Veracode Launches Free XSS Bug Scanning Service

Offering detects cross-site scripting flaws in Java applications, provides reports, remediation information

Cross-site scripting is typically among the easiest vulnerabilities to detect and fix, yet it remains one of the most pervasive. Veracode turned up the heat on the bug today with a free service that scans Java-based applications for XSS.

Veracode's new, cloud-based Free XSS Detection Service offers a free XSS scan for one Java-based application per user, and is available for 30 days to anyone who signs up for it. "We want to eradicate XSS. It sounds like a lofty goal, but we felt it was about time someone took this issue more seriously," says Sam King, vice president of product marketing for Veracode.

XSS long has been at the top of the list of most common flaws found in applications. According to Veracode's recent State of Software Security Report, XSS was the No. 1 flaw in all applications: It accounted for 51 percent of all vulnerabilities found by Veracode.

"It doesn't have to be this way," King says. "Most cross-site scripting issues are relatively easy to find and easy to fix."

And King says the free XSS scan may be only the beginning: Veracode is considering doing the same for SQL injection, another common bug in apps, and other vulnerabilities. Veracode went with Java apps initially because Java is the most common development platform among the applications its customers submit to the company's security scanning service.

The free service includes a detailed report on the XSS flaws, as well as information on how to fix them and free access to Veracode's XSS e-learning courses. "It's a one-time offer; you can upload one application, and we provide the results" of the scan as well as remediation information, says Fergal Glynn, senior product manager for Veracode.

While the free service gives Veracode a pipeline of potential new customers, it is also a significant step toward more widespread XSS awareness among developers, especially those at smaller organizations. "I think the uptick will be good," says Chenxi Wang, vice president and principal analyst with Forrester Research, who first came up with the idea for a free XSS scan.

Wang says she thinks the move by Veracode could encourage other security vendors to also offer free scanning services for XSS. Eliminating the majority of XSS bugs in apps would be a big step in making Web apps more secure. "If you do anything in software security in 2011, [you should] do this," she says.

This isn't the first free scanning offering for finding vulnerabilities in applications: WhiteHat Security has done so in the past. But the offers typically didn't generate many new regular customers for the firm, notes Jeremiah Grossman, founder and CTO at WhiteHat. Grossman says that may be because those who were serious about securing their apps were more likely to sign on as paying customers. "But maybe our [experience] was the exception" and Veracode's standing free service will attract more customers, he says.

WhiteHat would consider offering another free service of its own if the Veracode service takes off, he says. "We give away free assessments all the time. But we've never stood up a long-term service like [Veracode] has," Grossman says.

Whether users of the free service will actually go and fix the XSS bugs Veracode finds for them is unclear. Veracode detects up to tens of thousands of XSS vulnerabilities in a week, according to the company, and while some customers fix them and then upload a new build to Veracode the next day, others don't bother correcting the XSS flaws at all.

Wang says Veracode's free scan is more likely to be used by developers who will follow through with fixing their XSS bugs. "It won't get people who don't want to fix [the vulnerabilities]," she says.

Why has XSS been so hard to kill? It's the volume of XSS bugs an organization harbors, WhiteHat's Grossman says. While it's easy to fix the bugs when they are discovered, it's not so simple to do so when they span a large number of sites companywide, he says.

Veracode's new service is available for sign-up here.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
