News Archive

Software Study

by msecadm4921

With the trend of targeted cyber attacks along with the exploitation of common vulnerabilities such as SQL Injection, it is clear an IT firm says that the core software infrastructure of several critical industries remains vulnerable.

The Veracode “State of Software Security Report: Volume 3” uncovered that those security vendors tasked with protecting enterprises are often the most at risk due to the poor quality of their very own software applications. In fact, 72 percent of security products and services applications analyzed in this report failed to meet acceptable levels of security quality.

In its most recent State of Software Security report, Veracode analyzed 4,835 applications that were submitted to its cloud-based application security testing platform for independent security verification. That number is nearly double from the previous report (September 2010) and represents applications analyzed over the past 18 months. Despite many new findings, there is one constant data point: software remains fundamentally flawed. In fact, 58 percent of all software applications across supplier types continued to fail to meet acceptable levels of security quality upon initial submission to Veracode’s service.

What’s New

Volume 3 includes several new areas of analysis including a deep dive on the software industry, quarterly trending information on the prevalence of common vulnerabilities such as SQL Injection and Cross-Site Scripting (XSS) errors, a study of flaw remediation behavior, and software developer education and training statistics.

66 percent of software industry applications were found to be of unacceptable security quality upon initial submission, a clear sign that significant work needs to be done just to equal the 58 percent unacceptable rate for applications across all industries.

72 percent of security products and services applications had unacceptable security quality: The two worst performers within the software industry upon initial submission were the categories of customer support, such as CRM and web customer support applications (82 percent unacceptable), followed by security products and services (72 percent unacceptable).

Private versus public software vendor applications – little discernable difference: Despite the heightened scrutiny faced by public companies and perhaps elevated expectations for application security, Veracode found little discernable differences in terms of security quality between the two sectors.

Even with its flaws, the software industry moves swiftly to remediate errors: Overall, more than 90 percent of all applications across the software industry achieved acceptable security policy within 30 days. The average for all applications in the security products and services sub-category was an impressive three days. This data illustrates how easy it is to fix a flaw once it has been identified.

SQL Injection errors slowly declining: Despite elevated awareness and frequency of exploitation in high-profile attacks, the percentage of applications infected with SQL Injection errors declined only slightly, 2.4 percent per quarter over the past eight quarters. The prevalence of XSS errors remaining largely unchanged.
“While somewhat surprising, our findings related to the quality of security product and services vendors seem to corroborate recent headlines associated with the high-profile, but not especially sophisticated attacks, on prominent security vendors such as HBGary, Comodo, Barracuda Networks and EMC’s RSA division. These findings should reinforce that no industry sector is immune to application security risk,” said Matt Moynahan, CEO, Veracode, Inc. “Our goal with these State of Software Security reports is to continue to raise awareness of the prominence of common vulnerabilities, such as those caused by SQL Injection or XSS errors, while providing organisations with confidence that with the right training, tools and C-level commitment, that high-quality software is possible, without a tremendous time investment.”

Related News

  • News Archive

    Jail In Laser Case

    by msecadm4921

    A 21-year-old Maidstone man has been sentenced to eight months in prison for endangering the Kent and Essex Police helicopter while it…

  • News Archive

    Infosec Survey

    by msecadm4921

    The mood among information security people has improved but remains downbeat, according to the 2008 Information Security Breaches Survey. Computer technology can…

  • News Archive

    Know Colleague

    by msecadm4921

    In London, Westminster Police are asking businesses to review their access control measures during September; and suggest making September ‘Know Your Colleague…

Newsletter

Subscribe to our weekly newsletter to stay on top of security news and events.

© 2024 Professional Security Magazine. All rights reserved.

Website by MSEC Marketing