Ninety-six percent of applications tested have at least one security vulnerability, according to a study published by application security firm Cenzic earlier this week. This figure has dropped slightly -- the same study turned up flaws in 99% of apps in 2011 and 1012 -- but the vulnerabilities remain nearly ubiquitous.
In fact, the median number of vulnerabilities per application found in this year's study – 14 – is actually greater than it was in the previous year – 13.
"While some improvements in the development process have been made, other newer areas of vulnerability have emerged," says Bala Venkat, chief marketing officer at Cenzic, which compiled the numbers through an analysis of production applications scanned by its tools. "It's a graphic illustration of the gigantic game of whack-a-mole that enterprises and software developers are playing – and a clear message that it's time to rethink the way we develop and test our applications."
Information leakage -- in which an application exposes information about itself, its connections, or its users -- was the primary category of vulnerability in this year's study, accounting for almost one quarter (23 percent) of security flaws. This category displaced older vulnerabilities such as cross-site scripting (XSS), which still is found in almost as many applications.
"We found that the growth of mobile and cloud applications is causing a slight shift in the types of vulnerabilities we are finding," Venkat says. "But the prevalence of vulnerabilities has not changed significantly."
Enterprises and their software development teams need to rethink their processes, Venkat says, focusing more attention on security during the development cycle.
"Web application firewalls can also help enterprises identify vulnerabilities early and prevent them from leading to greater damage," Venkat says. Closer attention to basic issues such as server configuration can also help enterprises to minimize the impact of vulnerabilities in their applications, he adds.
"One of the chief obstacles that remain is to get software developers and enterprises to stop thinking of vulnerability scanning as a one-time project," Venkat stated. "As web applications evolve and make their journey traversing various production environments, the incidence of vulnerabilities is growing, not shrinking. Applications development and security teams must get together and implement a plan for continuous proactive monitoring of vulnerabilities, rather than the traditional, annual quality assessment."
Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.