Application Security

6/23/2015
12:00 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
100%
0%

Government, Healthcare Particularly Lackluster In Application Security

Veracode's State of Software Security Report lays out industry-specific software security metrics.

Healthcare organizations and government agencies still continue to struggle with application security, leaving as much as 73 percent of their identified vulnerabilities unremediated in some instances, according to a new study.

The silver lining is that across industries, the work of reducing risk in software is accelerating and many organizations are making headway in fixing their software flaws, according to the new State of Software Security Report released by Veracode today. 

"It may be tempting in the face of repeated breaches--OPM, Target and Sony--to throw up one’s hands, not to bother building secure applications, and to give up on fixing vulnerabilities in the applications you’ve already deployed," says Chris Wysopal, CTO and CISO of Veracode, in the report. "The data in this report clearly shows that, by addressing the problem systematically and at scale, enterprises can significantly reduce application risk."

In the wake of the OPM breach, it probably won't come as a surprise to many that government organizations fare the worst in many key metrics of application security. For example, only 24 percent of government applications pass OWASP Top 10 compliance upon their first assessment, a rate that's half as effective as the financial services industry. And only 27 percent of government flaws identified in an initial assessment are fixed in subsequent assessments, compared to 81 percent for manufacturing and 65 percent for financial services.

Healthcare also fared poorly in several key areas. For example, only 43 percent of known vulnerabilities are remediated by healthcare organizations. And most troubling, 80 percent of healthcare applictiaions exhibit cryptographic issues such as weak algorithms. This is concerning given the sensitivity of health data and the push toward electronic health records.

Meanwhile, across all industries, Veracode found applications were suffering from software supply chain issues. It found that three-quarters of applications produced by third-party software vendors fail the OWASP Top 10 at initial assessment. That jibes with a study done last week by Sonatype conducted among 106,000 organizations, finding that many of the third-party and open source components that organizations lean on in the development process are not tracked and are embedded into enterprise software with known vulnerabilities. Approximately 59 percent of known vulnerabilities on these dependencies remain unfixed, according to Sonatype.

The positive news is that according to Veracode, headway is being made on application security issues, albeit gradually. The rate at which found vulnerabilities are fixed has increased by 10 percentage points across all industries since 2006, from 60 percent at that time to 70 percent now. 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Traffic IQ
50%
50%
Traffic IQ,
User Rank: Apprentice
6/24/2015 | 1:35:07 PM
Vulnerabilities vs Exploits
I would suggest that vulnerabilities need patch management and exploits need pen testing.
If something is vulnerable then you need to change it, trying to guess what the exploit will look like is often impossible or it just cannot be done from an external attack. 
I would rather defend against an attack that is out there in the wild than something I might be vulnerable. I want to know does my IDS recognise real attacks and not spend my time guessing what an attack might look like. So, I defed against  knives and guns but the Martian ray gun, not until one exists.

RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
6/24/2015 | 8:11:00 AM
Unfortunately True
I can attest to these statements seeing it first hand in a previous line of work. Unfortunately, Zero days were the only vulnerabilities that were on the radar and unfortunately they were only a blip. I think in the wake of such large breaches we need to understand that handling application security is iterative, as is vulnerability management as a whole. Focusing on vulnerabilities in a traditional methodology is incredibly cumbersome. An agile mindset is a much better way of handling these.
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-18913
PUBLISHED: 2019-03-21
Opera before 57.0.3098.106 is vulnerable to a DLL Search Order hijacking attack where an attacker can send a ZIP archive composed of an HTML page along with a malicious DLL to the target. Once the document is opened, it may allow the attacker to take full control of the system from any location with...
CVE-2018-20031
PUBLISHED: 2019-03-21
A Denial of Service vulnerability related to preemptive item deletion in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor ...
CVE-2018-20032
PUBLISHED: 2019-03-21
A Denial of Service vulnerability related to message decoding in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor daemon t...
CVE-2018-20034
PUBLISHED: 2019-03-21
A Denial of Service vulnerability related to adding an item to a list in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor ...
CVE-2019-3855
PUBLISHED: 2019-03-21
An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.