BURLINGTON, Mass. – October 28, 2011 – As Halloween approaches, Veracode, Inc., provider of the world’s only independent, cloud-based application risk management platform, is highlighting the top five scariest software application flaws that could be lurking in your organization’s software portfolio. By pinpointing these commonly exploited vulnerabilities, developers, security teams and IT managers can more effectively prioritize and protect against these haunting threats.
According to Veracode, the top five scariest application security flaws for enterprises are:
· SQL Injection: When an application uses untrusted input to build an ad-hoc SQL query, allowing an attacker to change the meaning of the query. The attacker may then be able to bypass authentication checks, retrieve or modify data they should not have access to, enumerate the entire database schema and extract its contents, and, on some database platforms, execute system commands on the database server.
· Cross-Site Scripting (XSS): When an application uses untrusted input to dynamically generate a web page, allowing an attacker to inject malicious executable content such as JavaScript code.
· Information Leakage: When an application discloses too much detail about its functionality, its environment or other sensitive information. A leak such as a verbose error message, default error page, stack trace or directory listing is often not exploitable on its own, but an attacker can use it to formulate and refine an attack.
· Cryptographic Issues: A broad category covering the many ways cryptography can be misused, including missing encryption, insufficient entropy and hard-coded cryptographic keys.
· Directory Traversal: When an application uses untrusted input to specify the target of a file I/O operation (such as open, read, write or delete), allowing an attacker to reach files outside the intended directory, for example by supplying ../ sequences in a file name.
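The three flaws above that turn on untrusted input (SQL injection, cross-site scripting and directory traversal) share one shape: the input is pasted into a query, a page or a path where it changes what the operation means. The following is an added illustration written for this page, not Veracode's code or part of the original release. It shows each vulnerable form beside its hardened form, using an in-memory SQLite database and a temporary directory built inline as constructed sample data; the function and table names (make_db, login_vulnerable, login_safe, users, and so on) are this example's own choices.

```python
"""Vulnerable vs hardened handling of untrusted input: SQL injection, XSS and
directory traversal. Added example for this page; all names and sample data
are constructed here and are not from the original release."""
import html
import os
import sqlite3
import tempfile


def make_db() -> sqlite3.Connection:
    """Constructed sample database: two users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    return conn


# --- SQL injection -----------------------------------------------------------
def login_vulnerable(conn, username: str, password: str) -> bool:
    # Untrusted values are spliced into the query text, so a quote in the
    # input rewrites the WHERE clause instead of being compared as data.
    query = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username: str, password: str) -> bool:
    # Parameterized query: the SQL shape is fixed and the driver binds the
    # values as data, so quotes in the input cannot change the query.
    row = conn.execute("SELECT name FROM users WHERE name = ? AND password = ?",
                       (username, password)).fetchone()
    return row is not None


# --- Cross-site scripting ----------------------------------------------------
def greeting_vulnerable(name: str) -> str:
    # Untrusted text is dropped straight into HTML; <script> is rendered as markup.
    return "<p>Hello, %s</p>" % name


def greeting_safe(name: str) -> str:
    # Encode for the HTML context (quote=True also covers attribute values).
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


# --- Directory traversal -----------------------------------------------------
def read_file_vulnerable(base_dir: str, requested: str) -> bytes:
    # The untrusted name is the target of the open() with no containment check,
    # so "../" walks out of base_dir.
    with open(os.path.join(base_dir, requested), "rb") as fh:
        return fh.read()


def read_file_safe(base_dir: str, requested: str) -> bytes:
    # Canonicalize both paths (resolving "..", symlinks and absolute inputs),
    # then require the target to stay inside the allowed directory.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("requested path escapes the allowed directory")
    with open(target, "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Run each attack against the vulnerable and hardened forms."""
    conn = make_db()
    payload = "' OR '1'='1"          # classic authentication-bypass payload
    results = {
        "vulnerable_bypass": login_vulnerable(conn, "alice", payload),
        "safe_bypass": login_safe(conn, "alice", payload),
        "safe_legit_login": login_safe(conn, "alice", "s3cret"),
        "vulnerable_xss": greeting_vulnerable("<script>alert(1)</script>"),
        "safe_xss": greeting_safe("<script>alert(1)</script>"),
    }
    with tempfile.TemporaryDirectory() as tmp:
        public = os.path.join(tmp, "public")   # the only directory users may read
        os.mkdir(public)
        with open(os.path.join(public, "hello.txt"), "w") as fh:
            fh.write("hi")
        with open(os.path.join(tmp, "secret.txt"), "w") as fh:   # outside public/
            fh.write("key")
        results["vulnerable_traversal"] = read_file_vulnerable(public, "../secret.txt")
        try:
            read_file_safe(public, "../secret.txt")
            results["safe_traversal_blocked"] = False
        except PermissionError:
            results["safe_traversal_blocked"] = True
        results["safe_legit_read"] = read_file_safe(public, "hello.txt")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

With the payload in the password field, the vulnerable query becomes `... AND password = '' OR '1'='1'`, which is true for every row, so the check passes without a valid password; the parameterized version compares the payload literally and fails. The same pattern holds for the other two: the fix is to keep untrusted data in a data position (bound parameter, encoded text, canonicalized and contained path) rather than filtering bad characters out of it.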
To learn more about these top software vulnerabilities, the impact potential attacks could have on a company’s application portfolio and its customers, and guidelines for developing a programmatic approach to verifying the security of critical applications, go to http://info.veracode.com/10611TopFiveMostPrevalentApp_TopFiveMostPrevalentApp.html and view the “Top 5 Most Prevalent Web Application Vulnerabilities” webcast delivered by Chris Eng, vice president of research, Veracode. For a general overview of application security risks faced by organizations today, go to http://info.veracode.com/082911-ApplicationSecurityFundamentals-ChrisWysopal_webinarApplicationSecurityFundamentals.html and view the “Application Security Fundamentals” webcast delivered by Chris Wysopal, CTO & CISO, Veracode.
About Veracode
Veracode is the world’s leader in cloud-based application risk management. With patented binary code analysis, dynamic Web assessments and developer e-learning, Veracode SecurityReview® is the most accurate and cost-effective way to independently verify application security in both internally developed applications and third-party software without requiring source code or expensive tools. Veracode provides the simplest, most complete way to implement security best practices, reduce operational cost and comply with internal security policies or external standards such as the OWASP Top 10, CWE/SANS Top 25 and PCI. Veracode works with global organizations across multiple vertical industries including Barclays PLC, California Public Employees’ Retirement System (CalPERS), Computershare and the Federal Aviation Administration (FAA). For more information, visit www.veracode.com, follow on Twitter: @Veracode or read the ZeroDay Labs blog.
Copyright © 2010 Veracode, Inc. All Rights Reserved. All other brand names, product names, or trademarks belong to their respective holders.
Media Contacts:
Liz Campbell
fama PR
phone: +1 617-758-4149
email: veracode@famapr.com