Report: Application Security Still Mostly Sucks

The third State of Software Security (SOSS) report finds that software developers are still doing a poor job of making applications secure.


Application testing firm Veracode, which compiled the report, found that 58% of almost 5,000 applications failed a security audit on the first pass – about the same level as in prior SOSS reports. Problems such as SQL injection and cross-site scripting vulnerabilities are still tripping up many of the applications that Veracode tested.

The report, the third of its kind, analyzed the outcome of 4835 application audits by Veracode. Three quarters of those were Web applications, with half written in Java and 30% in .NET. The study, which spans 18 months, found that, while SQL injection vulnerabilities were less common than in the past, the general trend in application security was unchanged. Cross-site scripting holes alone accounted for 53% of the vulnerabilities discovered by Veracode, said Chris Eng, Veracode’s Director of Research.

The Veracode data, coupled with the just-released Verizon Data Breach Investigation Report (DBIR), suggests that poor application security is a ubiquitous problem that contributes to the overall problem of data insecurity. The Verizon DBIR found that Web application attacks accounted for 22% of all the attacks that led to data breaches, and were the source of 38% of leaked records.

A number of factors contribute to the application security problem. Among them are commercial pressures within organizations to get products released, regardless of the integrity of the code. Few companies have a thorough secure development life cycle (SDLC) program, and few develop security specifications to go along with the functional and technical specifications that are critical in shaping application development early on, Eng said.

Even common sources of security holes, such as input validation, often fail to be accounted for early on in the development cycle. The company says that shared and re-used application code continues to be a source of vulnerabilities. Previous SOSS reports have called out the problem of code re-use as a major contributor to application insecurity.
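The two vulnerability classes the report singles out, SQL injection and cross-site scripting, both come down to untrusted input being treated as code. The following is an added illustration, not code from the Veracode report or from Threatpost; it uses Python and an in-memory SQLite table with constructed sample rows rather than the Java or .NET stacks the audited applications ran on, because the defensive pattern is the same in every language. It shows each vulnerable form next to its hardened form and the allow-list input validation the article says is so often left until too late.

```python
import html
import re
import sqlite3

# Constructed sample data for the demonstration; not from the report.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]

# Allow-list: only the characters a username may legitimately contain.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def make_db():
    """Create an in-memory table with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def is_valid_username(name):
    """Input validation at the boundary: reject anything outside the allow-list."""
    return USERNAME_RE.match(name) is not None


def lookup_vulnerable(conn, name):
    """SQL injection: the user value is spliced into the SQL text, so quotes
    and keywords inside it change the meaning of the query."""
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, name):
    """Hardened form: a bound parameter is always treated as data, never as
    SQL syntax, whatever characters it contains."""
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


def render_vulnerable(name):
    """Cross-site scripting: user input is written straight into HTML."""
    return "<p>Hello, " + name + "</p>"


def render_encoded(name):
    """Hardened form: HTML-encode on output so markup in the input is inert."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    conn = make_db()
    tainted = "' OR '1'='1"
    print("validation accepts tainted input:", is_valid_username(tainted))
    print("concatenated query returns:", lookup_vulnerable(conn, tainted))
    print("parameterized query returns:", lookup_parameterized(conn, tainted))
    print("encoded output:", render_encoded("<b>bob</b>"))
```

Run stand-alone, the concatenated query returns every row for the tainted value while the parameterized query returns none, and the encoded renderer turns the tags into `&lt;b&gt;`. The allow-list check rejects the tainted value before it reaches either sink, which is the "early in the development cycle" control the article describes.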

“They’ll just test (the application) to make sure it works. Security is whatever can be fit in, or whatever a developer manages to think about,” Eng said.

The more valuable the data, the more likely that firms have invested in application security, Veracode found. Financial services firms generally did a better job than other industries when it comes to application security, said Sam King, Veracode’s Vice President of Marketing. 

However, other industries may be finding religion about application security, especially with news of sophisticated attacks against EMC, Google and other firms dominating the headlines. King said that aerospace and defense firms are increasingly contracting with Veracode for application audits, joining industries like finance and software.

Hope Stuckman:

I have had problems with my computers for over 2 years now. We took it in to get fixed; it cost 500.00 dollars. I actually have tons of case numbers from Microsoft and HP, and nobody sees the things I see going on every time I get on the computer: my settings have changed, then all the internets I try to get on redirect me, and pages look fake. I bought this new computer a week ago, and I had this thing that kept appearing in my credentials on my old computer, and when I bought this one it was on it too, like it's following me. My family thought I was going crazy until my boyfriend was reading on Microsoft that a bunch of other people had the problem too; no one knew how to get rid of it. Since I loaded Kaspersky it came a few times; I kept removing it, and I haven't got on my Hotmail because my boyfriend said it was from that, so it hasn't come back. Now I am getting this 86 family controller and it will not let me load anything; nobody can help me. I first started with computers 2 years ago. I have learned a lot from this stuff going on, a lot of reading. I have already set my new computer back a few times to factory settings; I hate to have to do it, but everyone just thinks I am nuts. I don't have anything for anyone to take; I get on Facebook and play games. My passwords change all the time and I write them in my little book; I am so password out I can't think of any more. Me and my boyfriend fight constantly because I am thinking he is doing it. I just really don't know what to do right now; it would be nice to get a real web site and stay, but it is impossible. I don't see why anyone would mess with me; I have nothing, but I sure would like to sue someone for driving me crazy. Like my family says, sometimes I am feeling like it.
I am the only one who has the problem; my boyfriend doesn't on his computer, and we live together. I just hope someone can really help me get these files off. I do not want family controller on my computer, but it keeps getting on here somehow. It put all my 32 bit files to 86 and hides the 32. I have a HP laptop, 64 bit. Anyways, sorry for taking up your time.
