News Vulnerability Management
Enterprises Pressure Software Vendors To Clean Up Their Apps
New Veracode software security report, BSIMM4 findings show enterprises driving third-party software vendors to write more secure code
Most vendor apps -- 62 percent -- fail compliance in their first tests. The top flaws discovered in both Web- and non-Web apps were more of the same old, same old. Web apps contained bugs such as information leakage (79 percent), cross-site scripting (71 percent), cryptographic issues (67 percent), directory traversal (67 percent), CRLF injection (63 percent), time and state (51 percent), insufficient input validation (48) percent, and SQL injection (40 percent).
Non-Web apps contained cryptographic issues (62 percent), error handling (58 percent), directory traversal (57 percent), numeric errors (43 percent), buffer management errors (42 percent), and buffer overflow flaws (41 percent), as well as other bugs.
More Security Insights
- A Smarter Approach: Inside IBM Business Analytics Solutions for Mid-Size Businesses
- Collective intelligence: Capitalizing on the crowd
- Informed CIO: SDN and Server Virtualization on a Collision Course
- Strategy: Building and Maintaining Database Access Control Permissions
- Mobile DevOps: Achieving continuous delivery with multiple front ends and complex backends in Banking, Financial Services, and Insurance
- How Cloud Facilitates an Agile Contact Center
Veracode's Wysopal says he was surprised that vendor software performed so poorly against the OWASP Top 10 vulnerabilities. "A lot of enterprises are putting in place fairly weak policies, weaker than the OWASP 10. Some say, 'Just don't have critical vulnerabilities in your apps,'" he says. "So that's allowing more vendors to pass ... and sell to them. My theory is that enterprises don't want to be too harsh. They want vendors to do some testing, and they want the egregious bugs to be taken out, but they don't want it to be too difficult to do business with them. Most businesses are practical and pragmatic."
The best bet is to have a policy for your software vendors, he says, and not an ad-hoc one. "Case by case does not work well," Wysopal says.
Veracode's Enterprise Testing of the Software Supply Chain report is available here for download.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.