12/9/2011
84% Of Development Apps Sport Known Vulnerabilities

SQL injection vulnerabilities and other flaws increase in first-version code reviews, but overall bug levels decline, reports Veracode.

Beware insecure code: according to a new study, 84% of applications fail to pass security muster on the first try, not least because two-thirds contain cross-site scripting vulnerabilities, while one-third sport SQL injection vulnerabilities.

Those findings come from the fourth State of Software Security Report from Veracode, which is based on its analysis of 9,100 application builds that were submitted to the company's code-testing service over the past 18 months.

In Veracode's previous report, released in April, fewer applications--66%--failed to pass security muster. But the increased failure rate is due to Veracode no longer allowing an application to pass if it contains even a few SQL injection or cross-site scripting vulnerabilities. Instead, it has instituted a zero-tolerance policy, driven by the ease with which such vulnerabilities can be exploited by attackers.


Here's good news from the report: the overall bug volume in development code continues to decline. "When you look at the trend of SQL injection, in particular, over our entire dataset over the past three years, quarter by quarter it's trending downwards, which means people are becoming aware of this problem and fixing these applications," said Chris Wysopal, CTO of Veracode, in an interview.

There's one notable exception, however: government agencies. "When you look at the government applications, we found that the trend is staying flat; the problem is not going down," he said.

Why is that? Interestingly, compared with other sectors, more government applications get built using ColdFusion, which Sam King, VP of product marketing for Veracode, said is an easier language in which to program. But for that reason, it tends to be used by less-experienced developers. "So maybe those developers are less experienced overall, as well as when it comes to application security development principles," she said in an interview.

It's also likely that government agencies simply aren't budgeting for code security reviews. "The government is very regulation-driven, because their budgeting process doesn't allow them to do any activities that aren't required," said Wysopal.

"No matter how important the CISO or CSO of a government agency feels it is, he's not going to get budget for it if it's not a requirement. So, application security is lagging, because standards like FISMA [the Federal Information Security Management Act] that put in place the activities that a government agency must follow don't put in place application security testing," he said.

For the first time, Veracode's study also looked at Android applications, and found that mobile developers often make very similar errors to Web application developers. In particular, more than 40% of Android applications--compared with just 17% of Java applications--reviewed by Veracode contained at least one instance of a hardcoded key. "This problem of the hardcoded key is that every user of an app has the same credential for accessing the system," said Wysopal.

In Web applications, hardcoded keys only pose a moderate risk, owing to attackers not usually having access to the binary code in which the key is embedded, since it's on a server, he said. "But on a mobile device, the end user has access to the binary that's running on the device." Accordingly, an attacker could reverse-engineer the application to retrieve the hardcoded keys. "This is a sort of crypto worst practice, and it nullifies the use of cryptography to secure data transmitted to the device," he said.
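To make Wysopal's point concrete from the defender's side, here is an added example (not from the Veracode report or this article) of a small heuristic scanner that flags hardcoded key material in decompiled Android source or resource lines: it reports string literals on lines with credential-like identifier names, and long, high-entropy, encoded-looking literals regardless of name. The sample lines, identifier names and key values are constructed for illustration.

```python
import math
import re
from collections import Counter

# Constructed sample lines, as they might appear in decompiled Android source.
# Identifier names and key values are made up for this example.
SAMPLE_SOURCE = """\
private static final String API_KEY = "AIzaSyD9f3k2QpLmN8vXyZ0abCdeFgH1jK2lM3n";
private static final byte[] AES_KEY = hexToBytes("0123456789abcdef0123456789abcdef");
private static final String HMAC_SEED = "k9Xb2QmT7vLp4RwZ0sHn";
String dbPassword = "s3cr3t-pass-2011";
private static final String TITLE = "Welcome back";
String tag = "MainActivity";
String url = "https://api.example.com/v1/login";
"""

KEY_NAME = re.compile(r"(?i)(key|secret|token|passw)")   # credential-like identifiers
STRING_LITERAL = re.compile(r'"([^"\\]*(?:\\.[^"\\]*)*)"')  # Java/Kotlin string literal
KEY_CHARSET = re.compile(r"[A-Za-z0-9+/=_-]+")            # hex / base64 / url-safe base64


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random keys score high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_key_material(literal: str) -> bool:
    """Long, encoded-looking and high-entropy: probably a key, not a UI string."""
    return (len(literal) >= 16
            and KEY_CHARSET.fullmatch(literal) is not None
            and shannon_entropy(literal) >= 3.5)


def find_hardcoded_keys(source: str):
    """Return (line_no, reason, literal) for each suspicious string literal."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        key_named = KEY_NAME.search(line) is not None
        for match in STRING_LITERAL.finditer(line):
            literal = match.group(1)
            if key_named and len(literal) >= 8:
                findings.append((line_no, "key-named identifier", literal))
            elif looks_like_key_material(literal):
                findings.append((line_no, "high-entropy literal", literal))
    return findings
```

Run over the constructed sample it flags the first four lines and leaves the title, log tag and URL alone; a real review would run it over `apktool`/decompiler output and treat every hit as a credential shared by every installed copy of the app.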

More good news from the report, however, is that once organizations begin paying attention to code security, they typically get better at securing their code. Furthermore, fixing an application that fails to pass security tests often doesn't take much time. "On average, it takes four builds to go from no security to good security," said Wysopal, with that process typically only requiring about a week's time.


Comments
Bprince,
User Rank: Ninja
12/9/2011 | 10:46:23 PM
re: 84% Of Development Apps Sport Known Vulnerabilities
Good paper here from the SANS institute on threat modeling during the application development process.
http://www.sans.org/reading_ro...
Brian Prince, InformationWeek/Dark Reading Comment Moderator