57% of apps contain flaws

An analysis of more than 2,900 applications has found that 57 per cent contain security vulnerabilities.

The State of Software Security Report from Veracode found that there was only a one per cent improvement from its last report in March, although 80 per cent of web applications would not pass a PCI DSS audit.

The report also found that third-party suppliers failed to achieve acceptable security standards 81 per cent of the time, and that 56 per cent of finance-related applications failed upon the first submission to Veracode's testing service. Applications from banking, insurance and financial services industries is also not commensurate with the security requirements expected for business critical applications, although the financial services industry performed better than banking and insurance overall.

A major problem lies with cross-site scripting, which accounts for 51 per cent of all vulnerabilities uncovered in the testing process. Also, .NET applications exhibited abnormally high cross-site scripting vulnerabilities, while potential backdoors entered the top ten most common vulnerabilities.

Veracode said that the findings are based on analysis of internally developed, open source, outsourced and commercial applications that have been submitted to Veracode for testing using its cloud-based platform over the past 18 months.

Matt Peachey, vice president of EMEA at Veracode, told SC Magazine that the data had been collected from its customers and the report was based on trends from the industry. He said: “We are now looking at around 3,000 applications and this shows that more people are aware of the issue, but based on the first scan which showed a 58 per cent fail, but with a bigger data set it only improved by one per cent which is still just as bad.

“We have seen an increase in non-web applications. People are really vulnerable in terms of the web, but the back end is just as vulnerable.”

Asked about the cause of security vulnerabilities in these applications, Peachey commented that often they are produced to tight deadlines but with a requirement for high performance, hence the flawed code.

“Security gets in the way of doing the job. Websites have new sites and brands introduced and you will not see it at the security level,” he said.

On a positive note, the report did find that security flaws are being repaired quicker than ever before, which indicates the positive impact of greater developer education and training, more mature tools, and increasing enterprise pressure. Veracode found that the time it took organisations to repair flaws to achieve acceptable levels of security decreased from between 36-82 days, to 16 days on average.

Peachey said: “A solution is about being smarter and doing things optimally and through a production lifecycle of an application.”

Tyler Shields, senior researcher for the Veracode Research Lab, said there is a need to validate and then enable, and it is a matter of educating as not all developers have the answers and customers do not buy security, they buy features.

See original article on scmagazineus.com