Software Holes Very Evident: Report

Thursday, April 11, 2013 @ 03:04 PM gHale

The industry's failure to reduce the number of security flaws in software code means that attackers with only modest technical skill can find and exploit vulnerabilities, a new report said.

Of the 22,430 applications submitted to security testing firm Veracode's code analysis service in the 18-month period from January 2011 to June 2012, only 13 percent of web applications were free of the flaw categories in the Open Web Application Security Project (OWASP) Top 10, according to the company's State of Software Security (SoSS) report.


When it came to standalone (non-web) applications, only 31 percent complied with the separate CWE/SANS Top 25, a lower compliance rate than in the previous SoSS report, which Veracode attributed to a broader sample of companies using the service.

Meanwhile, the percentage of applications containing common but serious flaws such as SQL injection remained static at 32 percent, with cross-site scripting also entrenched at 67 percent.

In short, these failure rates underscore that weak and insecure software development lifecycles are still a problem years after the industry began addressing them.

And because issues such as SQL injection have not been eradicated, even attackers with little technical skill can hunt them down and exploit them, which is itself a problem for the industry, Veracode said.

The company predicts that one in three data breaches this year will be the result of SQL injection alone, one of the easiest flaws for "everyday hackers" to find and exploit.
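To make concrete why SQL injection is so easy to exploit when code concatenates user input into a query, here is an added example (not from the Veracode report or this article) using Python's sqlite3 module. The in-memory users table, the `login_vulnerable` and `login_hardened` functions, and the `' OR '1'='1` payload are all constructed for illustration; the only difference between the two functions is string formatting versus parameter binding.

```python
import sqlite3

# Constructed sample data: a single user in an in-memory database.
# (A real system would store a password hash, not the plaintext.)
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Classic injectable login: user input is pasted into the SQL text."""
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    # With password = "' OR '1'='1" the WHERE clause becomes
    #   username = 'alice' AND password = '' OR '1'='1'
    # and AND binds tighter than OR, so every row matches.
    return conn.execute(query).fetchone()[0] > 0


def login_hardened(conn, username, password):
    """Same check with a parameterized query: input is bound as data."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    # The driver sends the values separately; quotes in them are never
    # interpreted as SQL, so the payload is just a wrong password.
    return conn.execute(query, (username, password)).fetchone()[0] > 0


# Hypothetical attacker input: the textbook tautology payload.
PAYLOAD = "' OR '1'='1"


def demo():
    """Run both logins against the same data and return the outcomes."""
    conn = setup_db()
    return {
        "vulnerable_valid_creds": login_vulnerable(conn, "alice", "s3cret"),
        "vulnerable_injected": login_vulnerable(conn, "alice", PAYLOAD),
        "hardened_valid_creds": login_hardened(conn, "alice", "s3cret"),
        "hardened_injected": login_hardened(conn, "alice", PAYLOAD),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'login accepted' if ok else 'login rejected'}")
```

The vulnerable function accepts the attacker's payload as a valid login without the attacker knowing any password, which is exactly the low-skill attack the report describes; the hardened function rejects it. Parameterized queries (or an ORM that uses them) are the standard fix; input filtering alone is not, because the query text itself must never be assembled from untrusted strings.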

“The pessimist remains very concerned that we are not seeing the dramatic decreases in exploitable coding flaws that I expect to see with each passing year,” said Veracode’s co-founder and CTO, Chris Wysopal.

“It’s as if for each customer, development team, or application that has become more secure, there are an equal number or more that do not,” he said.

“Put more bluntly, we must figure out a way to code more securely simply to keep up with attacks from the most basic attacker.”

Click here to register for Veracode's State of Software Security (SoSS) report.
