Close
  • Latest News
  • Artificial Intelligence
  • Video
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Subscribe
Logo
  • Latest News
  • Artificial Intelligence
  • Video
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Subscribe
    Home Cloud
    • Cloud
    • Cybersecurity
    • Development

    More Than Half of Web Apps Fail Security Audit Prior to Deployment

    Written by

    Fahmida Y. Rashid
    Published April 21, 2011
    Share
    Facebook
    Twitter
    Linkedin

      eWEEK content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

      More than half of Web applications have some kind of serious security flaw after development, according to a research report, suggesting that software developers need to improve their security coding skills.

      About 58 percent of Web applications generally fail a security audit the first time around, according to Veracode’s State of Software Security report, released April 19. Veracode analyzed 4,835 applications that were submitted to its cloud-based application testing service for a security audit over a space of 18 months.

      Even more worrying, 66 percent of applications developed by the software industry, as opposed to other sectors, were initially found to have an unacceptable level of security quality. Software organizations are turning out more insecure applications than other companies, the study found. Of the applications from the software companies, 72 percent of security products and 82 percent of customer-focused applications submitted to Veracode were deemed unacceptable, securitywise.

      Security vendors tasked with protecting enterprises are often the most at risk due to the poor quality of their very own software applications, Veracode found.

      “Software remains fundamentally flawed,” and no industry sector is immune to application security risk, the report found. However, the finance industry generally produced the cleanest code, according to the report.

      The good news is that developers are learning from their mistakes quickly. More than 90 percent of the software that failed the audit the first time addressed the issues and passed a subsequent test within one month. Security products were fixed even faster, becoming “acceptable” in just three days.

      The report has a slight reporting bias as the organizations voluntarily submitted their applications to the testing service. However, the findings highlight how widespread application insecurity has become if more than half of the applications from companies in the security software business fail the audit. The Verizon Data Breach Investigation Report, released the same day, found that Web application attacks accounted for 22 percent of all attacks that resulted in a data breach, and were the source of 38 percent of leaked records.

      Nearly 80 percent of all submitted Web applications failed to mitigate the top 10 most dangerous vulnerabilities as defined by the Open Web Application Security Project. The OWASP list includes SQL injection, cross-site scripting, security misconfiguration, insecure storage and broken authentication management, among other risks.

      While SQL injection vulnerabilities were less common, cross-site scripting issues remained a big problem, accounting for over 53 percent of the vulnerabilities found by Veracode. SQL injection vulnerabilities have decreased by 2.4 per quarter, according to the report. However, that doesn’t mean SQL injection or cross-site scripting attacks themselves have declined, as an attacker can exploit the same vulnerability multiple times across multiple sites.

      Developers are under pressure to launch applications faster, so code integrity is sometimes sacrificed, Veracode said in its report. Very few companies have a thorough secure development life cycle to regularly check for security flaws. As application code gets shared and reused, the same security holes are repeated throughout the application.

      Training is also another area of concern. More than 50 percent of developers received a grade of C or lower on the application security fundamentals exam administered by Veracode as part of the study. More than 30 percent scored a D or lower.

      Researchers suggested that a secure development program be instituted to review code. Employees also need to be trained to improve their secure coding skills, since computer security training is not generally included in professional development opportunities in most companies, according to the report.

      Veracode’s report focuses on analyzing the applications prior to a breach to identify potential weaknesses as opposed to performing a “post mortem” analysis on reported breaches and disclosed vulnerabilities, according to a company spokesperson. Combining data from reports like Verizon’s and Veracode’s provides a more complete view of application risk.

      Fahmida Y. Rashid
      Fahmida Y. Rashid

      Get the Free Newsletter!

      Subscribe to Daily Tech Insider for top news, trends & analysis

      Get the Free Newsletter!

      Subscribe to Daily Tech Insider for top news, trends & analysis

      MOST POPULAR ARTICLES

      Artificial Intelligence

      9 Best AI 3D Generators You Need...

      Sam Rinko - June 25, 2024 0
      AI 3D Generators are powerful tools for many different industries. Discover the best AI 3D Generators, and learn which is best for your specific use case.
      Read more
      Cloud

      RingCentral Expands Its Collaboration Platform

      Zeus Kerravala - November 22, 2023 0
      RingCentral adds AI-enabled contact center and hybrid event products to its suite of collaboration services.
      Read more
      Artificial Intelligence

      8 Best AI Data Analytics Software &...

      Aminu Abdullahi - January 18, 2024 0
      Learn the top AI data analytics software to use. Compare AI data analytics solutions & features to make the best choice for your business.
      Read more
      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Video

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2024 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.