Risk
11/13/2012
03:29 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%
Repost This

Enterprises Pressure Software Vendors To Clean Up Their Apps

New Veracode software security report, BSIMM4 findings show enterprises driving third-party software vendors to write more secure code

Most vendor apps -- 62 percent -- fail compliance in their first tests. The top flaws discovered in both Web- and non-Web apps were more of the same old, same old. Web apps contained bugs such as information leakage (79 percent), cross-site scripting (71 percent), cryptographic issues (67 percent), directory traversal (67 percent), CRLF injection (63 percent), time and state (51 percent), insufficient input validation (48) percent, and SQL injection (40 percent).

Non-Web apps contained cryptographic issues (62 percent), error handling (58 percent), directory traversal (57 percent), numeric errors (43 percent), buffer management errors (42 percent), and buffer overflow flaws (41 percent), as well as other bugs.

Veracode's Wysopal says he was surprised that vendor software performed so poorly against the OWASP Top 10 vulnerabilities. "A lot of enterprises are putting in place fairly weak policies, weaker than the OWASP 10. Some say, 'Just don't have critical vulnerabilities in your apps,'" he says. "So that's allowing more vendors to pass ... and sell to them. My theory is that enterprises don't want to be too harsh. They want vendors to do some testing, and they want the egregious bugs to be taken out, but they don't want it to be too difficult to do business with them. Most businesses are practical and pragmatic."

The best bet is to have a policy for your software vendors, he says, and not an ad-hoc one. "Case by case does not work well," Wysopal says.

Veracode's Enterprise Testing of the Software Supply Chain report is available here for download.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DarkReadingTim
50%
50%
DarkReadingTim,
User Rank: Strategist
11/14/2012 | 1:57:26 AM
re: Enterprises Pressure Software Vendors To Clean Up Their Apps
Readers, do you think software developers should be required to get some sort of security certification?- (Posted by Tim Wilson, editor)
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-0360
Published: 2014-04-23
Memory leak in Cisco IOS before 15.1(1)SY, when IKEv2 debugging is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted packets, aka Bug ID CSCtn22376.

CVE-2012-1317
Published: 2014-04-23
The multicast implementation in Cisco IOS before 15.1(1)SY allows remote attackers to cause a denial of service (Route Processor crash) by sending packets at a high rate, aka Bug ID CSCts37717.

CVE-2012-1366
Published: 2014-04-23
Cisco IOS before 15.1(1)SY on ASR 1000 devices, when Multicast Listener Discovery (MLD) tracking is enabled for IPv6, allows remote attackers to cause a denial of service (device reload) via crafted MLD packets, aka Bug ID CSCtz28544.

CVE-2012-3062
Published: 2014-04-23
Cisco IOS before 15.1(1)SY, when Multicast Listener Discovery (MLD) snooping is enabled, allows remote attackers to cause a denial of service (CPU consumption or device crash) via MLD packets on a network that contains many IPv6 hosts, aka Bug ID CSCtr88193.

CVE-2012-3918
Published: 2014-04-23
Cisco IOS before 15.3(1)T on Cisco 2900 devices, when a VWIC2-2MFT-T1/E1 card is configured for TDM/HDLC mode, allows remote attackers to cause a denial of service (serial-interface outage) via certain Frame Relay traffic, aka Bug ID CSCub13317.

Best of the Web