July 2, 2015 By Jaikumar Vijayan 3 min read

A handful of common and understood Web application software flaws continue to pose huge problems for organizations across multiple sectors.

Security firm Veracode reviewed data from over 208,000 application analyses that it conducted on behalf of clients over the past 18 months. The analysis, titled “State of Software Security,” showed that cryptographic errors, command injection flaws, cross-site scripting (XSS) and SQL injection errors dominate the list of the most frequently encountered flaws in modern application software.

The prevalence of these flaws in applications tended to vary by industry. Cryptographic issues, or algorithmic flaws that weaken the encryption used to protect data, were a particularly big problem in the health care sector. About 80 percent of all health care applications tested had cryptographic issues, an especially troublesome fact considering the huge amount of highly personal data collected, shared and stored by health care organizations, the company noted.

Retail and technology services organizations also appeared to have a hard time overcoming crypto flaws, with well over 60 percent of applications in each sector exhibiting cryptographic vulnerabilities, according to the analysis.

XSS flaws, one of most commonly exploited in Web attacks, are a big problem for government agencies. Nearly 70 percent of applications tested in government agencies had at least one XSS-related issue, drastically outpacing other industries. Organizations across all the sectors struggled with operating system command injection flaws. More than half of the applications in the retail, technology and financial sectors had flaws that make them susceptible to attacker-supplied OS commands.

Interestingly, the analysis showed that third-party applications are not significantly better from a security standpoint compared to an in-house app. In fact, commercial, off-the-shelf apps had nearly 10 percent more vulnerabilities on average compared to an in-house application.

Multiple Factors Affect Software Security

Veracode’s report is based on manual penetration tests as well as binary and dynamic analyses of commercially purchased and internally developed applications. These programs were used by organizations in seven different industries, including health care, government, financial services, manufacturing and technology. As part of the analysis, Veracode looked at multiple application types, such as components, Web and non-Web applications and mobile applications written in multiple programming languages, including C/C++, Java, .Net, PHP and ColdFusion.

The results show that vulnerability density, discovery and remediation are dependent on a variety of factors. For example, the language in which application software is written can have a big impact on security. Applications coded in Java or .Net, for instance, do not have the buffer management problems that are common security issues with applications written in C and C++. The availability of skilled developers and other resources around a particular language can also have a big impact on security. CSO Online noted that coders may lack expertise or training in a certain language and, when they attempt to add encryption, unknowingly leave gaps that could lead to security breaches.

Process Maturity Matters

The maturity of processes used by organizations in different sectors plays a role in application security, as well, the Veracode analysis showed. Manufacturing and financial services organizations, for instance, were exceptionally efficient at remediating vulnerability issues compared to enterprises in any other sector.

Manufacturing companies fixed 81 percent of the flaws they discovered, while financial companies addressed 65 percent of the issues. Those rates are particularly impressive when compared to the remediation rates for government and health care, which sit at 27 percent and 43 percent, respectively. The difference could be due to the fact that manufacturers and financial companies have traditionally been leaders at adopting process improvement methods and are applying the same philosophy to improving software quality, as well, Veracode said.

“Based on our knowledge of these organizations, these results are correlated with an emphasis on systematic approaches focusing on centralized policies, KPIs and a culture of continuous improvement,” the report said.

Differences in organizational policies toward application security can also play a role. For example, a policy that requires developers to fix all vulnerabilities that they discover appears to actually discourage developer participation rather than encourage it. Conversely, enterprises that provide ample training and support for developers may promote maturation, bolster cooperation across departments and ultimately strengthen security.

More from

Trends: Hardware gets AI updates in 2024

4 min read - The surge in artificial intelligence (AI) usage over the past two and a half years has dramatically changed not only software but hardware as well. As AI usage continues to evolve, PC makers have found in AI an opportunity to improve end-user devices by offering AI-specific hardware and marketing them as "AI PCs."Pre-AI hardware, adapted for AIA few years ago, AI often depended on hardware that was not explicitly designed for AI. One example is graphics processors. Nvidia Graphics Processing…

Cybersecurity Awareness Month: Cybersecurity awareness for developers

3 min read - It's the 21st annual Cybersecurity Awareness Month, and we’re covering many different angles to help organizations manage their cybersecurity challenges. In this mini-series of articles, we’re focusing on specific job roles outside of cybersecurity and how their teams approach security.For developers, cybersecurity has historically been a love-hate issue. The common school of thought is that coders are frustrated with having to tailor their work to fit within cybersecurity rules. However, many companies are embracing a security-first approach, and some developers…

Spooky action: Phantom domains create hijackable hyperlinks

4 min read - According to a recent paper published at the 2024 Web Conference, so-called "phantom domains" make it possible for malicious actors to hijack hyperlinks and exploit users' trust in familiar websites.The research defines phantom domains as active links to dot-com domains that have never been registered.Here's what enterprises need to know about how phantom domains emerge, the potential risks they represent and what they can do to disrupt phantom attacks. There are two common types of phantom domains: Errors and placeholders.Domain errorsErrors…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today