Feeds

Patchy app development security slammed

Eight out of 10 tested apps riddled with flaws

Top 5 reasons to deploy VMware with Tegile

Eight in 10 applications failed to pass stricter security testing standards in test by application security assessment firm Veracode.

Veracode tightened up its testing procedures so that apps prone to cross-site scripting and SQL injection errors automatically failed. This zero tolerance policy reflects that fact that these two classes of errors are so frequently exploited by hackers of varied stripes to access customer data or intellectual property.

Data from the Web Hacking Incident Database suggests that 20 per cent of reported breaches can be traced back to SQL injection exploits of one type or another.

Last year, under a less strict testing regime, 57 per cent of apps failed to pass muster on first inspection. This figure has reached 80 per cent under the new zero-tolerance for SQL injection policy.

The latest edition of Veracode's State of Software Security Report covers results from the analysis of 9,910 applications submitted to Veracode’s cloud-based application security testing platform over the last 18 months. The security firm reports that government apps are "less resilient to common attacks compared to other sectors". For example, analysis by Veracode revealed that 40 percent of government web applications accessed had SQL Injection issues as compared to 29 percent for finance and 30 percent for software development firms.

The study also discovered that common application development mistakes are also creep into mobile applications. Veracode found that mobile developers tend to make similar mistakes to enterprise developers, such as the use of hard-coded cryptographic keys. More than 40 per cent of the Android applications analysed had at least one instance of this flaw, which makes it easier for attackers to launch broader assaults. Attackers need only obtain the one common key to attack all instances of a vulnerable application in the same way and (perhaps) at the same time.

On a more positive note, Veracode reckons insecure software can usually be remediated quickly, without negatively impacting rapid development cycles. More than 80 per cent of the apps that flunked Veracode's tests at the first attempt were successfully modified to make a passing grade within one week, it reports. Developer training and education can successfully improve the security quality of the applications out of the gate, Veracode adds.

The latest edition of Veracode’s State of Software Security Report can be downloaded here. The study includes more details on the most commonly exploited vulnerabilities and the risks associated with commercial software as well as a detailed remediation workflow study. ®

Remote control for virtualized desktops

More from The Register

next story
Download alert: Nearly ALL top 100 Android, iOS paid apps hacked
Attack of the Clones? Yeah, but much, much scarier – report
Euro Parliament VOTES to BREAK UP GOOGLE. Er, OK then
It CANNA do it, captain.They DON'T have the POWER!
NSA SOURCE CODE LEAK: Information slurp tools to appear online
Now you can run your own intelligence agency
Post-Microsoft, post-PC programming: The portable REVOLUTION
Code jockeys: count up and grab your fabulous tablets
Microsoft: Your Linux Docker containers are now OURS to command
New tool lets admins wrangle Linux apps from Windows
prev story

Whitepapers

Free virtual appliance for wire data analytics
The ExtraHop Discovery Edition is a free virtual appliance will help you to discover the performance of your applications across the network, web, VDI, database, and storage tiers.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
10 threats to successful enterprise endpoint backup
10 threats to a successful backup including issues with BYOD, slow backups and ineffective security.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Website security in corporate America
Find out how you rank among other IT managers testing your website's vulnerabilities.