Patch/Configuration Management, Vulnerability Management

Flaws fixed incorrectly, as secure coding education lags

Developers often aren’t properly trained in secure coding, leading to incorrect fixes for flaws. Here, a group of developers observe a presentation. (Michael Kappel/CC BY-NC 2.0)

Broken access control and broken object level authorization vulnerabilities have proven the most difficult to fix, while fixes for command injection and SQL injection flaws are the ones most often done incorrectly.

Research released by HackEDU, based primarily on feedback from security, development and compliance leaders, attributed the failures to a lack of formal training: about 53 percent of developers have not been trained in secure coding practices.

“The data comes from the assessments, lessons, the challenges and the actual reported vulnerabilities from HackEDU customers and students,” Brandon Hoe, head of marketing at HackEDU told SC Media.

The report noted that command injection vulnerabilities can be prevented by simply “adhering to the principle of never calling out to OS commands from application layer code; however developers often try to fix them with insufficient filters.”

SQL injections often prove difficult, because many developers “try to fix them using regular expressions, while a more secure way of approaching the vulnerability is to use prepared statements.” HackEDU suggested that educating developers on secure coding would “go a long way towards ensuring that these vulnerabilities are reduced, or even eliminated.”
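The two patterns described above, the insufficient-filter fix for command injection and the regex fix for SQL injection, are easier to see side by side in code. The following is an added example written for this article, not code from the HackEDU report; the user table, the temporary directory tree and the function names are constructed for illustration. The SQL part shows why a quote-stripping regex fails in a numeric context while a bound parameter does not; the OS-command part follows the report’s advice by replacing the shell call with a filesystem API call rather than trying to filter the argument.

```python
import re
import sqlite3
import subprocess
import tempfile
from pathlib import Path


# Constructed sample data (not from the report): two users in an in-memory
# SQLite database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


# Vulnerable: the user-controlled id is spliced straight into the SQL text.
def user_by_id_concat(conn, user_id):
    return conn.execute(
        f"SELECT username, role FROM users WHERE id = {user_id}").fetchall()


# Insufficient fix: a regex that strips quotes and comment markers. It was
# written with string literals in mind, but this query compares a number, so
# a payload such as "1 OR 1=1" contains nothing the filter removes.
QUOTE_FILTER = re.compile(r"['\"]|--|/\*|\*/")


def user_by_id_regex(conn, user_id):
    cleaned = QUOTE_FILTER.sub("", str(user_id))
    return conn.execute(
        f"SELECT username, role FROM users WHERE id = {cleaned}").fetchall()


# Correct fix: a prepared statement. The value travels as a bound parameter,
# so the database never parses it as SQL, whatever characters it contains.
def user_by_id_prepared(conn, user_id):
    return conn.execute(
        "SELECT username, role FROM users WHERE id = ?", (user_id,)).fetchall()


# Constructed sample directory tree for the OS-command example.
def make_tree():
    base = Path(tempfile.mkdtemp())
    (base / "reports").mkdir()
    (base / "reports" / "q1.txt").write_text("constructed sample")
    (base / "reports" / "q2.txt").write_text("constructed sample")
    return base


# Vulnerable: the folder name is interpolated into a shell command line, so
# shell metacharacters (; | $( )) turn into additional commands.
def list_folder_shell(base, name):
    result = subprocess.run(f"ls {base}/{name}", shell=True,
                            capture_output=True, text=True)
    return result.stdout


# Correct fix: do not call out to the OS at all. Validate the name, confine
# the resolved path to the base directory, and use the filesystem API.
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]+")


def list_folder_api(base, name):
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected folder name: {name!r}")
    target = (Path(base) / name).resolve()
    # SAFE_NAME still admits "..", so the containment check is not optional.
    if Path(base).resolve() not in target.parents:
        raise ValueError("path escapes base directory")
    return sorted(p.name for p in target.iterdir())


if __name__ == "__main__":
    conn = make_db()
    payload = "1 OR 1=1"
    print("concat  :", user_by_id_concat(conn, payload))    # both rows leak
    print("regex   :", user_by_id_regex(conn, payload))     # filter changes nothing
    print("prepared:", user_by_id_prepared(conn, payload))  # no match
    base = make_tree()
    print("shell   :", list_folder_shell(base, "x; echo INJECTED").strip())
    print("api     :", list_folder_api(base, "reports"))
```

The OS-command half assumes a POSIX shell, since `shell=True` hands the string to `/bin/sh`. The hardened `list_folder_api` keeps a regex, but as an allowlist on the folder name backed by a path-containment check, not as a blocklist of dangerous characters passed on to a shell.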

Developers grapple with harder-to-fix vulnerabilities because they are more complex, requiring them to understand the fundamentals, not just memorize syntax or a framework and apply it as a patch. Because there is no “silver bullet” fix, resolution of those flaws is more complicated, HackEDU noted.

Third-party software providers that are slow to release patches can further complicate the terrain for developers. And many organizations may not jump quickly enough to patch software when upgrades are available – or refuse to update at all, choosing “functional status over a total system overhaul” where legacy systems are involved.

The flaws on HackEDU’s most-often-fixed-incorrectly list, command injection and SQL injection, have held the top two spots on the OWASP list for the last 14 years.
