Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

10/20/2017
06:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Veracode: 75% Of Apps Have at Least One Vulnerability on Initial Scan

But developers not the only ones to blame, company says.

Application security continues to stink at many organizations, a new report from Veracode shows. But developers are not the only ones to blame. 

A failure by organizations to provide adequate security training and by operational teams to address vulnerabilities in the production environment have a big impact on application safety as well, the company said.

Veracode's State of Software Security 2017 report is based on a code-level analysis of nearly 250 billion lines of code across 400,000 assessments conducted for 1,400 customers between April 2016 and March 2017.

The analysis showed more than 75% of the applications having one or more security vulnerabilities in code written by the development team, on initial scan. About 12% had either a very-high-severity or a high-severity flaw on first scan. A startling 88%, nearly nine out of 10, Java applications had at least one serious component-level flaw.

[See Veracode's vice president of research Chris Eng discuss Security, Application Development and DevOps at DarkReading's upcoming INsecurity Conference, Nov. 29-30 in the D.C. area.]

Veracode's 2017 analysis found applications riddled with the same vulnerabilities that it uncovered last year. Information leakage flaws were most common and were present in more than 65% of the applications in which a security bug was found on initial scan. About 62% had cryptographic flaws while 56% had what Veracode described as code quality issues.

The Top 10 list of most frequent vulnerabilities on initial scan this year was identical to the list of top flaws last year and suggested that organizations are continuing to grapple with the same issues as they have been for quite some time.

"This year’s study included confirmation of trends we’ve seen for a while," says Tim Jarrett, senior director of product marketing at Veracode. But there were also some surprises, he says.

The analysis, for instance showed accelerating adoption of scanning earlier in the software development lifecycle, he says. The number of organizations doing at least 12 scans per year ticked up slightly from 10.5% to 11.1%. Over 36% though continued to do just one scan per year.

There was also evidence that findings, which are prioritized by a policy, for instance higher severity findings, get fixed about twice as often as do findings not prioritized by policy, Jarrett says.

"We see evidence that scan frequencies are increasing, with a 3% to 4% increase in applications scanning at least daily," he says. "[Such] frequent scanning is a sign of both early-lifecycle scanning and automated scanning." But the majority of applications are still only being tested quarterly—or less frequently. "There’s plenty of room for improvement," he notes.

Developers, according to Veracode, are not the only ones to blame for the continuing struggles with applications that many organizations appear to be having.

"It’s time to put the lazy developer trope to bed," the company noted in its report.  "It may be easy for cybersecurity pros to blame AppSec woes on indifferent, uncaring, or slothful coders." But the reality is very different, Veracode said.

Operational teams for instance have a part in undermining application security as well. When Veracode took a look at the overall hygiene of the production environments at the organizations in its survey the company found an "alarming number" of vulnerable servers running production applications.

When Veracode queried the public-facing web applications of the companies in its report, it discovered nearly 25% of the sites operating on web servers with one or more vulnerabilities with a CVSS rating of 6 or higher. Nearly 19% had web servers that were at least a decade old.

At many organizations developers also simply don't get the security training they require. Few managers consider a software developer's security skills as an important metric when evaluating performance, the application security vendor noted.

The Veracode report quoted a previous study the company had sponsored, in which 68 percent of developers and IT pros said their organizations did not provide adequate security training. Some 76% in that survey said they had not been required to take a single security course in college. Another study that Veracode conducted with analyst firm Enterprise Strategy Group showed a high-level of awareness about the importance of security knowledge among development teams. But only 18% said security was the most important metric for measuring developers’ performance, Veracode said.

Related content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
10/23/2017 | 4:38:11 PM
Re: What about the 25%?
Presumably, it's not engaging in the mistakes Veracode highlights. At least, that's how I read it.
sngs7dan
100%
0%
sngs7dan,
User Rank: Strategist
10/23/2017 | 10:15:20 AM
What about the 25%?
If 25% of apps did NOT have at least one vulnerability on initial scan, what is it about those applications that made them secure?

Rather than simply promoting Veracode's ability to detect vulnerabilities, why not share the 'secret sauce' to not introducing vulnerabilities? Any plans for follow up stories?
AI Is Everywhere, but Don't Ignore the Basics
Howie Xu, Vice President of AI and Machine Learning at Zscaler,  9/10/2019
Fed Kaspersky Ban Made Permanent by New Rules
Dark Reading Staff 9/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16317
PUBLISHED: 2019-09-14
In Pimcore before 5.7.1, an attacker with limited privileges can trigger execution of a .phar file via a phar:// URL in a filename parameter, because PHAR uploads are not blocked and are reachable within the phar://../../../../../../../../var/www/html/web/var/assets/ directory, a different vulnerabi...
CVE-2019-16318
PUBLISHED: 2019-09-14
In Pimcore before 5.7.1, an attacker with limited privileges can bypass file-extension restrictions via a 256-character filename, as demonstrated by the failure of automatic renaming of .php to .php.txt for long filenames, a different vulnerability than CVE-2019-10867 and CVE-2019-16317.
CVE-2019-16307
PUBLISHED: 2019-09-14
A Reflected Cross-Site Scripting (XSS) vulnerability in the webEx module in webExMeetingLogin.jsp and deleteWebExMeetingCheck.jsp in Fuji Xerox DocuShare through 7.0.0.C1.609 allows remote attackers to inject arbitrary web script or HTML via the handle parameter (webExMeetingLogin.jsp) and meetingKe...
CVE-2019-16294
PUBLISHED: 2019-09-14
SciLexer.dll in Scintilla in Notepad++ (x64) before 7.7 allows remote code execution or denial of service via Unicode characters in a crafted .ml file.
CVE-2019-16309
PUBLISHED: 2019-09-14
FlameCMS 3.3.5 has SQL injection in account/login.php via accountName.