Feeds

Patchy app development security slammed

Eight out of 10 tested apps riddled with flaws

Website security in corporate America

Eight in 10 applications failed to pass stricter security testing standards in test by application security assessment firm Veracode.

Veracode tightened up its testing procedures so that apps prone to cross-site scripting and SQL injection errors automatically failed. This zero tolerance policy reflects that fact that these two classes of errors are so frequently exploited by hackers of varied stripes to access customer data or intellectual property.

Data from the Web Hacking Incident Database suggests that 20 per cent of reported breaches can be traced back to SQL injection exploits of one type or another.

Last year, under a less strict testing regime, 57 per cent of apps failed to pass muster on first inspection. This figure has reached 80 per cent under the new zero-tolerance for SQL injection policy.

The latest edition of Veracode's State of Software Security Report covers results from the analysis of 9,910 applications submitted to Veracode’s cloud-based application security testing platform over the last 18 months. The security firm reports that government apps are "less resilient to common attacks compared to other sectors". For example, analysis by Veracode revealed that 40 percent of government web applications accessed had SQL Injection issues as compared to 29 percent for finance and 30 percent for software development firms.

The study also discovered that common application development mistakes are also creep into mobile applications. Veracode found that mobile developers tend to make similar mistakes to enterprise developers, such as the use of hard-coded cryptographic keys. More than 40 per cent of the Android applications analysed had at least one instance of this flaw, which makes it easier for attackers to launch broader assaults. Attackers need only obtain the one common key to attack all instances of a vulnerable application in the same way and (perhaps) at the same time.

On a more positive note, Veracode reckons insecure software can usually be remediated quickly, without negatively impacting rapid development cycles. More than 80 per cent of the apps that flunked Veracode's tests at the first attempt were successfully modified to make a passing grade within one week, it reports. Developer training and education can successfully improve the security quality of the applications out of the gate, Veracode adds.

The latest edition of Veracode’s State of Software Security Report can be downloaded here. The study includes more details on the most commonly exploited vulnerabilities and the risks associated with commercial software as well as a detailed remediation workflow study. ®

Protecting against web application threats using SSL

More from The Register

next story
New 'Cosmos' browser surfs the net by TXT alone
No data plan? No WiFi? No worries ... except sluggish download speed
'Windows 9' LEAK: Microsoft's playing catchup with Linux
Multiple desktops and live tiles in restored Start button star in new vids
iOS 8 release: WebGL now runs everywhere. Hurrah for 3D graphics!
HTML 5's pretty neat ... when your browser supports it
Mathematica hits the Web
Wolfram embraces the cloud, promies private cloud cut of its number-cruncher
Google extends app refund window to two hours
You now have 120 minutes to finish that game instead of 15
Mozilla shutters Labs, tells nobody it's been dead for five months
Staffer's blog reveals all as projects languish on GitHub
SUSE Linux owner Attachmate gobbled by Micro Focus for $2.3bn
Merger will lead to mainframe and COBOL powerhouse
iOS 8 Healthkit gets a bug SO Apple KILLS it. That's real healthcare!
Not fit for purpose on day of launch, says Cupertino
Profitless Twitter: We're looking to raise $1.5... yes, billion
We'll spend the dosh on transactions, biz stuff 'n' sh*t
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.