More Than Half of Web Apps Fail Security Audit Prior to Deployment

More than half of Web applications have some kind of serious security flaw after development, according to a research report, suggesting that software developers need to improve their security coding skills.

About 58 percent of Web applications generally fail a security audit the first time around, according to Veracode's State of Software Security report, released April 19. Veracode analyzed 4,835 applications that were submitted to its cloud-based application testing service for a security audit over a space of 18 months.

Even more worrying, 66 percent of applications developed by the software industry, as opposed to other sectors, were initially found to have an unacceptable level of security quality. Software organizations are turning out more insecure applications than other companies, the study found. Of the applications from the software companies, 72 percent of security products and 82 percent of customer-focused applications submitted to Veracode were deemed unacceptable, securitywise.

Security vendors tasked with protecting enterprises are often the most at risk due to the poor quality of their very own software applications, Veracode found.

"Software remains fundamentally flawed," and no industry sector is immune to application security risk, the report found. However, the finance industry generally produced the cleanest code, according to the report.

The good news is that developers are learning from their mistakes quickly. More than 90 percent of the software that failed the audit the first time addressed the issues and passed a subsequent test within one month. Security products were fixed even faster, becoming "acceptable" in just three days.

The report has a slight reporting bias as the organizations voluntarily submitted their applications to the testing service. However, the findings highlight how widespread application insecurity has become if more than half of the applications from companies in the security software business fail the audit. The Verizon Data Breach Investigation Report, released the same day, found that Web application attacks accounted for 22 percent of all attacks that resulted in a data breach, and were the source of 38 percent of leaked records.

Nearly 80 percent of all submitted Web applications failed to mitigate the top 10 most dangerous vulnerabilities as defined by the Open Web Application Security Project. The OWASP list includes SQL injection, cross-site scripting, security misconfiguration, insecure storage and broken authentication management, among other risks.

While SQL injection vulnerabilities were less common, cross-site scripting issues remained a big problem, accounting for over 53 percent of the vulnerabilities found by Veracode. SQL injection vulnerabilities have decreased by 2.4 per quarter, according to the report. However, that doesn't mean SQL injection or cross-site scripting attacks themselves have declined, as an attacker can exploit the same vulnerability multiple times across multiple sites.

Developers are under pressure to launch applications faster, so code integrity is sometimes sacrificed, Veracode said in its report. Very few companies have a thorough secure development life cycle to regularly check for security flaws. As application code gets shared and reused, the same security holes are repeated throughout the application.

Training is also another area of concern. More than 50 percent of developers received a grade of C or lower on the application security fundamentals exam administered by Veracode as part of the study. More than 30 percent scored a D or lower.

Researchers suggested that a secure development program be instituted to review code. Employees also need to be trained to improve their secure coding skills, since computer security training is not generally included in professional development opportunities in most companies, according to the report.

Veracode's report focuses on analyzing the applications prior to a breach to identify potential weaknesses as opposed to performing a "post mortem" analysis on reported breaches and disclosed vulnerabilities, according to a company spokesperson. Combining data from reports like Verizon's and Veracode's provides a more complete view of application risk.