BURLINGTON, Mass. – December 07, 2011 – Veracode, Inc., today released its latest “State of Software Security Report.” Volume 4 results are based on more stringent analysis criteria, including a zero tolerance policy for Cross-Site Scripting (XSS) and SQL Injection. Considered “low hanging fruit” because of their prevalence in software applications, XSS and SQL Injection are two of the most frequently exploited vulnerabilities, often providing a gateway to customer data and intellectual property. When applying the new analysis criteria, Veracode reports eight out of 10 applications fail to meet acceptable levels of security, marking a significant decline from past reports.
The latest State of Software Security Report captures data collected over the past 18 months from the analysis of 9,910 applications (compared to 4,835 applications in Volume 3) that were submitted to Veracode’s cloud-based application security testing platform. The report examines the security quality of applications across a number of variables including supplier type, language and industry. For Volume 4, Veracode conducted a deep comparative analysis of government applications against other industries such as finance and software, and, for the first time, examined Android security trends.
One of the goals of the State of Software Security Report is to create greater awareness and security intelligence about the risks of unknown vulnerabilities lurking in everyday applications. The results are aimed at creating a greater sense of urgency around the problem of insecure software, while also giving organizations the information they need to quickly take action. Veracode also emphasizes the ease with which organizations can incorporate software testing into current development cycles. This version of the report clearly demonstrates the positive impact of developer training and education on the security quality of the applications they are developing. Following are highlights from the report.
Zero Tolerance for XSS and SQL Injection Errors Leads to Steep Decline in Application Security Performance: As a result of strengthening the overall analysis criteria, including a zero tolerance policy for XSS and SQL Injection errors, eight out of 10 applications across the Veracode dataset failed to meet acceptable security standards. Specifically for web applications, this report showed a high concentration of XSS and SQL Injection vulnerabilities, with XSS present in 68 percent of all web applications and SQL Injection present in 32 percent of all web applications. Data from the Web Hacking Incident Database supports the need for a zero tolerance policy with 20 percent of reported incidents attributed to a SQL Injection exploit. Given this threat environment, organizations should implement stricter security policies that allow for the discovery and timely remediation of these vulnerability types.
Veracode demonstrates that insecure software can be remediated quickly, without negatively impacting rapid development cycles. In fact, an overwhelming majority (more than 80 percent) of applications that failed to achieve acceptable security standards on initial submission were able to achieve a passing grade within one week. Veracode also revisited the impact of application security training and education finding that better trained developers do produce more secure software out of the gate.
Government Applications Are Less Resilient to Common Attacks Compared to Other Sectors: With an increasingly acute, global awareness of the potential impact of insecure software on national security, government agencies are following their private sector peers in the quest for more secure software. Veracode analyzed U.S. federal, state and local government applications, which operate critical systems and process critical data such as personally identifiable information (PII) and national security data, and found that they lag behind other industries in key areas.
For example, government web applications have a much higher incidence of XSS and SQL Injection compared to other sectors. Analysis showed that 40 percent of government web applications had SQL Injection issues as compared to 29 percent for finance and 30 percent for software. Of note, while SQL Injection was trending lower for the overall dataset, in government applications it remains flat. Given the gravity of cyber security risks and the potential impact on national assets, these results further reinforce the need for dedicated developer training and education, and the importance of instituting a programmatic approach to security testing within the government sector.
Common Application Development Mistakes Creep Into Mobile: With organizations seeking to balance employee mobility and productivity against mobile security risk in the “Bring Your Own Device” or BYOD era, Veracode included analysis of Android applications for the first time. Veracode found that mobile developers tend to make similar mistakes to enterprise developers, specifically with the use of hard-coded cryptographic keys. More than 40 percent of the Android applications analyzed had at least one instance of this flaw. The prevalence of cryptographic keys becomes a problem because all installed instances of the application use the same key making it easier for an attacker to initiate a broader assault.
“With the majority of recently reported breaches caused by attackers exploiting weaknesses in web applications or desktop software, often taking advantage of common XSS or SQL Injection flaws, we decided it was time to become even more stringent to reflect the realities of the threat landscape and raise the bar on what should be deemed secure software,” said Chris Wysopal, founder, CISO and CTO, Veracode. “We feel strongly that there must be a greater sense of urgency. Our hope with this report is that by raising the visibility of software-related business risk, we will encourage the industry to adopt a long-term commitment to protecting our software infrastructure.”
Download the Report
Veracode’s State of Software Security Report: Volume 4 also examines additional software security topics in context of application threat space trends, including details on the most commonly exploited vulnerabilities, risks associated with commercial software, and the rise of independent security verification across multiple industry segments as well as a detailed remediation workflow study. For complete report findings, download a copy of the report by visiting: http://info.veracode.com/state-of-software-security-report-volume4.html.
Veracode is the only independent provider of cloud-based application intelligence and security verification services. The Veracode platform provides the fastest, most comprehensive solution to improve the security of internally developed, purchased or outsourced software applications and third-party components. By combining patented static, dynamic and manual testing, extensive eLearning capabilities, and advanced application analytics, Veracode enables scalable, policy-driven application risk management programs that help identify and eradicate numerous vulnerabilities by leveraging best-in-class technologies from vulnerability scanning to penetration testing and static code analysis. Veracode delivers unbiased proof of application security to stakeholders across the software supply chain while supporting independent audit and compliance requirements for all applications no matter how they are deployed, via the web, mobile or in the cloud. Veracode works with global organizations across multiple vertical industries including Barclays PLC, California Public Employees’ Retirement System (CalPERS), Computershare and the Federal Aviation Administration (FAA). For more information, visit www.veracode.com, follow on Twitter: @Veracode or read the Veracode Blog.
Copyright © 2011 Veracode, Inc. All Rights Reserved. All other brand names, product names, or trademarks belong to their respective holders.
Liz Campbell
fama PR
phone: +1 617-986-5009
email: veracode@famapr.com
Paula Averley
Hothouse Communications (for Veracode UK)
phone: (44) (0)20 8224 9933
email: veracode@hothousecomms.com