Enterprises Pressure Software Vendors To Clean Up Their Apps

Most vendor apps -- 62 percent -- fail compliance in their first tests. The top flaws discovered in both Web- and non-Web apps were more of the same old, same old. Web apps contained bugs such as information leakage (79 percent), cross-site scripting (71 percent), cryptographic issues (67 percent), directory traversal (67 percent), CRLF injection (63 percent), time and state (51 percent), insufficient input validation (48) percent, and SQL injection (40 percent).

Non-Web apps contained cryptographic issues (62 percent), error handling (58 percent), directory traversal (57 percent), numeric errors (43 percent), buffer management errors (42 percent), and buffer overflow flaws (41 percent), as well as other bugs.

Veracode's Wysopal says he was surprised that vendor software performed so poorly against the OWASP Top 10 vulnerabilities. "A lot of enterprises are putting in place fairly weak policies, weaker than the OWASP 10. Some say, 'Just don't have critical vulnerabilities in your apps,'" he says. "So that's allowing more vendors to pass ... and sell to them. My theory is that enterprises don't want to be too harsh. They want vendors to do some testing, and they want the egregious bugs to be taken out, but they don't want it to be too difficult to do business with them. Most businesses are practical and pragmatic."

The best bet is to have a policy for your software vendors, he says, and not an ad-hoc one. "Case by case does not work well," Wysopal says.

Veracode's Enterprise Testing of the Software Supply Chain report is available here for download.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.