Report: Application Security Still Mostly Sucks

The third State of Software Security (SOSS) report finds that software developers are still doing a poor job of making applications secure.

The third State of Software Security (SOSS) report finds that software developers are still doing a poor job of making applications secure.

Application testing firm Veracode, which compiled the report, found that 58% of almost 5,000 applications failing a security audit on the first pass – about the same level as prior SOSS reports. Problems such as SQL injection and cross site scripting vulnerabilities still tripping up many applications that Veracode tested.

The report, the third of its kind, analyzed the outcome of 4835 application audits by Veracode. Three quarters of those were Web applications, with half writing in Java and 30% in .NET. The study, which spans 18 months, found that, while SQL injection vulnerabilities were less common than in the past, the general trend in application was unchanged. Cross site scripting holes alone accounted for 53% of the vulnerabilities discovered by Veracode, said Chris Eng, Veracode’s Director of Research.

The Veracode data, coupled with the just-released Verizon Data Breach Investigation Report (DBIR) suggests that poor application security is a ubiquitous problem that contributes to the overall problem of data insecurity. The Verizon DBIR found that Web application attacks accounted for 22% of all the attacks that led to data breaches, and were the source of 38% of leaked records.

A number of factors contribute to the application security problem. Among them are commercial pressures within organizations to get products released, regardless of the integrity of the code. Few companies have a thorough secure development life cycle (sdlc) program and few develop security specifications to go along with the functional and technical specifications that are critical in shaping application development early on, Eng said.

Even common sources of security holes, such as input validation, often fail to be accounted for early on in the development cycle. The company says that shared and re-used application code continues to be a source of vulnerabilities. Previous SOSS reports have called out the problem of code re-use as a major contributor to application insecurity.

“They’ll just test (the application) to make sure it works. Security is whatever can be fit in, or whatever a developer manages to think about,” Eng said.

The more valuable the data, the more likely that firms have invested in application security, Veracode found. Financial services firms generally did a better job than other industries when it comes to application security, said Sam King, Veracode’s Vice President of Marketing. 

However, other industries may be finding religion about application security, especially with headlines about sophisticated attacks against EMC, Google and other firms dominating the headlines. King said that aerospace and defense firms are increasingly contracting with Veracode for application audits, joining industries like finance and software.   

Suggested articles