Risk
11/13/2012
03:29 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Enterprises Pressure Software Vendors To Clean Up Their Apps

New Veracode software security report, BSIMM4 findings show enterprises driving third-party software vendors to write more secure code

Most vendor apps -- 62 percent -- fail compliance in their first tests. The top flaws discovered in both Web- and non-Web apps were more of the same old, same old. Web apps contained bugs such as information leakage (79 percent), cross-site scripting (71 percent), cryptographic issues (67 percent), directory traversal (67 percent), CRLF injection (63 percent), time and state (51 percent), insufficient input validation (48) percent, and SQL injection (40 percent).

Non-Web apps contained cryptographic issues (62 percent), error handling (58 percent), directory traversal (57 percent), numeric errors (43 percent), buffer management errors (42 percent), and buffer overflow flaws (41 percent), as well as other bugs.

Veracode's Wysopal says he was surprised that vendor software performed so poorly against the OWASP Top 10 vulnerabilities. "A lot of enterprises are putting in place fairly weak policies, weaker than the OWASP 10. Some say, 'Just don't have critical vulnerabilities in your apps,'" he says. "So that's allowing more vendors to pass ... and sell to them. My theory is that enterprises don't want to be too harsh. They want vendors to do some testing, and they want the egregious bugs to be taken out, but they don't want it to be too difficult to do business with them. Most businesses are practical and pragmatic."

The best bet is to have a policy for your software vendors, he says, and not an ad-hoc one. "Case by case does not work well," Wysopal says.

Veracode's Enterprise Testing of the Software Supply Chain report is available here for download.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DarkReadingTim
50%
50%
DarkReadingTim,
User Rank: Strategist
11/14/2012 | 1:57:26 AM
re: Enterprises Pressure Software Vendors To Clean Up Their Apps
Readers, do you think software developers should be required to get some sort of security certification?- (Posted by Tim Wilson, editor)
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4013
Published: 2014-07-14
SQL injection vulnerability in the Policy Manager in Aruba Networks ClearPass 5.x, 6.0.x, 6.1.x through 6.1.4.61696, 6.2.x through 6.2.6.62196, and 6.3.x before 6.3.4 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

CVE-2014-4944
Published: 2014-07-14
Multiple SQL injection vulnerabilities in inc/bsk-pdf-dashboard.php in the BSK PDF Manager plugin 1.3.2 for WordPress allow remote authenticated users to execute arbitrary SQL commands via the (1) categoryid or (2) pdfid parameter to wp-admin/admin.php.

CVE-2014-4945
Published: 2014-07-14
Multiple cross-site scripting (XSS) vulnerabilities in Horde Internet Mail Program (IMP) before 6.1.8, as used in Horde Groupware Webmail Edition before 5.1.5, allow remote attackers to inject arbitrary web script or HTML via an unspecified flag in the basic (1) mailbox or (2) message view.

CVE-2014-4946
Published: 2014-07-14
Multiple cross-site scripting (XSS) vulnerabilities in Horde Internet Mail Program (IMP) before 6.1.8, as used in Horde Groupware Webmail Edition before 5.1.5, allow remote attackers to inject arbitrary web script or HTML via (1) unspecified flags or (2) a mailbox name in the dynamic mailbox view.

CVE-2013-6117
Published: 2014-07-11
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.