A new report out from security testing firm Veracode suggests that reused and third party code is a big source of application insecurity.
Veracode Inc. released its second State of Software Security Report on Wednesday. The report, which was based on Veracode’s analysis of 2,922 applications, found that fully 60 percent of those submitted to Veracode for security verification failed on their first submission – up from 58 percent in the first State of Software Security Report. As in that report, third-party application code and reused code were a major source of application insecurity, Veracode found.
The second volume of Veracode’s semi-annual report covers 1,400 more applications than were analyzed for Volume 1, which was released in March 2010. Fifty-seven percent of the applications scanned failed to pass the Veracode quality test on their first submission, and more than 80 percent of Web applications failed to pass a scan for the OWASP Top 10 Web application errors.
Cross-site scripting attacks continued to be the most prevalent type of security vulnerability, accounting for 51% of all vulnerabilities uncovered by Veracode. SQL injection is also a leading type of vulnerability and a top attack vector. Forty-one percent of the applications scanned were found to have “cryptographic issues,” a category of vulnerability that could include sensitive data that was unencrypted or inadequately encrypted, the report found.
The security of Web applications has been in the headlines recently. Last week, researchers at a conference in Argentina demonstrated an attack that could circumvent security protections in millions of Web applications that use Microsoft’s ASP (Active Server Pages) .NET technology. Recent threats like the Stuxnet worm have also focused on exploiting application holes – in Stuxnet’s case, a hard-coded administrative password in Siemens industrial control software.
Veracode’s study combines the results of a variety of types of testing, including static binary analysis, dynamic code analysis and manual testing. The company said its larger application testing base – 200 percent larger than that used for Volume 1 of the State of Software Security – makes for a better picture of the application security space. In assigning “pass” versus “fail” grades, the company takes into account the application’s score on its various code analysis tests, as well as the application’s importance: how sensitive the data that it handles is.
The picture that emerged isn’t encouraging. Third-party code was found to be a major source of application vulnerabilities – and to be ubiquitous. Between 30% and 70% of applications submitted to Veracode as “internally developed” were found to contain code from third-party suppliers, said Chris Eng, Senior Director of Security Research at Veracode. Often, that code comes in the form of third-party code libraries used to develop the applications, special-purpose tools acquired for use internally, or applications inherited through mergers and acquisitions, he said.
Simple cutting and pasting of code is also common, Eng said, which means that mistakes made once can metastasize across a wide ecosystem of applications.
“Lots of times we see code copied from the documentation of an API and it’s a vulnerable piece of code,” Eng said.
Veracode said it found more evidence of back doors in the applications it analyzed, and some instances of malicious back doors, data-stealing Trojans and logic bombs. Such suspect or malicious elements may account for as much as 2% of the vulnerabilities discovered, Eng said.
Still, inadvertent errors and poor implementation of features were the biggest source of vulnerabilities, Eng said. The prevalence of cross-site scripting and SQL injection holes points to the need for better developer education and training, he said.
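The two vulnerability classes Eng singles out, SQL injection and cross-site scripting, are exactly the kind of defect that gets copied from a documentation snippet into many applications. The following is an added illustration, not code from the Veracode report or from any application it analyzed: it places the copy-paste pattern (string concatenation into a SQL statement, raw user input written into HTML) beside the hardened form (a bound parameter, output encoding) and exercises both against a constructed in-memory table so the difference is observable. The table, its rows and the input strings are all constructed for this example.

```python
import html
import sqlite3


def make_db():
    """Build a constructed in-memory table; names and roles are sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # The copy-paste pattern: the input is spliced into the statement text,
    # so anything the caller supplies is parsed as SQL grammar, not as a value.
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_safe(conn, name):
    # Hardened form: the driver binds the value; the statement text is fixed
    # and the input can only ever be compared against the name column.
    rows = conn.execute("SELECT role FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)


def render_vulnerable(name):
    # Raw input written into the page: markup in the input becomes live markup.
    return "<p>Hello, " + name + "</p>"


def render_safe(name):
    # Hardened form: HTML-encode on output so the input renders as text.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def compare(name):
    """Run one input through both forms; returns the four results for review."""
    conn = make_db()
    return {
        "sql_vulnerable": lookup_vulnerable(conn, name),
        "sql_safe": lookup_safe(conn, name),
        "html_vulnerable": render_vulnerable(name),
        "html_safe": render_safe(name),
    }


if __name__ == "__main__":
    # A benign lookup behaves the same either way ...
    print(compare("alice"))
    # ... a tautology in the input shows the vulnerable query returning every row
    # while the bound query returns nothing, and the encoded greeting keeps the
    # quote characters inert.
    print(compare("x' OR '1'='1"))
```

The point for a code reviewer is that the two query functions look almost identical; the only reliable way to catch the difference at scale is a static rule that flags string building in statement text, which is what a scan for the OWASP Top 10 is doing.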
In industry verticals that have emphasized secure coding, such as financial services and government, there appears to be a pay-off. Just 40 percent of applications submitted by Veracode government customers failed to pass on their first scan, compared with 56 percent for financial services and 60 percent for the software vertical.