84% Of Development Apps Sport Known Vulnerabilities

Published: 22/11/2024   Category: security


SQL injection vulnerabilities and other flaws increase in first-version code reviews, but overall bug levels decline, reports Veracode.



Beware insecure code: according to a new study, 84% of applications fail to pass security muster on the first try, not least because two-thirds contain cross-site scripting vulnerabilities, while one-third sport SQL injection vulnerabilities.

Those findings come from the fourth State of Software Security Report from Veracode, which is based on its analysis of 9,100 application builds that were submitted to the company's code-testing service over the past 18 months.

In Veracode's previous report, released in April, fewer applications (66%) failed to pass security muster. But the increased failure rate is due to Veracode no longer allowing an application to pass even if only a few SQL injection or cross-site scripting vulnerabilities were present. Instead, it has instituted a zero-tolerance policy, driven by the ease with which such vulnerabilities can be exploited by attackers.
Here's good news from the report: the overall bug volume in development code continues to decline. "When you look at the trend of SQL injection, in particular, over our entire dataset over the past three years, quarter by quarter it's trending downwards, which means people are becoming aware of this problem and fixing these applications," said Chris Wysopal, CTO of Veracode, in an interview.

There's one notable exception, however: government agencies. "When you look at the government applications, we found that the trend is staying flat; the problem is not going down," he said.

Why is that? Interestingly, compared with other sectors, more government applications get built using ColdFusion, which Sam King, VP of product marketing for Veracode, said is an easier language in which to program. But for that reason, it tends to be used by less-experienced developers. "So maybe those developers are less experienced overall, as well as when it comes to application security development principles," she said in an interview.

It's also likely that government agencies simply aren't budgeting for code security reviews. "The government is very regulation-driven, because their budgeting process doesn't allow them to do any activities that aren't required," said Wysopal. "No matter how important the CISO or CSO of a government agency feels it is, he's not going to get budget for it if it's not a requirement. So, application security is lagging, because standards like FISMA [the Federal Information Security Management Act] that put in place the activities that a government agency must follow don't put in place application security testing," he said.

For the first time, Veracode's study also looked at Android applications, and found that mobile developers often make very similar errors to Web application developers. In particular, more than 40% of Android applications (compared with just 17% of Java applications) reviewed by Veracode contained at least one instance of a hardcoded key. "This problem of the hardcoded key is that every user of an app has the same credential for accessing the system," said Wysopal.

In Web applications, hardcoded keys only pose a moderate risk, owing to attackers not usually having access to the binary code in which the key is embedded, since it's on a server, he said. But on a mobile device, the end user has access to the binary that's running on the device. Accordingly, an attacker could reverse-engineer the application to retrieve the hardcoded keys. "This is a sort of crypto worst practice, and it nullifies the use of cryptography to secure data transmitted to the device," he said.
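As an added illustration (not code from the article or from Veracode), here is a small defender-side check for the hardcoded-key pattern described above: it scans a constructed sample of Android-style Java source for string literals bound to credential-like names and uses a Shannon-entropy threshold to skip low-entropy labels. The sample source, the name heuristic and the 3.0-bit threshold are all assumptions.

```python
import math
import re

# Constructed sample of Android-style Java source (not from the article).
SAMPLE_SOURCE = """\
package com.example.app;
public class ApiClient {
    private static final String API_KEY = "9f8e7d6c5b4a39281706f5e4d3c2b1a0";
    private static final String BASE_URL = "https://api.example.com/v1";
    private static final String LOG_TAG = "ApiClient";
    private static final byte[] AES_KEY = "s3cr3tk3y1234567".getBytes();
    private static final String KEY_PREF = "apikeyapikey";
    // Hardened form: the credential is provisioned per user at runtime,
    // so it is not baked into the APK that every user can pull apart.
    private final String sessionToken = prefs.getString("session_token", null);
}
"""

# Identifier names that suggest a credential (assumed heuristic).
KEY_NAME = re.compile(r"(?i)(key|secret|token|passw(or)?d|credential)")
# A string literal of at least 8 characters assigned directly to a name.
ASSIGN = re.compile(r'(\w+)\s*=\s*"([^"]{8,})"')


def shannon_entropy(s):
    """Bits per character; random keys score high, words and labels score low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def find_hardcoded_keys(source, min_entropy=3.0):
    """Return (line, name, value) for credential-like names bound to
    high-entropy literals. The entropy threshold is an assumption that
    filters labels such as "apikeyapikey" while keeping real-looking keys."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, value in ASSIGN.findall(line):
            if KEY_NAME.search(name) and shannon_entropy(value) >= min_entropy:
                findings.append((lineno, name, value))
    return findings


if __name__ == "__main__":
    for lineno, name, value in find_hardcoded_keys(SAMPLE_SOURCE):
        print(f"line {lineno}: {name} = {value!r} looks like a hardcoded key")
```

The runtime-provisioned `sessionToken` on the last source line is the shape of the fix the article implies: a per-user credential obtained after install carries none of the shared-secret risk of a key compiled into every copy of the app.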
More good news from the report, however, is that once organizations begin paying attention to code security, they typically get better at securing their code. Furthermore, fixing an application that fails to pass security tests often doesn't take much time. "On average, it takes four builds to go from no security to good security," said Wysopal, with that process typically only requiring about a week's time.
