July 2, 2015 By Jaikumar Vijayan 3 min read

A handful of common and understood Web application software flaws continue to pose huge problems for organizations across multiple sectors.

Security firm Veracode reviewed data from over 208,000 application analyses that it conducted on behalf of clients over the past 18 months. The analysis, titled “State of Software Security,” showed that cryptographic errors, command injection flaws, cross-site scripting (XSS) and SQL injection errors dominate the list of the most frequently encountered flaws in modern application software.

The prevalence of these flaws in applications tended to vary by industry. Cryptographic issues, or algorithmic flaws that weaken the encryption used to protect data, were a particularly big problem in the health care sector. About 80 percent of all health care applications tested had cryptographic issues, an especially troublesome fact considering the huge amount of highly personal data collected, shared and stored by health care organizations, the company noted.

Retail and technology services organizations also appeared to have a hard time overcoming crypto flaws, with well over 60 percent of applications in each sector exhibiting cryptographic vulnerabilities, according to the analysis.

XSS flaws, one of most commonly exploited in Web attacks, are a big problem for government agencies. Nearly 70 percent of applications tested in government agencies had at least one XSS-related issue, drastically outpacing other industries. Organizations across all the sectors struggled with operating system command injection flaws. More than half of the applications in the retail, technology and financial sectors had flaws that make them susceptible to attacker-supplied OS commands.

Interestingly, the analysis showed that third-party applications are not significantly better from a security standpoint compared to an in-house app. In fact, commercial, off-the-shelf apps had nearly 10 percent more vulnerabilities on average compared to an in-house application.

Multiple Factors Affect Software Security

Veracode’s report is based on manual penetration tests as well as binary and dynamic analyses of commercially purchased and internally developed applications. These programs were used by organizations in seven different industries, including health care, government, financial services, manufacturing and technology. As part of the analysis, Veracode looked at multiple application types, such as components, Web and non-Web applications and mobile applications written in multiple programming languages, including C/C++, Java, .Net, PHP and ColdFusion.

The results show that vulnerability density, discovery and remediation are dependent on a variety of factors. For example, the language in which application software is written can have a big impact on security. Applications coded in Java or .Net, for instance, do not have the buffer management problems that are common security issues with applications written in C and C++. The availability of skilled developers and other resources around a particular language can also have a big impact on security. CSO Online noted that coders may lack expertise or training in a certain language and, when they attempt to add encryption, unknowingly leave gaps that could lead to security breaches.

Process Maturity Matters

The maturity of processes used by organizations in different sectors plays a role in application security, as well, the Veracode analysis showed. Manufacturing and financial services organizations, for instance, were exceptionally efficient at remediating vulnerability issues compared to enterprises in any other sector.

Manufacturing companies fixed 81 percent of the flaws they discovered, while financial companies addressed 65 percent of the issues. Those rates are particularly impressive when compared to the remediation rates for government and health care, which sit at 27 percent and 43 percent, respectively. The difference could be due to the fact that manufacturers and financial companies have traditionally been leaders at adopting process improvement methods and are applying the same philosophy to improving software quality, as well, Veracode said.

“Based on our knowledge of these organizations, these results are correlated with an emphasis on systematic approaches focusing on centralized policies, KPIs and a culture of continuous improvement,” the report said.

Differences in organizational policies toward application security can also play a role. For example, a policy that requires developers to fix all vulnerabilities that they discover appears to actually discourage developer participation rather than encourage it. Conversely, enterprises that provide ample training and support for developers may promote maturation, bolster cooperation across departments and ultimately strengthen security.

More from

Regulatory harmonization in OT-critical infrastructure faces hurdles

3 min read - In an effort to enhance cyber resilience across critical infrastructure, the Office of the National Cyber Director (ONCD) has recently released a summary of feedback from its 2023 Cybersecurity Regulatory Harmonization Request for Information (RFI). The responses reveal major concerns from critical infrastructure industries related to operational technology (OT), such as energy, transport and manufacturing. Their worries include the current fragmented regulatory landscape and difficulty adapting to new cyber regulations. The frustration appears to be unanimous. Meanwhile, the magnitude of…

Generative AI security requires a solid framework

4 min read - How many companies intentionally refuse to use AI to get their work done faster and more efficiently? Probably none: the advantages of AI are too great to deny.The benefits AI models offer to organizations are undeniable, especially for optimizing critical operations and outputs. However, generative AI also comes with risk. According to the IBM Institute for Business Value, 96% of executives say adopting generative AI makes a security breach likely in their organization within the next three years.CISA Director Jen…

Q&A with Valentina Palmiotti, aka chompie

4 min read - The Pwn2Own computer hacking contest has been around since 2007, and during that time, there has never been a female to score a full win — until now.This milestone was reached at Pwn2Own 2024 in Vancouver, where two women, Valentina Palmiotti and Emma Kirkpatrick, each secured full wins by exploiting kernel vulnerabilities in Microsoft Windows 11. Prior to this year, only Amy Burnett and Alisa Esage had competed in the contest's 17-year history, with Esage achieving a partial win in…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today