Developers have botched encryption in seven out of eight Android apps and 80 percent of iOS apps, according to Veracode’s State of Software Security report.
PHP—and less popular Web development languages ColdFusion and Classic ASP—are the riskiest programming languages for the Web, while Java and .NET are safest, according to the Veracode report.
The report, which summarizes the results of application security tests conducted by the company, found that four encryption issues undermined the data protection of more than 87 percent of Android applications—and 80 percent of iOS applications.
On the Web side, SQL injection vulnerabilities affected 64 percent of applications written in Microsoft’s legacy Active Service Pages—known as Classic ASP, 62 percent of ColdFusion apps and 56 percent of PHP applications.
Microsoft’s .NET and Oracle’s Java, meanwhile, were far less likely to have a SQL injection vulnerability, with the firm finding 29 percent and 21 percent of applications, respectively, having at least one such vulnerability.
SQL injection vulnerabilities, which allow an attacker to directly interact with a Web site’s database, have been blamed for the breaches at toymaker Vtech and telecommunications firm TalkTalk.
“It is a persistent weakness in the Internet that is not going away,” Wysopal said.
While software security and vulnerabilities have garnered a great deal of attention as major breaches and compromises of critical infrastructure become more common, the overall picture has not significantly changed. Many companies’ security programs have become more mature, but a large number of smaller software startups have cropped up, with novice programmers in many cases, Wysopal said.
“For every company that is tackling application security there are a bunch of new startups that are not,” he said.
Mobile application development is case and point. Four encryption flaws affect the vast majority of apps developed for Android and iOS phones, according to Veracode’s report. Two-thirds of applications use insufficient entropy to keep data secure—a problem that requires a single line of code to fix, Wysopal said. The other top issues include failing to properly validate certificates, clear text storage of information, and the use of broken or weak cryptographic algorithms.
“These things are easy to fix, but they are so pervasive it goes to show that the mobile developers are really ignorant about how to write good crypto code,” he said.
Many companies may be at an ideal turning point to instill in their developers a greater focus on security. Because many companies are transitioning to agile development methods with a focus on making code that can be quickly modified and updated, they can simultaneously train the developers to write more secure code, the company stated in the report.
Training and online learning appear to have a strong correlation with better code, Wysopal said. Whether the training actually works, or companies that train their developers in security have a better overall focus in security, is unknown.
“One of the theories we have is, if you are spending on training, you are likely taking application security more seriously,” he said. “It is either one or the other, or it could be both. Your developers may be more educated or the company as a whole focuses its efforts on risk reduction and not just check-box compliance.”
