Vulnerabilities / Threats
12/9/2011
12:27 PM

84% Of Development Apps Sport Known Vulnerabilities

SQL injection vulnerabilities and other flaws increase in first-version code reviews, but overall bug levels decline, reports Veracode.

Beware insecure code: according to a new study, 84% of applications fail to pass security muster on the first try, not least because two-thirds contain cross-site scripting vulnerabilities, while one-third sport SQL injection vulnerabilities.

Those findings come from the fourth State of Software Security Report from Veracode, which is based on its analysis of 9,100 application builds that were submitted to the company's code-testing service over the past 18 months.

In Veracode's previous report, released in April, fewer applications--66%--failed to pass security muster. But the increased failure rate is due to Veracode no longer allowing an application to pass even if only a few SQL injection or cross-site scripting vulnerabilities were present. Instead, it's instituted a zero-tolerance policy, driven by the ease with which such vulnerabilities can be exploited by attackers.


Here's good news from the report: the overall bug volume in development code continues to decline. "When you look at the trend of SQL injection, in particular, over our entire dataset over the past three years, quarter by quarter it's trending downwards, which means people are becoming aware of this problem and fixing these applications," said Chris Wysopal, CTO of Veracode, in an interview.

There's one notable exception, however: government agencies. "When you look at the government applications, we found that the trend is staying flat; the problem is not going down," he said.

Why is that? Interestingly, compared with other sectors, more government applications get built using ColdFusion, which Sam King, VP of product marketing for Veracode, said is an easier language in which to program. But for that reason, it tends to be used by less-experienced developers. "So maybe those developers are less experienced overall, as well as when it comes to application security development principles," she said in an interview.

It's also likely that government agencies simply aren't budgeting for code security reviews. "The government is very regulation-driven, because their budgeting process doesn't allow them to do any activities that aren't required," said Wysopal.

"No matter how important the CISO or CSO of a government agency feels it is, he's not going to get budget for it if it's not a requirement. So, application security is lagging, because standards like FISMA [the Federal Information Security Management Act] that put in place the activities that a government agency must follow don't put in place application security testing," he said.

For the first time, Veracode's study also looked at Android applications, and found that mobile developers often make very similar errors to Web application developers. In particular, more than 40% of Android applications--compared with just 17% of Java applications--reviewed by Veracode contained at least one instance of a hardcoded key. "This problem of the hardcoded key is that every user of an app has the same credential for accessing the system," said Wysopal.

In Web applications, hardcoded keys only pose a moderate risk, owing to attackers not usually having access to the binary code in which the key is embedded, since it's on a server, he said. "But on a mobile device, the end user has access to the binary that's running on the device." Accordingly, an attacker could reverse-engineer the application to retrieve the hardcoded keys. "This is a sort of crypto worst practice, and it nullifies the use of cryptography to secure data transmitted to the device," he said.
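As an added illustration (not code from the article or from Veracode's report), here is a small Python checker for the pattern described above: a key-like identifier assigned a long, high-entropy string literal, which is the signature of a credential baked into every copy of the app. The sample Java-style source, the identifier names and the thresholds are all constructed for the example.

```python
import math
import re

# Constructed sample of Android/Java-style source used as the scan target.
SAMPLE_SOURCE = """\
public class ApiClient {
    private static final String API_KEY = "a3f9c2e1d4b7086f5e2c9a1b3d7e4f60";
    private static final byte[] AES_KEY = hexToBytes("00112233445566778899aabbccddeeff");
    private static final String LOG_TAG = "ApiClient";
    private String sessionToken = null;
    private static final String KEY_ALIAS = "user_key";
}
"""

# Identifier names that usually hold credentials or cryptographic material.
KEY_NAME_RE = re.compile(
    r'\b[A-Za-z_]*(?:key|secret|passw(?:or)?d|token|salt)[A-Za-z0-9_]*\b', re.IGNORECASE)
# A quoted literal on the right-hand side, optionally wrapped in a call such as hexToBytes("...").
LITERAL_RE = re.compile(r'=\s*(?:\w+\()?\s*"([^"]{8,})"')


def shannon_entropy(s: str) -> float:
    """Bits per character: random hex is about 4, base64 about 6, plain words 3 or less."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_hardcoded_keys(source: str, min_len: int = 16, min_entropy: float = 3.0):
    """Return (line_no, identifier, literal) for key-like names assigned a long, random-looking literal.

    A hit means every installed copy of the binary carries the same secret; the fix is to
    issue per-user credentials at runtime instead of shipping one key to everyone.
    """
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        if '=' not in line:
            continue
        lhs, _, _ = line.partition('=')
        name = KEY_NAME_RE.search(lhs)
        literal = LITERAL_RE.search(line)
        if not name or not literal:
            continue
        value = literal.group(1)
        if len(value) >= min_len and shannon_entropy(value) >= min_entropy:
            findings.append((line_no, name.group(0), value))
    return findings
```

Short, low-entropy values such as `"user_key"` are deliberately ignored so that Keystore aliases and similar labels do not drown the real findings.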

More good news from the report, however, is that once organizations begin paying attention to code security, they typically get better at securing their code. Furthermore, fixing an application that fails to pass security tests often doesn't take much time. "On average, it takes four builds to go from no security to good security," said Wysopal, with that process typically only requiring about a week's time.


Comments
Bprince,
12/9/2011 | 10:46:23 PM
re: 84% Of Development Apps Sport Known Vulnerabilities
Good paper here from the SANS institute on threat modeling during the application development process.
http://www.sans.org/reading_ro...
Brian Prince, InformationWeek/Dark Reading Comment Moderator