A handful of common and understood Web application software flaws continue to pose huge problems for organizations across multiple sectors.
Security firm Veracode reviewed data from over 208,000 application analyses that it conducted on behalf of clients over the past 18 months. The analysis, titled “State of Software Security,” showed that cryptographic errors, command injection flaws, cross-site scripting (XSS) and SQL injection errors dominate the list of the most frequently encountered flaws in modern application software.
The prevalence of these flaws in applications tended to vary by industry. Cryptographic issues, or algorithmic flaws that weaken the encryption used to protect data, were a particularly big problem in the health care sector. About 80 percent of all health care applications tested had cryptographic issues, an especially troublesome fact considering the huge amount of highly personal data collected, shared and stored by health care organizations, the company noted.
Retail and technology services organizations also appeared to have a hard time overcoming crypto flaws, with well over 60 percent of applications in each sector exhibiting cryptographic vulnerabilities, according to the analysis.
XSS flaws, one of most commonly exploited in Web attacks, are a big problem for government agencies. Nearly 70 percent of applications tested in government agencies had at least one XSS-related issue, drastically outpacing other industries. Organizations across all the sectors struggled with operating system command injection flaws. More than half of the applications in the retail, technology and financial sectors had flaws that make them susceptible to attacker-supplied OS commands.
Interestingly, the analysis showed that third-party applications are not significantly better from a security standpoint compared to an in-house app. In fact, commercial, off-the-shelf apps had nearly 10 percent more vulnerabilities on average compared to an in-house application.
Multiple Factors Affect Software Security
Veracode’s report is based on manual penetration tests as well as binary and dynamic analyses of commercially purchased and internally developed applications. These programs were used by organizations in seven different industries, including health care, government, financial services, manufacturing and technology. As part of the analysis, Veracode looked at multiple application types, such as components, Web and non-Web applications and mobile applications written in multiple programming languages, including C/C++, Java, .Net, PHP and ColdFusion.
The results show that vulnerability density, discovery and remediation are dependent on a variety of factors. For example, the language in which application software is written can have a big impact on security. Applications coded in Java or .Net, for instance, do not have the buffer management problems that are common security issues with applications written in C and C++. The availability of skilled developers and other resources around a particular language can also have a big impact on security. CSO Online noted that coders may lack expertise or training in a certain language and, when they attempt to add encryption, unknowingly leave gaps that could lead to security breaches.
Process Maturity Matters
The maturity of processes used by organizations in different sectors plays a role in application security, as well, the Veracode analysis showed. Manufacturing and financial services organizations, for instance, were exceptionally efficient at remediating vulnerability issues compared to enterprises in any other sector.
Manufacturing companies fixed 81 percent of the flaws they discovered, while financial companies addressed 65 percent of the issues. Those rates are particularly impressive when compared to the remediation rates for government and health care, which sit at 27 percent and 43 percent, respectively. The difference could be due to the fact that manufacturers and financial companies have traditionally been leaders at adopting process improvement methods and are applying the same philosophy to improving software quality, as well, Veracode said.
“Based on our knowledge of these organizations, these results are correlated with an emphasis on systematic approaches focusing on centralized policies, KPIs and a culture of continuous improvement,” the report said.
Differences in organizational policies toward application security can also play a role. For example, a policy that requires developers to fix all vulnerabilities that they discover appears to actually discourage developer participation rather than encourage it. Conversely, enterprises that provide ample training and support for developers may promote maturation, bolster cooperation across departments and ultimately strengthen security.