84% Of Development Apps Sport Known Vulnerabilities

SQL injection vulnerabilities and other flaws increase in first-version code reviews, but overall bug levels decline, reports Veracode.

Mathew J. Schwartz, Contributor

December 9, 2011

4 Min Read

Beware insecure code: according to a new study, 84% of applications fail to pass security muster on the first try, not least because two-thirds contain cross-site scripting vulnerabilities, while one-third sport SQL injection vulnerabilities.

Those findings come from the fourth State of Software Security Report from Veracode, which is based on its analysis of 9,100 application builds that were submitted to the company's code-testing service over the past 18 months.

In Veracode's previous report, released in April, fewer applications--66%--failed to pass security muster. But the increased failure rate is due to Veracode no longer allowing an application to pass even if only a few SQL injection or cross-site scripting vulnerabilities were present. Instead, it's instituted a zero-tolerance policy, driven by the ease with which such vulnerabilities can be exploited by attackers.

[ It's been a busy year for cybercrime investigators. Check out the 8 Most Notorious Cybercrime Busts Of 2011. ]

Here's good news from the report: the overall bug volume in development code continues to decline. "When you look at the trend of SQL injection, in particular, over our entire dataset over the past three years, quarter by quarter it's trending downwards, which means people are becoming aware of this problem and fixing these applications," said Chris Wysopol, CTO of Veracode, in an interview.

There's one notable exception, however: government agencies. "When you look at the government applications, we found that the trend is staying flat; the problem is not going down," he said.

Why is that? Interestingly, compared with other sectors, more government applications get built using ColdFusion, which Sam King, VP of product marketing for Veracode, said is an easier language in which to program. But for that reason, it tends to be used by less-experienced developers. "So maybe those developers are less experienced overall, as well as when it comes to application security development principles," she said in an interview.

It's also likely that government agencies simply aren't budgeting for code security reviews . "The government is very regulation-driven, because their budgeting process doesn't allow them to do any activities that aren't required," said Wysopal.

"No matter how important the CISO or CSO of a government agency feels it is, he's not going to get budget for it if it's not a requirement. So, application security is lagging, because standards like FISMA [the Federal Information Security Management Act] that put in place the activities that a government agency must follow don't put in place application security testing," he said.

For the first time, Veracode's study also looked at Android applications, and found that mobile developers often make very similar errors to Web application developers. In particular, more than 40% of Android applications--compared with just 17% of Java applications--reviewed by Veracode contained at least one instance of a hardcoded key. "This problem of the hardcoded key is that every user of an app has the same credential for accessing the system," said Wysopal.

In Web applications, hardcoded keys only pose a moderate risk, owing to attackers not usually having access to the binary code in which the key is embedded, since it's on a server, he said. "But on a mobile device, the end user has access to the binary that's running on the device." Accordingly, an attacker could reverse-engineer the application to retrieve the hardcoded keys. "This is a sort of crypto worst practice, and it nullifies the use of cryptography to secure data transmitted to the device," he said.

More good news from the report, however, is that once organizations begin paying attention to code security, they typically get better at securing their code. Furthermore, fixing an application that fails to pass security tests often doesn't take much time. "On average, it takes four builds to go from no security to good security," said Wysopal, with that process typically only requiring about a week's time.

Role-based access control based on least user privilege is one of the most effective ways to prevent the compromise of corporate data. Our new report explains why proper provisioning is a growing challenging, due to the proliferation of "big data," NoSQL databases, and cloud-based data storage. Download the report now. (Free registration required.)

About the Author(s)

Mathew J. Schwartz


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights