Software Industry Presents Cyber Risks

Wednesday, April 20, 2011 @ 11:04 PM gHale

Targeted cyber attacks along with the exploitation of common vulnerabilities such as SQL injection continues to show the software infrastructure of critical industries remains vulnerable.

Security vendors that protect enterprises are often the most at risk due to the poor quality of their very own software applications, according to a report released by Veracode. In fact, 72 percent of security products and services applications analyzed in the report failed to meet acceptable levels of security quality.

In its most recent State of Software Security report, Veracode analyzed 4,835 applications submitted to its cloud-based application security testing platform for independent security verification. That number is nearly double that of the previous report (September 2010) and represents applications analyzed over the past 18 months.

One constant data point remains amidst all the findings: Software remains fundamentally flawed. In fact, 58 percent of all software applications across supplier types continued to fail to meet acceptable levels of security quality upon initial submission to Veracode’s service.

The report includes several new areas of analysis, including a more in-depth look at the software industry, quarterly trending information on the prevalence of common vulnerabilities such as SQL Injection and Cross-Site Scripting (XSS) errors, a study of flaw remediation behavior, and software developer education and training statistics.

Report highlights include:
• 66 percent of software industry applications had unacceptable security quality upon initial submission, a clear sign that significant work needs to occur just to equal the 58 percent unacceptable rate for applications across all industries.
• 72 percent of security products and services applications had unacceptable security quality: The two worst performers within the software industry upon initial submission were the categories of customer support, such as CRM and web customer support applications (82 percent unacceptable), followed by security products and services (72 percent unacceptable).
• Private versus public software vendor applications – little discernible difference: Despite the heightened scrutiny faced by public companies and perhaps elevated expectations for application security, Veracode found little discernible difference in security quality between the two sectors.
• Even with its flaws, the software industry moves swiftly to remediate errors: Overall, more than 90 percent of all applications across the software industry achieved acceptable security policy within 30 days. The average for all applications in the security products and services sub-category was three days. This data illustrates how easy it is to fix a flaw once the company becomes aware of the issue.
• SQL Injection errors slowly declining: Despite elevated awareness and frequent exploitation in high-profile attacks, the percentage of applications affected by SQL Injection errors declined only slightly, 2.4 percent per quarter over the past eight quarters. The prevalence of XSS errors remained largely unchanged.

“While somewhat surprising, our findings related to the quality of security product and services vendors seem to corroborate recent headlines associated with the high-profile but not especially sophisticated attacks on prominent security vendors such as HBGary, Comodo, Barracuda Networks and EMC’s RSA division,” said Matt Moynahan, chief executive at Veracode. “These findings should reinforce that no industry sector is immune to application security risk.”

Concerns abound among developer and security teams about gaining organizational buy-in for regular testing programs. However, data from this report found that remediation is not time-consuming.

Veracode found more than 50 percent of those who took an application security fundamentals exam received a grade of C or lower. More than 30 percent received a failing grade of D or F. This supports the need for organizations to take responsibility for instituting more rigorous, contextual developer training and education programs to improve application security competency levels.
