Public sector orgs flunk OWASP Top 10

Powered by SC Magazine
 

Research finds 84 per cent of web apps deemed unacceptable against security benchmarks.

Security software used in public companies has as many application flaws as that used in other large enterprises, research found.

According to a 'State of Software Security Report' from Veracode, released this week, 84 per cent of web applications from public companies were deemed unacceptable when measured against the OWASP Top 10.

The research polled data from 126 public companies over the past 18 months from applications that were submitted to Veracode's cloud-based application security testing platform.

It found that backend operational systems and desktop commercial applications had a 63 per cent failure rate when measured against the CWE/SANS Top 25.

Only 16 per cent of public company web applications passed initial testing, compared with 14 per cent for all others,  despite that they generally have greater compliance requirements and usually more funding.

The performance for non-web applications is worse for public companies, with 38 per cent meeting the CWE/SANS industry standard, compared with 42 per cent for all companies.

“Companies can put all of the other cyber security controls in place, but if there are application weaknesses, hackers have the will and time to find and exploit them," Veracode founder Chris Wysopal said.

“The issue simply can not be neglected any more. Over the past year some of the most prominent breaches that were carried out against the most pre-eminent names in business took advantage of weaknesses in software applications to infiltrate traditional perimeter defence security controls.

"This should be a wake-up call. Particularly in public company disclosures, the issue needs to be discussed in much more detail.”

The report also found that only one in five public companies has performed a formal verification on a third-party application.

Veracode EMEA vice-president Matt Peachey said due diligence did not necessarily filter down to improving applications.

“The overall treatment of risk is very poor; we know it is very common stuff, but it is still not there. The time to remediate is less than people think, they are obliged to report it but fixing it is believed to be by hand. The average time to do this is in days, but that is nothing in the software development lifecycle.”

The two most frequently exploited vulnerability types – XSS and SQL injections – showed a statistically flat incidence rate from the first quarter of 2010 to the fourth quarter of 2011, suggesting that new vulnerabilities are being introduced at the same rate as known vulnerabilities are being remediated.

This article originally appeared at scmagazineuk.com

Copyright © SC Magazine, UK edition


Public sector orgs flunk OWASP Top 10
 
 
 
Top Stories
Meet FABACUS, Westpac's first computer
GE225 operators celebrate gold anniversary.
 
NSW Govt gets ready to throw out the floppy disks
[Opinion] Dominic Perrottet says its time for government to catch up.
 
iiNet facing new copyright battle with Hollywood
Fighting to protect customer details.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
In which area is your IT shop hiring the most staff?




   |   View results
IT security and risk
  26%
 
Sourcing and strategy
  12%
 
IT infrastructure (servers, storage, networking)
  21%
 
End user computing (desktops, mobiles, apps)
  15%
 
Software development
  26%
TOTAL VOTES: 341

Vote
Would your InfoSec team be prepared to share threat data with the Australian Government?

   |   View results
Yes
  58%
 
No
  42%
TOTAL VOTES: 143

Vote