Veracode State of Software Security Report Finds Eight Out of 10 Applications Fail to Meet New Security Standards
December 2011 by Veracode
Veracode, Inc., released its latest “State of Software Security Report.” Volume 4 results are based on more stringent analysis criteria, including a zero tolerance policy for Cross-Site Scripting (XSS) and SQL Injection. Considered “low-hanging fruit” because of their prevalence in software applications, XSS and SQL Injection are two of the most frequently exploited vulnerabilities, often providing a gateway to customer data and intellectual property. When applying the new analysis criteria, Veracode reports that eight out of 10 applications fail to meet acceptable levels of security, marking a significant decline from past reports.
The latest State of Software Security Report captures data collected over the past 18 months from the analysis of 9,910 applications (compared to 4,835 applications in Volume 3) that were submitted to Veracode’s cloud-based application security testing platform. The report examines the security quality of applications across a number of variables including supplier type, language and industry. For Volume 4, Veracode conducted a deep comparative analysis of government applications against other industries such as finance and software, and, for the first time, examined Android security trends.
One of the goals of the State of Software Security Report is to create greater awareness and security intelligence about the risks of unknown vulnerabilities lurking in everyday applications. The results are aimed at creating a greater sense of urgency around the problem of insecure software, while also giving organizations the information they need to quickly take action. Veracode also emphasizes the ease with which organizations can incorporate software testing into current development cycles. This version of the report clearly demonstrates the positive impact of developer training and education on the security quality of the applications they are developing. Following are highlights from the report.
Zero Tolerance for XSS and SQL Injection Errors Leads to Steep Decline in Application Security Performance: As a result of strengthening the overall analysis criteria, including a zero tolerance policy for XSS and SQL Injection errors, eight out of 10 applications across the Veracode dataset failed to meet acceptable security standards. Specifically for web applications, this report showed a high concentration of XSS and SQL Injection vulnerabilities, with XSS present in 68 percent of all web applications and SQL Injection present in 32 percent of all web applications. Data from the Web Hacking Incident Database supports the need for a zero tolerance policy with 20 percent of reported incidents attributed to a SQL Injection exploit. Given this threat environment, organizations should implement stricter security policies that allow for the discovery and timely remediation of these vulnerability types.
Veracode demonstrates that insecure software can be remediated quickly, without negatively impacting rapid development cycles. In fact, an overwhelming majority (more than 80 percent) of applications that failed to achieve acceptable security standards on initial submission were able to achieve a passing grade within one week. Veracode also revisited the impact of application security training and education, finding that better-trained developers do produce more secure software out of the gate.
Government Applications Are Less Resilient to Common Attacks Compared to Other Sectors: With an increasingly acute, global awareness of the potential impact of insecure software on national security, government agencies are following their private sector peers in the quest for more secure software. Veracode analyzed U.S. federal, state and local government applications, which operate critical systems and process critical data such as personally identifiable information (PII) and national security data, and found that they lag behind other industries in key areas.
For example, government web applications have a much higher incidence of XSS and SQL Injection compared to other sectors. Analysis showed that 40 percent of government web applications had SQL Injection issues as compared to 29 percent for finance and 30 percent for software. Of note, while SQL Injection was trending lower for the overall dataset, in government applications it remains flat. Given the gravity of cyber security risks and the potential impact on national assets, these results further reinforce the need for dedicated developer training and education, and the importance of instituting a programmatic approach to security testing within the government sector.
Common Application Development Mistakes Creep Into Mobile: With organizations seeking to balance employee mobility and productivity against mobile security risk in the “Bring Your Own Device” or BYOD era, Veracode included analysis of Android applications for the first time. Veracode found that mobile developers tend to make the same kinds of mistakes as enterprise developers, specifically the use of hard-coded cryptographic keys. More than 40 percent of the Android applications analyzed had at least one instance of this flaw. Hard-coded keys are a problem because every installed instance of the application uses the same key, making it easier for an attacker to initiate a broader assault.
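The hard-coded-key flaw described above is one that a simple source scan can surface before an application ships. The following is an added example, not Veracode's scanner or any code from the report: a heuristic Python checker that flags Java key literals (a `byte[]` named like a key, a long string literal assigned to a KEY/SECRET/PASSWORD constant, or a `SecretKeySpec` built directly from a literal) and computes the report's "share of apps with at least one instance" metric. The two sample apps and their source files are constructed for the demonstration; the regexes are assumptions about common coding patterns, not an exhaustive rule set.

```python
"""Heuristic scanner for hard-coded cryptographic keys in Android/Java source.

Added example (not Veracode's tooling). The sample apps below are constructed
for this demonstration, and the patterns are assumptions about common idioms.
"""
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample sources: one app that bakes a key into the binary,
# one that generates its key on the device at runtime.
SAMPLE_APPS: Dict[str, Dict[str, str]] = {
    "app-flawed": {
        "CryptoHelper.java": """\
package com.example.flawed;
import javax.crypto.spec.SecretKeySpec;
public class CryptoHelper {
    // Flaw: the key is compiled into the APK, so every installed copy shares it
    private static final byte[] KEY = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
                                       0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f};
    private static final String API_SECRET = "constructed-placeholder-secret-value";
    private static final String KEY_ALIAS = "app_key"; // a label, not key material
    SecretKeySpec spec() { return new SecretKeySpec(KEY, "AES"); }
}
""",
    },
    "app-sound": {
        "KeyHelper.java": """\
package com.example.sound;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
public class KeyHelper {
    // Key generated on the device at first run, so each install holds a different key
    static SecretKey newKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey();
    }
}
""",
    },
}

Finding = Tuple[str, int, str]  # (file path, line number, rule id)

# Each rule: id, compiled regex, and a predicate on the match for extra filtering.
RULES: List[Tuple[str, "re.Pattern[str]", Callable[["re.Match[str]"], bool]]] = [
    # A byte array whose name suggests key material, initialised from literals.
    ("byte-array-key",
     re.compile(r'byte\s*\[\]\s*\w*(?:KEY|SECRET)\w*\s*=\s*\{', re.IGNORECASE),
     lambda m: True),
    # A String constant named like a secret, assigned a literal long enough to be
    # key material (short literals are usually aliases or labels).
    ("string-key-literal",
     re.compile(r'String\s+\w*(?:KEY|SECRET|PASSWORD)\w*\s*=\s*"([^"]*)"', re.IGNORECASE),
     lambda m: len(m.group(1)) >= 16),
    # A SecretKeySpec constructed directly from an inline byte or string literal.
    ("inline-secretkeyspec",
     re.compile(r'new\s+SecretKeySpec\s*\(\s*(?:new\s+byte\s*\[\]\s*\{|"[^"]*"\.getBytes)'),
     lambda m: True),
]


def scan_source(path: str, source: str) -> List[Finding]:
    """Return every (path, line, rule) hit in one source file, in line order."""
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule_id, pattern, keep in RULES:
            match = pattern.search(line)
            if match and keep(match):
                findings.append((path, lineno, rule_id))
    return findings


def scan_app(files: Dict[str, str]) -> List[Finding]:
    """Scan all source files of one application."""
    findings: List[Finding] = []
    for path, source in files.items():
        findings.extend(scan_source(path, source))
    return findings


def share_with_flaw(apps: Dict[str, Dict[str, str]]) -> float:
    """Fraction of apps with at least one hard-coded-key finding (the report's metric)."""
    if not apps:
        return 0.0
    flagged = sum(1 for files in apps.values() if scan_app(files))
    return flagged / len(apps)


if __name__ == "__main__":
    for app_name, files in SAMPLE_APPS.items():
        for path, lineno, rule_id in scan_app(files):
            print(f"{app_name}/{path}:{lineno}: {rule_id}")
    print(f"apps with at least one hard-coded key: {share_with_flaw(SAMPLE_APPS):.0%}")
```

The scan is deliberately line-based and conservative: it catches the common idioms (a literal key array, a long secret string, a `SecretKeySpec` wrapped around a literal) and lets `KEY_ALIAS = "app_key"` through because a short label is not key material. A key split across helper methods, Base64-decoded at runtime, or stored in a resource file would evade these patterns, so treat a clean result as "nothing obvious", not as proof of absence; the remediation the sound sample shows is to derive the key on the device so that no two installs share it.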
“With the majority of recently reported breaches caused by attackers exploiting weaknesses in web applications or desktop software, often taking advantage of common XSS or SQL Injection flaws, we decided it was time to become even more stringent to reflect the realities of the threat landscape and raise the bar on what should be deemed secure software,” said Chris Wysopal, founder, CISO and CTO, Veracode. “We feel strongly that there must be a greater sense of urgency. Our hope with this report is that by raising the visibility of software-related business risk, we will encourage the industry to adopt a long-term commitment to protecting our software infrastructure.”