Government, Healthcare Particularly Lackluster In Application Security
Healthcare organizations and government agencies still continue to struggle with application security, leaving as much as 73 percent of their identified vulnerabilities unremediated in some instances, according to a new study.
The silver lining is that across industries, the work of reducing risk in software is accelerating and many organizations are making headway in fixing their software flaws, according to the new State of Software Security Report released by Veracode today.
"It may be tempting in the face of repeated breaches--OPM, Target and Sony--to throw up one’s hands, not to bother building secure applications, and to give up on fixing vulnerabilities in the applications you’ve already deployed," says Chris Wysopal, CTO and CISO of Veracode, in the report. "The data in this report clearly shows that, by addressing the problem systematically and at scale, enterprises can significantly reduce application risk."
In the wake of the OPM breach, it probably won't come as a surprise to many that government organizations fare the worst in many key metrics of application security. For example, only 24 percent of government applications pass OWASP Top 10 compliance upon their first assessment, a rate that's half as effective as the financial services industry. And only 27 percent of government flaws identified in an initial assessment are fixed in subsequent assessments, compared to 81 percent for manufacturing and 65 percent for financial services.
Healthcare also fared poorly in several key areas. For example, only 43 percent of known vulnerabilities are remediated by healthcare organizations. And most troubling, 80 percent of healthcare applictiaions exhibit cryptographic issues such as weak algorithms. This is concerning given the sensitivity of health data and the push toward electronic health records.
Meanwhile, across all industries, Veracode found applications were suffering from software supply chain issues. It found that three-quarters of applications produced by third-party software vendors fail the OWASP Top 10 at initial assessment. That jibes with a study done last week by Sonatype conducted among 106,000 organizations, finding that many of the third-party and open source components that organizations lean on in the development process are not tracked and are embedded into enterprise software with known vulnerabilities. Approximately 59 percent of known vulnerabilities on these dependencies remain unfixed, according to Sonatype.
The positive news is that according to Veracode, headway is being made on application security issues, albeit gradually. The rate at which found vulnerabilities are fixed has increased by 10 percentage points across all industries since 2006, from 60 percent at that time to 70 percent now.
Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading. View Full BioComment |
Print |
More Insights
Comments
Newest First | Oldest First | Threaded View
Vulnerabilities vs Exploits
I would suggest that vulnerabilities need patch management and exploits need pen testing.
If something is vulnerable then you need to change it, trying to guess what the exploit will look like is often impossible or it just cannot be done from an external attack.
I would rather defend against an attack that is out there in the wild than something I might be vulnerable. I want to know does my IDS recognise real attacks and not spend my time guessing what an attack might look like. So, I defed against knives and guns but the Martian ray gun, not until one exists.
If something is vulnerable then you need to change it, trying to guess what the exploit will look like is often impossible or it just cannot be done from an external attack.
I would rather defend against an attack that is out there in the wild than something I might be vulnerable. I want to know does my IDS recognise real attacks and not spend my time guessing what an attack might look like. So, I defed against knives and guns but the Martian ray gun, not until one exists.
Unfortunately True
I can attest to these statements seeing it first hand in a previous line of work. Unfortunately, Zero days were the only vulnerabilities that were on the radar and unfortunately they were only a blip. I think in the wake of such large breaches we need to understand that handling application security is iterative, as is vulnerability management as a whole. Focusing on vulnerabilities in a traditional methodology is incredibly cumbersome. An agile mindset is a much better way of handling these.
White Papers
Video
3 Comments
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Hey Bill, did you get the report from our vulnerability scan?"
"Yep. Looking at the holes as we speak."
Latest Comment: "Hey Bill, did you get the report from our vulnerability scan?"
"Yep. Looking at the holes as we speak."
Current Issue
Five Emerging Security Threats - And What You Can Learn From ThemAt Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
DevOps’ Impact on Application Security
Managing the interdependency between software and infrastructure is a thorny challenge. Often, it’s a “developers are from Mars, systems engineers are from Venus” situation.
Slideshows
Twitter Feed
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...
CVE-2015-4948The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.
CVE-2015-5660netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.
CVE-2015-6003Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.
CVE-2015-6333Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.
Archived Dark Reading Radio
Dark Reading editors are live at Black Hat 2016. In this special episode of Dark Reading Radio, join executive editor Kelly Jackson Higgins and senior editor Sara Peters as they bring you conversations with speakers from the Black Hat 2016 conference.
- Terms of Service
- Privacy Statement
- Copyright © 2016 UBM, All rights reserved
Tweet This