Extent of application flaws in security software revealed

Security software utilized in public companies has as many application flaws as that utilized in other large enterprises.

According to a 'State of Software Security Report' from Veracode, released this week, 84 per cent of web applications from public companies were deemed unacceptable when measured against the OWASP Top 10.

Surveying data from 126 public companies over the last 18 months from applications that were submitted to Veracode's cloud-based application security testing platform, the corporate found that backend operational systems and desktop commercial applications had a 63 per cent failure rate when measured against the CWE/SANS Top 25.

Also, despite having greater compliance requirements and frequently more funding, only 16 per cent of public company web applications passed initial testing, compared with 14 per cent for all companies. The performance for non-web applications is worse for public companies, with 38 per cent meeting the CWE/SANS industry standard, compared with 42 per cent for all companies.

Chris Wysopal, founder, CISO and CTO of Veracode, said: “Companies can put all the other cyber security controls in place, but when there are application weaknesses, hackers have the need and time to locate and exploit them.

“The issue simply can't be neglected any longer. During the last year one of the crucial most prominent breaches that were implemented against one of the most pre-eminent names in business took good thing about weaknesses in software applications to infiltrate traditional perimeter defence security controls. This could be a wake-up call. Particularly in public company disclosures, the problem must be discussed in a lot more detail.”

The report also found that just one in five public companies has performed a proper verification on a 3rd-party application. Chatting with SC Magazine, Veracode EMEA vice-president Matt Peachey said that although companies were finishing up due diligence, this didn't necessarily filter right down to improving applications.

He said: “The overall treatment of risk could be very poor; we all know it is vitally common stuff, nonetheless it remains to be not there. The time to remediate is lower than people think, they're obliged to report it but fixing it's believed to be by hand. The typical time to do that is in days, but that's nothing within the software development lifecycle.”

The two most often exploited vulnerability types â€" XSS and SQL injections â€" showed a statistically flat incidence rate from the primary quarter of 2010 to the fourth quarter of 2011, suggesting that new vulnerabilities are being introduced on the same rate as known vulnerabilities are being remediated.