iTnews

57% of apps contain flaws

By Dan Raywood on Sep 24, 2010 12:46PM

Veracode report finds widespread vulnerabilities.

An analysis of more than 2,900 applications has found that 57 per cent contain security vulnerabilities.

The State of Software Security Report from Veracode found only a one per cent improvement since its last report in March, and that 80 per cent of web applications would not pass a PCI DSS audit.

The report also found that third-party suppliers failed to achieve acceptable security standards 81 per cent of the time, and that 56 per cent of finance-related applications failed on their first submission to Veracode's testing service. The security quality of applications from the banking, insurance and financial services industries was also not commensurate with the requirements expected of business-critical applications, although financial services performed better than banking and insurance overall.

A major problem lies with cross-site scripting, which accounts for 51 per cent of all vulnerabilities uncovered in the testing process. .NET applications exhibited an abnormally high rate of cross-site scripting vulnerabilities, and potential backdoors entered the top ten most common vulnerability categories.

Veracode said that the findings are based on analysis of internally developed, open source, outsourced and commercial applications that have been submitted to Veracode for testing using its cloud-based platform over the past 18 months.

Matt Peachey, vice president of EMEA at Veracode, told SC Magazine that the data had been collected from its customers and the report was based on trends from the industry. He said: “We are now looking at around 3,000 applications and this shows that more people are aware of the issue. The first scan showed a 58 per cent fail, but with a bigger data set it only improved by one per cent, which is still just as bad.

“We have seen an increase in non-web applications. People are really vulnerable in terms of the web, but the back end is just as vulnerable.”

Asked about the cause of security vulnerabilities in these applications, Peachey commented that they are often produced to tight deadlines with a requirement for high performance, hence the flawed code.

“Security gets in the way of doing the job. Websites have new sites and brands introduced and you will not see it at the security level,” he said.

On a positive note, the report did find that security flaws are being repaired faster than before, which Veracode attributes to greater developer education and training, more mature tools, and increasing enterprise pressure. Veracode found that the time organisations took to repair flaws to an acceptable level of security fell from between 36 and 82 days to 16 days on average.

Peachey said: “A solution is about being smarter and doing things optimally and through a production lifecycle of an application.”

Tyler Shields, senior researcher for the Veracode Research Lab, said there is a need to validate and then enable, and that it is a matter of education, as not all developers have the answers; customers do not buy security, they buy features.

See original article on scmagazineus.com

Copyright © SC Magazine, US edition