Risk
4/19/2011
11:41 AM
50%
50%

66% Of Security Software Submitted With Flaws

App testing firm Veracode reports that developers need significantly more training on secure-coding skills.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
More than two-thirds of security applications and 82% of customer-focused applications initially have an unacceptable level of security quality, compared with just 58% of applications in general.

That's according to a report from Veracode, which analyzed 4,835 applications that were submitted to its application testing service.

Seeing higher numbers of vulnerabilities in security software is especially surprising, since "you're buying these applications to perform a security function, so you'd expect that these applications would be more secure than others," said Sam King, VP of product marketing for Veracode, in an interview.

The report also found that 80% of all submitted Web applications failed to mitigate the top 10 most dangerous vulnerabilities, as identified by the Open Web Application Security Project (OWASP). Interestingly, the Payment Card Industry Data Security Standard also uses the OWASP top 10 list to assess compliance with the standard.

In addition, the report found that since the beginning of 2009, cross-site scripting vulnerability volume has remained constant, while SQL injection vulnerabilities have decreased by 2.4% per quarter. Unfortunately, that's not good news, since just one vulnerability can be exploited by an attacker multiple times, across multiple sites, and as numerous reports have found, the number of attacks against Web applications continue to increase.

The good news, however, is that more than 90% of all software products seen by Veracode were resubmitted and went on to achieve an acceptable quality level within a month, while security products reached an acceptable level, on average, in just three days.

That includes more than just Web applications. Overall, the applications assessed by the report were written in Java (52%), .Net (27%), C/C++ (12%), PHP (6%), and ColdFusion (2%), a mix that Veracode said reflects a typical company's application portfolio. In terms of the industries that submitted software, one-third had software designed for content management and collaboration software (33%), followed by operations (25%), security (13%), finance (12%), and customer-centric software (11%).

When it comes to coding clean software, the finance industry remains the sector to beat. Interestingly, the finance and software industries together account for more than 75% of the businesses that require their third-party software suppliers to undergo formal code evaluation. But aerospace and defense are also starting to require much more code verification of suppliers, said King.

Veracode pitches its report as a "before" picture, compared with reports that assess the damage caused by attackers who exploit software vulnerabilities, for example in the Verizon Data Breach Investigations Report.

One sure-fire technique for increasing the quality of code and cutting down on data breaches is to create a secure development program with top-level backing. But the former part of that equation requires knowledge and expertise on the part of coders. In other words, they need training.

According to the report, many developers don't have secure-coding skills when they get hired, as "application security training and education is not a formal part of most computer science curriculums and certainly not a consistent theme in the professional development opportunities made available to technology professionals in companies," it said.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-0121
Published: 2015-05-30
IBM Rational Requirements Composer 3.0 through 3.0.1.6 and 4.0 through 4.0.7 and Rational DOORS Next Generation (RDNG) 4.0 through 4.0.7 and 5.0 through 5.0.2, when LTPA single sign on is used with WebSphere Application Server, do not terminate a Requirements Management (RM) session upon LTPA token ...

CVE-2015-0191
Published: 2015-05-30
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-0191. Reason: This candidate is a duplicate of CVE-2014-0191. A typo caused the wrong ID to be used. Notes: All CVE users should reference CVE-2014-0191 instead of this candidate. All references and descriptions in this candid...

CVE-2015-0193
Published: 2015-05-30
Cross-site scripting (XSS) vulnerability in IBM Business Process Manager (BPM) 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.3, and 8.5.x through 8.5.5.0 and WebSphere Lombardi Edition (WLE) 7.2.x through 7.2.0.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL...

CVE-2015-0733
Published: 2015-05-30
CRLF injection vulnerability in the HTTP Header Handler in Digital Broadband Delivery System in Cisco Headend System Release allows remote attackers to inject arbitrary HTTP headers, and conduct HTTP response splitting attacks or cross-site scripting (XSS) attacks, via a crafted request, aka Bug ID ...

CVE-2015-0743
Published: 2015-05-30
Cisco Headend System Release allows remote attackers to cause a denial of service (DHCP and TFTP outage) via a flood of crafted UDP traffic, aka Bug ID CSCus04097.

Dark Reading Radio
Archived Dark Reading Radio
After a serious cybersecurity incident, everyone will be looking to you for answers -- but you’ll never have complete information and you’ll never have enough time. So in those heated moments, when a business is on the brink of collapse, how will you and the rest of the board room executives respond?