84% Of Development Apps Sport Known Vulnerabilities

SQL injection vulnerabilities and other flaws increase in first-version code reviews, but overall bug levels decline, reports Veracode.

Beware insecure code: according to a new study, 84% of applications fail to pass security muster on the first try, not least because two-thirds contain cross-site scripting vulnerabilities, while one-third sport SQL injection vulnerabilities.

Those findings come from the fourth State of Software Security Report from Veracode, which is based on its analysis of 9,100 application builds that were submitted to the company's code-testing service over the past 18 months.

In Veracode's previous report, released in April, fewer applications--66%--failed to pass security muster. But the increased failure rate is due to Veracode no longer allowing an application to pass even if only a few SQL injection or cross-site scripting vulnerabilities were present. Instead, it's instituted a zero-tolerance policy, driven by the ease with which such vulnerabilities can be exploited by attackers.

Here's good news from the report: the overall bug volume in development code continues to decline. "When you look at the trend of SQL injection, in particular, over our entire dataset over the past three years, quarter by quarter it's trending downwards, which means people are becoming aware of this problem and fixing these applications," said Chris Wysopal, CTO of Veracode, in an interview.

There's one notable exception, however: government agencies. "When you look at the government applications, we found that the trend is staying flat; the problem is not going down," he said.

Why is that? Interestingly, compared with other sectors, more government applications get built using ColdFusion, which Sam King, VP of product marketing for Veracode, described as an easier language to program in, and for that reason one that tends to be used by less-experienced developers. "So maybe those developers are less experienced overall, as well as when it comes to application security development principles," she said in an interview.

It's also likely that government agencies simply aren't budgeting for code security reviews. "The government is very regulation-driven, because their budgeting process doesn't allow them to do any activities that aren't required," said Wysopal.

"No matter how important the CISO or CSO of a government agency feels it is, he's not going to get budget for it if it's not a requirement. So, application security is lagging, because standards like FISMA [the Federal Information Security Management Act] that put in place the activities that a government agency must follow don't put in place application security testing," he said.

For the first time, Veracode's study also looked at Android applications, and found that mobile developers often make very similar errors to Web application developers. In particular, more than 40% of Android applications--compared with just 17% of Java applications--reviewed by Veracode contained at least one instance of a hardcoded key. "This problem of the hardcoded key is that every user of an app has the same credential for accessing the system," said Wysopal.

In Web applications, hardcoded keys only pose a moderate risk, owing to attackers not usually having access to the binary code in which the key is embedded, since it's on a server, he said. "But on a mobile device, the end user has access to the binary that's running on the device." Accordingly, an attacker could reverse-engineer the application to retrieve the hardcoded keys. "This is a sort of crypto worst practice, and it nullifies the use of cryptography to secure data transmitted to the device," he said.
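The hardcoded-key finding above is easy to reproduce with a triage scan over source (or over the strings recovered from a shipped mobile binary, which is exactly what an app's users can see). The script below is an added example, not Veracode's tooling or the report's method: it pairs credential-looking identifiers with high-entropy string literals, using a constructed Java snippet as input, and the hypothetical names `API_KEY` and `AES_KEY` in it are illustrative only.

```python
import math
import re

# Constructed sample in the style of decompiled Android/Java source (not from the report).
SAMPLE_SOURCE = """
public class ApiClient {
    private static final String API_KEY = "AKIA3F9Q2ZX8LM7PNW1V";
    private static final byte[] AES_KEY = hexToBytes("6f3a9c1e4b8d2f70a5c6e1d3b9f04a27");
    private static final String BASE_URL = "https://api.example.com/v1";
    private static final String TAG = "ApiClient";
    private static final int TIMEOUT_MS = 5000;
}
"""

# An identifier that looks like it names a credential, and a quoted literal of 8+ chars.
KEY_NAME = re.compile(r"\b([A-Za-z_]*(?:KEY|SECRET|TOKEN|PASSWORD|PASSWD)[A-Za-z_]*)\b", re.I)
LITERAL = re.compile(r'"([^"\\]{8,})"')


def shannon_entropy(s):
    """Bits per character: random keys and hex/base64 blobs score high, prose scores low."""
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_hardcoded_keys(source, min_entropy=3.0):
    """Return one finding per line where a key-like identifier sits beside a high-entropy literal.

    The name filter skips constants such as URLs and log tags; the entropy floor skips
    human-readable strings, which also means a weak secret like "password123" is missed,
    so treat the output as triage for review, not as proof of absence.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        name = KEY_NAME.search(line)
        if not name:
            continue
        for literal in LITERAL.findall(line):
            entropy = shannon_entropy(literal)
            if entropy >= min_entropy:
                findings.append({"line": lineno, "name": name.group(1), "entropy": round(entropy, 2)})
    return findings


if __name__ == "__main__":
    for f in find_hardcoded_keys(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['name']} is assigned a literal with {f['entropy']} bits/char")
```

Every hit is a credential shared by every installed copy of the app, which is the failure Wysopal describes; the fix is to move such secrets to per-user, server-issued credentials or the platform keystore rather than to obfuscate the literal.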

More good news from the report, however, is that once organizations begin paying attention to code security, they typically get better at securing their code. Furthermore, fixing an application that fails to pass security tests often doesn't take much time. "On average, it takes four builds to go from no security to good security," said Wysopal, with that process typically only requiring about a week's time.

12/9/2011 | 10:46:23 PM
re: 84% Of Development Apps Sport Known Vulnerabilities
Good paper here from the SANS institute on threat modeling during the application development process.
Brian Prince, InformationWeek/Dark Reading Comment Moderator