution vulnerabilities and bugs that open backdoors were "far more" prevalent in commercial software. Organizations buying commercial software should explicitly test for these issues beforehand, Veracode recommended.
The applications included in the report were submitted to Veracode's cloud-based application-security-testing platform over the past 18 months. The number of applications tested in Volume 4 was more than double the number tested in Volume 3, according to Veracode.
One of the goals of the report is to show how regular testing during development and time spent training developers can result in more secure code, Veracode said. Organizations can integrate security testing within the coding process to identify basic errors with "minimal impact" on development lifecycles. More than 80 percent of applications that failed to pass Veracode's security audit initially were resubmitted and passed with an acceptable grade within one week, according to Veracode.