A majority of Web applications are not being developed with security in mind, and security vendors are some of the big offenders.
than half of Web applications have some kind of serious security flaw after
development, according to a research report, suggesting that software
developers need to improve their security coding skills.
58 percent of Web applications generally fail a security audit the first time
around, according to Veracode's State
of Software Security report
, released April 19. Veracode analyzed
4,835 applications that were submitted to its cloud-based application testing
service for a security audit over a space of 18 months.
more worrying, 66 percent of applications developed by the software industry,
as opposed to other sectors, were initially found to have an unacceptable level
of security quality. Software organizations are turning out more insecure
applications than other companies, the study found. Of the applications from
the software companies, 72 percent of security products and 82 percent of
customer-focused applications submitted to Veracode were deemed unacceptable,
vendors tasked with protecting enterprises are often the most at risk due to
the poor quality of their very own software applications, Veracode found.
remains fundamentally flawed," and no industry sector is immune to application
security risk, the report found. However, the finance industry generally
produced the cleanest code, according to the report.
good news is that developers are learning from their mistakes quickly. More
than 90 percent of the software that failed the audit the first time addressed
the issues and passed a subsequent test within one month. Security products
were fixed even faster, becoming "acceptable" in just three days.
report has a slight reporting bias as the organizations voluntarily submitted
their applications to the testing service. However, the findings highlight how
widespread application insecurity has become if more than half of the
applications from companies in the security software business fail the audit. The
Verizon Data Breach Investigation Report
, released the same day, found that
Web application attacks accounted for 22 percent of all attacks that resulted
in a data breach, and were the source of 38 percent of leaked records.
80 percent of all submitted Web applications failed to mitigate the top 10 most
dangerous vulnerabilities as defined by the Open Web
Application Security Project
. The OWASP list includes SQL injection,
cross-site scripting, security misconfiguration, insecure storage and broken
authentication management, among other risks.
were less common, cross-site
remained a big problem, accounting for over 53 percent of
the vulnerabilities found by Veracode. SQL injection vulnerabilities have
decreased by 2.4 per quarter, according to the report. However, that doesn't
mean SQL injection or cross-site scripting attacks themselves have declined, as
an attacker can exploit the same vulnerability multiple times across multiple
are under pressure to launch applications faster, so code integrity is sometimes
sacrificed, Veracode said in its report. Very few companies have a thorough
secure development life cycle to regularly check for security flaws. As
application code gets shared and reused, the same security holes are repeated
throughout the application.
is also another area of concern. More than 50 percent of developers received a
grade of C or lower on the application security fundamentals exam administered
by Veracode as part of the study. More than 30 percent scored a D or lower.
suggested that a secure development program be instituted to review code.
Employees also need to be trained to improve their secure coding skills, since
computer security training is not generally included in professional
development opportunities in most companies, according to the report.
report focuses on analyzing the applications prior to a breach to identify
potential weaknesses as opposed to performing a "post mortem" analysis on
reported breaches and disclosed vulnerabilities, according to a company
spokesperson. Combining data from reports like Verizon's and Veracode's provides
a more complete view of application risk.