Dark Reading is part of the Informa Tech Division of Informa PLC


Application Security

6/23/2015
12:00 PM

Government, Healthcare Particularly Lackluster In Application Security

Veracode's State of Software Security Report lays out industry-specific software security metrics.

Healthcare organizations and government agencies still continue to struggle with application security, leaving as much as 73 percent of their identified vulnerabilities unremediated in some instances, according to a new study.

The silver lining is that across industries, the work of reducing risk in software is accelerating and many organizations are making headway in fixing their software flaws, according to the new State of Software Security Report released by Veracode today. 

"It may be tempting in the face of repeated breaches--OPM, Target and Sony--to throw up one’s hands, not to bother building secure applications, and to give up on fixing vulnerabilities in the applications you’ve already deployed," says Chris Wysopal, CTO and CISO of Veracode, in the report. "The data in this report clearly shows that, by addressing the problem systematically and at scale, enterprises can significantly reduce application risk."

In the wake of the OPM breach, it probably won't come as a surprise to many that government organizations fare the worst in many key metrics of application security. For example, only 24 percent of government applications pass OWASP Top 10 compliance on their first assessment, half the pass rate of the financial services industry. And only 27 percent of government flaws identified in an initial assessment are fixed in subsequent assessments, compared to 81 percent for manufacturing and 65 percent for financial services.

Healthcare also fared poorly in several key areas. For example, only 43 percent of known vulnerabilities are remediated by healthcare organizations. Most troubling, 80 percent of healthcare applications exhibit cryptographic issues such as weak algorithms. This is concerning given the sensitivity of health data and the push toward electronic health records.

Meanwhile, across all industries, Veracode found applications were suffering from software supply chain issues. It found that three-quarters of applications produced by third-party software vendors fail the OWASP Top 10 at initial assessment. That jibes with a study done last week by Sonatype conducted among 106,000 organizations, finding that many of the third-party and open source components that organizations lean on in the development process are not tracked and are embedded into enterprise software with known vulnerabilities. Approximately 59 percent of known vulnerabilities on these dependencies remain unfixed, according to Sonatype.

The positive news is that according to Veracode, headway is being made on application security issues, albeit gradually. The rate at which found vulnerabilities are fixed has increased by 10 percentage points across all industries since 2006, from 60 percent at that time to 70 percent now. 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
Traffic IQ (User Rank: Apprentice), 6/24/2015 | 1:35:07 PM
Vulnerabilities vs Exploits
I would suggest that vulnerabilities need patch management and exploits need pen testing.
If something is vulnerable then you need to change it; trying to guess what the exploit will look like is often impossible, or it just cannot be done from an external attack.
I would rather defend against an attack that is out there in the wild than something I might be vulnerable to. I want to know whether my IDS recognises real attacks, and not spend my time guessing what an attack might look like. So, I defend against knives and guns, but the Martian ray gun, not until one exists.

RyanSepe (User Rank: Ninja), 6/24/2015 | 8:11:00 AM
Unfortunately True
I can attest to these statements, having seen it first hand in a previous line of work. Unfortunately, zero-days were the only vulnerabilities that were on the radar, and unfortunately they were only a blip. I think in the wake of such large breaches we need to understand that handling application security is iterative, as is vulnerability management as a whole. Focusing on vulnerabilities in a traditional methodology is incredibly cumbersome. An agile mindset is a much better way of handling these.