Veracode: Top 5 Most Exploited App Security Flaws

BURLINGTON, Mass., Oct 28, 2011 (BUSINESS WIRE) -- As Halloween approaches, Veracode, Inc., provider of the world's only independent, cloud-based application risk management platform, is highlighting the top five scariest software application flaws that could be lurking in your organization's software portfolio. By pinpointing these commonly exploited vulnerabilities, developers, security teams and IT managers can more effectively prioritize and protect against these haunting threats.

According to Veracode, the top five scariest application security flaws for enterprises are:

-- SQL Injection: When an application uses untrusted input to generate an ad-hoc SQL query, allowing an attacker to manipulate the query. The Attacker may then be able to bypass authentication checks, retrieve or modify data he shouldn't have access to, determine the entire database schema and extract the contents, and even execute system commands on the database server.

-- Cross-Site Scripting (XSS): When an application uses untrusted input to dynamically generate a web page, allowing an attacker to inject malicious executable content such as JavaScript code.

-- Information Leakage: When an application discloses too much detail about product functionality, environment or other sensitive info. While often not exploitable in and of itself, the leak, such as an error message, default error page, stack trace or directory listing info leak, is something an attacker can use to formulate and refine their attack strategy.

-- Cryptographic Issues: A broad category covering all sorts of ways to misuse cryptography including missing encryption, insufficient entropy and hard-copied crypto key.

-- Directory Traversal: When an application uses untrusted input to specify the target of a file I/O operation (such as open, read, write, delete).

To learn more about these top software vulnerabilities, the impact potential attacks could have on a company's application portfolio and its customers, and guidelines for developing a programmatic approach to verifying the security of critical applications, go to http://info.veracode.com/10611TopFiveMostPrevalentApp_TopFiveMostPrevalentApp.html and view the "Top 5 Most Prevalent Web Application Vulnerabilities" webcast delivered by Chris Eng, vice president of research, Veracode. For a general overview of application security risks faced by organizations today, go to http://info.veracode.com/082911-ApplicationSecurityFundamentals-ChrisWysopal_webinarApplicationSecurityFundamentals.html and view the "Application Security Fundamentals" webcast delivered by Chris Wysopal, CTO & CISO, Veracode.

About Veracode

Veracode is the only independent provider of cloud-based application intelligence and security verification services. The Veracode platform provides the fastest, most comprehensive solution to improve the security of internally developed, purchased or outsourced software applications and third-party components. By combining patented static, dynamic and manual testing, extensive eLearning capabilities, and advanced application analytics, Veracode enables scalable, policy-driven application risk management programs that help identify and eradicate numerous vulnerabilities by leveraging best-in-class technologies from vulnerability scanning to penetration testing and static code analysis. Veracode delivers unbiased proof of application security to stakeholders across the software supply chain while supporting independent audit and compliance requirements for all applications no matter how they are deployed, via the web, mobile or in the cloud. Veracode works with customers in more than 80 countries worldwide including Global 2000 brands such as Barclays PLC and Computershare as well as the California Public Employees' Retirement System (CalPERS) and the Federal Aviation Administration (FAA). For more information, visit www.veracode.com , follow on Twitter: @Veracode or read the ZeroDay Labs blog.