Veracode adopted a more stringent, zero-tolerance policy for testing applications for cross-site scripting (XSS) and SQL injection flaws in its newly published State of Software Security Report, which analyzed testing data from the past 18 months for 9,910 applications submitted to the testing firm.
Why the zero-tolerance approach to XSS and SQL injection now? "It's not acceptable anymore" to have these low-hanging fruit vulnerabilities, says Sam King, vice president of product marketing at Veracode. "More than eight in 10 applications failed with the new policy."
That's down from the 68 percent pass rate for apps under Veracode's previously more permissive policy that allowed for a minimal number of the flaws. "Our objective is increasing the sense of urgency for people to take action," King says.
Government applications had more vulnerabilities, with 40 percent of agency Web apps containing SQL injection issues versus 29 percent of apps in the finance industry and 30 percent in the software industry. One bit of good news: SQL injection overall is diminishing in all apps, but remained flat in government compared to previous reports. SQL injection vulnerabilities in apps had dropped from 38 percent two years ago to around 32 percent, according to Chris Wysopal, CTO of Veracode.
"SQL injection is trending downward [due to more] awareness of it. More organizations are doing something about it," Wysopal says. "Cross-site scripting, on the other hand, is flat … the same number of apps are affected by it."
Another bright spot in the report: Eighty percent of the organizations were able to fix their software's flaws within one week. "If you take action, it's not hard to improve app security," Wysopal says.
Bob Tarzey, director and analyst with Quocirca, says Veracode’s report shows that there are a lot of vulnerabilities in applications today, but that they “can be fixed pretty quickly.”
Meanwhile, Veracode’s King says the relatively poorer performance by government apps was a bit unsettling. “Those are alarming findings,” she says. “In more instances, they were more frequently exploited than other industries were.”
One explanation, she says, might have to do with the mix of Web programming languages employed in government agencies. “They tend to make greater use of ColdFusion as a Web app development language, which tends to be used by less experienced developers,” King says.
Among other findings by Veracode: More than 40 percent of Android apps contain hard-coded encryption keys in them, while around 17 percent of other Java apps did. Because Android apps are simple to decompile, an attacker could easily grab and leak the keys, for instance, according to Veracode. “In Web apps, an embedded encryption key is risky, but only the admin has access to that key,” Veracode’s Wysopal says. “With mobile apps, every single user who installs the app has access to the key, so it’s a more serious problem.”
This could expose a healthcare patient app, for instance, he says. “People don’t like to type in a password on a mobile device every time, so for usability, a lot of app developers are embedding the key that gives access to the back-end Web service,” Wysopal says. “But that’s inherently insecure. Anyone who gets access to the app can authenticate to that service, which is OK if it’s a public app, but not if it [handles] patient information.”
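The hard-coded key pattern Wysopal describes is one that a static scan can flag before the app ships. The following is an added example, not Veracode's tooling or code from the report: a small detector that walks Java source, finds string constants assigned to secret-looking identifiers, and uses Shannon entropy to separate real key material from ordinary configuration strings. The sample source, the class name and the key value are all constructed for this example.

```python
import math
import re

# Constructed sample of Android/Java source, modelled on the embedded-key pattern
# the article describes. The class, URL and key value are hypothetical.
SAMPLE_SOURCE = """\
package com.example.health;

public class BackendClient {
    // Hypothetical embedded credential (constructed for this example)
    private static final String API_KEY = "k8Jq3zR7vN2xP9wL4sT6yB1mC5fH0dGe";
    private static final String BASE_URL = "https://api.example.invalid/v1";
    private static final String LOG_TAG = "BackendClient";
    private static final String CIPHER = "AES/GCM/NoPadding";
    private static final String KEY_PREF_NAME = "user_session_pref";
    private static final byte[] IV = new byte[12];
}
"""

# Identifier names that suggest a secret is being assigned.
SECRET_NAME = re.compile(r"(?i)(key|secret|passw(or)?d|token|credential)")

# A String constant initialised from a literal: captures the name and the literal.
ASSIGNMENT = re.compile(r'String\s+(\w+)\s*=\s*"([^"\\]*)"')


def shannon_entropy(s):
    """Bits of entropy per character; random key material scores high,
    English-like configuration strings score low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_hardcoded_secrets(source, min_len=16, min_entropy=3.5):
    """Return (line number, identifier, entropy) for each string constant that
    has a secret-like name, is long enough to be key material, and looks random.
    The entropy threshold is what keeps KEY_PREF_NAME-style false positives out."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = ASSIGNMENT.search(line)
        if not m:
            continue
        name, literal = m.group(1), m.group(2)
        if not SECRET_NAME.search(name):
            continue
        if len(literal) < min_len:
            continue
        ent = shannon_entropy(literal)
        if ent < min_entropy:
            continue
        findings.append((lineno, name, round(ent, 2)))
    return findings


if __name__ == "__main__":
    for lineno, name, ent in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {lineno}: {name} looks like embedded key material (entropy {ent})")
```

Run against the sample, only API_KEY is reported; KEY_PREF_NAME matches the name filter but its low entropy drops it. A finding like this is the cue to replace the shared key with a per-user credential issued by the back end after the user authenticates, which is the distinction Wysopal draws between a public app and one handling patient data.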
As mobile app adoption increases by enterprises, so will the number of flaws, Quocirca’s Tarzey says. “Look for a continued increase in mobile application and firmware vulnerabilities,” he says.