8 Out of 10 Applications Fail To Meet New Security Standards

SQL Injection

The latest State of Software Security Report Volume 4 results reveal XSS and SQL Injection are two of the most frequently exploited vulnerabilities, often providing a gateway to customer data and intellectual property. Eight out of 10 applications fail to meet acceptable levels of security, marking a significant decline from past reports.

The latest report captures data collected over the past 18 months from the analysis of 9,910 applications (compared to 4,835 applications in Volume 3) that were submitted to a cloud-based application security testing platform. The report examines the security quality of applications across a number of variables including supplier type, language and industry. For Volume 4, we conducted a deep comparative analysis of government applications against other industries such as finance and software, and, for the first time, examined Android security trends.

One of the goals of the report is to create greater awareness and security intelligence about the risks of unknown vulnerabilities lurking in everyday applications. The results are aimed at creating a greater sense of urgency around the problem of insecure software, while also giving organizations the information they need to quickly take action.

Zero Tolerance for XSS and SQL Injection Errors Leads to Steep Decline in Application Security Performance

As a result of strengthening the overall analysis criteria, including a zero tolerance policy for XSS and SQL Injection errors, eight out of 10 applications across the dataset failed to meet acceptable security standards. Specifically for web applications, this report showed a high concentration of XSS and SQL Injection vulnerabilities, with XSS present in 68 percent of all web applications and SQL Injection present in 32 percent of all web applications.

Data from the Web Hacking Incident Database supports the need for a zero tolerance policy with 20 percent of reported incidents attributed to a SQL Injection exploit. Given this threat environment, organizations should implement stricter security policies that allow for the discovery and timely remediation of these vulnerability types.

Insecure software can be remediated quickly, without negatively impacting rapid development cycles. In fact, an overwhelming majority (more than 80 percent) of applications that failed to achieve acceptable security standards on initial submission were able to achieve a passing grade within one week. Revisiting the impact of application security training and education confirmed that better-trained developers do produce more secure software out of the gate.
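The remediation the report counts as a quick fix for SQL Injection is, in most cases, replacing string-built queries with parameterized ones. The following is an added illustration written for this page, not code from the report or from Veracode; it uses Python's built-in sqlite3 module and a constructed in-memory table so it runs offline. It shows the defect that gets flagged beside the corrected form, and why the corrected form is not affected by input that contains SQL syntax.

```python
import sqlite3

# Constructed sample data standing in for a web application's user table;
# no real accounts are involved.
SAMPLE_USERS = [
    ("alice", "alice@example.invalid"),
    ("bob", "bob@example.invalid"),
]


def make_db():
    """Build a throwaway in-memory database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The pattern a scanner reports as SQL Injection: untrusted input is
    spliced into the SQL text, so the input can alter the query's structure."""
    query = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """The remediation: the SQL text is fixed and the input is bound as a
    parameter, so the database only ever treats it as a value to compare."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo():
    """Run both lookups on a normal username and on a constructed input that
    is a fragment of SQL rather than a name; return the rows each yields."""
    conn = make_db()
    normal = "alice"
    hostile = "x' OR '1'='1"  # constructed; not a real username
    return {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "safe_normal": lookup_parameterized(conn, normal),
        "safe_hostile": lookup_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The string-built version returns every row for the hostile input because the input rewrote the WHERE clause; the parameterized version returns nothing because no user is literally named that. The change is a one-line edit per query, which is consistent with the report's finding that most failing applications reach a passing grade within a week.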

Government Applications Are Less Resilient to Common Attacks Compared to Other Sectors

With an increasingly acute, global awareness of the potential impact of insecure software on national security, government agencies are following their private sector peers in the quest for more secure software. We analyzed U.S. federal, state and local government applications, which operate critical systems and process critical data such as personally identifiable information (PII) and national security data, and found that they lag behind other industries in key areas.

For example, government web applications have a much higher incidence of XSS and SQL Injection compared to other sectors. Analysis showed that 40 percent of government web applications had SQL Injection issues as compared to 29 percent for finance and 30 percent for software. Of note, while SQL Injection was trending lower for the overall dataset, in government applications it remains flat.

Given the gravity of cyber security risks and the potential impact on national assets, these results further reinforce the need for dedicated developer training and education, and the importance of instituting a programmatic approach to security testing within the government sector.

Common Application Development Mistakes Creep Into Mobile

With organizations seeking to balance employee mobility and productivity against mobile security risk in the “Bring Your Own Device” or BYOD era, we included analysis of Android applications for the first time. We found that mobile developers tend to make similar mistakes to enterprise developers, specifically with the use of hard-coded cryptographic keys.

More than 40 percent of the Android applications analyzed had at least one instance of this flaw. A hard-coded cryptographic key is a problem because every installed instance of the application shares the same key, so a key recovered from one copy works against all of them, making it easier for an attacker to initiate a broader assault.
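To make the "same key everywhere" problem concrete, here is an added example written for this page (not code from the report, from Veracode, or from any Android application it analyzed). It is plain Python rather than Android Java, and the per-install branch only stands in for the real mitigation of generating a key on first launch and keeping it in the platform keystore; the keystore API itself is not modelled, and the hard-coded key value is a constructed placeholder. The example counts how many distinct keys a population of installs holds, and checks whether a tag produced with one install's key is accepted by another install.

```python
import hashlib
import hmac
import os

# The flaw reduced to its essence: a key baked into the binary, hence
# identical in every installed copy. Constructed placeholder value.
HARDCODED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


class AppInstall:
    """One installed copy of the app.

    per_install=True simulates generating a fresh key on first launch and
    storing it in the device keystore (assumption of this example);
    per_install=False reproduces the hard-coded-key flaw.
    """

    def __init__(self, per_install: bool):
        self.key = os.urandom(16) if per_install else HARDCODED_KEY

    def sign(self, message: bytes) -> str:
        # HMAC-SHA256 over an application message, e.g. a locally cached token.
        return hmac.new(self.key, message, hashlib.sha256).hexdigest()

    def verify(self, message: bytes, tag: str) -> bool:
        return hmac.compare_digest(self.sign(message), tag)


def distinct_keys(install_count: int, per_install: bool) -> int:
    """How many different keys exist across install_count installs."""
    installs = [AppInstall(per_install) for _ in range(install_count)]
    return len({inst.key for inst in installs})


def tag_accepted_elsewhere(per_install: bool, message: bytes) -> bool:
    """Does a tag computed on install A verify on a separate install B?

    With a shared key this is True, which is exactly why one compromised
    copy endangers the whole installed base; with per-install keys it is False.
    """
    a = AppInstall(per_install)
    b = AppInstall(per_install)
    return b.verify(message, a.sign(message))


if __name__ == "__main__":
    msg = b"cached-session-token"  # constructed sample message
    print("hard-coded: distinct keys across 1000 installs =",
          distinct_keys(1000, per_install=False))
    print("hard-coded: tag from A accepted by B =",
          tag_accepted_elsewhere(False, msg))
    print("per-install: distinct keys across 1000 installs =",
          distinct_keys(1000, per_install=True))
    print("per-install: tag from A accepted by B =",
          tag_accepted_elsewhere(True, msg))
```

The defender's check that follows from this is straightforward: if the same key bytes appear in the shipped package (or in every device's data directory), the key is effectively public, and rotating it means shipping a new build to every user rather than re-keying one device.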

With the majority of recently reported breaches caused by attackers exploiting weaknesses in web applications or desktop software, often taking advantage of common XSS or SQL Injection flaws, I decided it was time to become even more stringent to reflect the realities of the threat landscape and raise the bar on what should be deemed secure software.

I feel strongly that there must be a greater sense of urgency. My hope with this report is that by raising the visibility of software-related business risk, we will encourage the industry to adopt a long-term commitment to protecting our software infrastructure.

Chris Wysopal is the founder, CISO and CTO of Veracode. Chris started his career as a software engineer who first built commercial software and then migrated to the specialty of testing software for vulnerabilities. Chris researched software security for the first vulnerability research think tank, L0pht Heavy Industries, from 1994-1999. He was one of the authors of L0phtCrack, the Windows password auditing program. He is also the author of Netcat for Windows and has published several major security vulnerabilities in Lotus Notes, Microsoft Windows and Cold Fusion. Chris has performed dozens of security code audits, design reviews, and software penetration tests for major software vendors on products such as web servers, SQL servers, mail servers and DRM products. He has led highly productive and innovative software development teams and has had product management roles. His work has led him to testify on Capitol Hill twice on software security. Chris's goals are to automate the difficult task of finding vulnerabilities in software and to let customers assess the security of the software they purchase that can put them at risk.