Application Security

10/20/2017
06:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Veracode: 75% Of Apps Have at Least One Vulnerability on Initial Scan

But developers not the only ones to blame, company says.

Application security continues to stink at many organizations, a new report from Veracode shows. But developers are not the only ones to blame. 

A failure by organizations to provide adequate security training and by operational teams to address vulnerabilities in the production environment have a big impact on application safety as well, the company said.

Veracode's State of Software Security 2017 report is based on a code-level analysis of nearly 250 billion lines of code across 400,000 assessments conducted for 1,400 customers between April 2016 and March 2017.

The analysis showed more than 75% of the applications having one or more security vulnerabilities in code written by the development team, on initial scan. About 12% had either a very-high-severity or a high-severity flaw on first scan. A startling 88%, nearly nine out of 10, Java applications had at least one serious component-level flaw.

[See Veracode's vice president of research Chris Eng discuss Security, Application Development and DevOps at DarkReading's upcoming INsecurity Conference, Nov. 29-30 in the D.C. area.]

Veracode's 2017 analysis found applications riddled with the same vulnerabilities that it uncovered last year. Information leakage flaws were most common and were present in more than 65% of the applications in which a security bug was found on initial scan. About 62% had cryptographic flaws while 56% had what Veracode described as code quality issues.

The Top 10 list of most frequent vulnerabilities on initial scan this year was identical to the list of top flaws last year and suggested that organizations are continuing to grapple with the same issues as they have been for quite some time.

"This year’s study included confirmation of trends we’ve seen for a while," says Tim Jarrett, senior director of product marketing at Veracode. But there were also some surprises, he says.

The analysis, for instance showed accelerating adoption of scanning earlier in the software development lifecycle, he says. The number of organizations doing at least 12 scans per year ticked up slightly from 10.5% to 11.1%. Over 36% though continued to do just one scan per year.

There was also evidence that findings, which are prioritized by a policy, for instance higher severity findings, get fixed about twice as often as do findings not prioritized by policy, Jarrett says.

"We see evidence that scan frequencies are increasing, with a 3% to 4% increase in applications scanning at least daily," he says. "[Such] frequent scanning is a sign of both early-lifecycle scanning and automated scanning." But the majority of applications are still only being tested quarterly—or less frequently. "There’s plenty of room for improvement," he notes.

Developers, according to Veracode, are not the only ones to blame for the continuing struggles with applications that many organizations appear to be having.

"It’s time to put the lazy developer trope to bed," the company noted in its report.  "It may be easy for cybersecurity pros to blame AppSec woes on indifferent, uncaring, or slothful coders." But the reality is very different, Veracode said.

Operational teams for instance have a part in undermining application security as well. When Veracode took a look at the overall hygiene of the production environments at the organizations in its survey the company found an "alarming number" of vulnerable servers running production applications.

When Veracode queried the public-facing web applications of the companies in its report, it discovered nearly 25% of the sites operating on web servers with one or more vulnerabilities with a CVSS rating of 6 or higher. Nearly 19% had web servers that were at least a decade old.

At many organizations developers also simply don't get the security training they require. Few managers consider a software developer's security skills as an important metric when evaluating performance, the application security vendor noted.

The Veracode report quoted a previous study the company had sponsored, in which 68 percent of developers and IT pros said their organizations did not provide adequate security training. Some 76% in that survey said they had not been required to take a single security course in college. Another study that Veracode conducted with analyst firm Enterprise Strategy Group showed a high-level of awareness about the importance of security knowledge among development teams. But only 18% said security was the most important metric for measuring developers’ performance, Veracode said.

Related content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
10/23/2017 | 4:38:11 PM
Re: What about the 25%?
Presumably, it's not engaging in the mistakes Veracode highlights. At least, that's how I read it.
sngs7dan
100%
0%
sngs7dan,
User Rank: Strategist
10/23/2017 | 10:15:20 AM
What about the 25%?
If 25% of apps did NOT have at least one vulnerability on initial scan, what is it about those applications that made them secure?

Rather than simply promoting Veracode's ability to detect vulnerabilities, why not share the 'secret sauce' to not introducing vulnerabilities? Any plans for follow up stories?
Microsoft Word Vuln Went Unnoticed for 17 Years: Report
Kelly Sheridan, Associate Editor, Dark Reading,  11/14/2017
Companies Blindly Believe They've Locked Down Users' Mobile Use
Dawn Kawamoto, Associate Editor, Dark Reading,  11/14/2017
121 Pieces of Malware Flagged on NSA Employee's Home Computer
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/16/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Managing Cyber-Risk
An online breach could have a huge impact on your organization. Here are some strategies for measuring and managing that risk.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.