
HPE study finds app security lacking; weak SSL tops list of critical flaws

HPE Cyber Risk Report 2016

A software security analysis conducted between October 2014 and October 2015 revealed that 35 percent of approximately 7,000 web/desktop software applications and 75 percent of over 450 mobile apps contained a critical or high-severity vulnerability.

These findings, detailed in Hewlett Packard Enterprise's (HPE) just-released Cyber Risk Report 2016, were derived from HPE's annual Software Security Taxonomy research, which provides a snapshot of the state of application security over the previous year.

According to the report, the most commonly spotted critical vulnerabilities in both mobile and non-mobile apps were related to insecure data transport, including weak Secure Sockets Layer (SSL) protocols. Of the software studied, 25 percent of web/desktop apps had a critical SSL weakness and 30 percent of mobile apps had a critical flaw pertaining to insecure transport.

SSL technology secures data in motion by generating an encrypted link between a web server and browser. “It's likely that many applications continue to use weak SSL protocols and ciphers for backward compatibility purposes, but it's still a dangerous choice,” the report reads.

Jewel Timpe, senior manager, security research communications at HPE in Palo Alto, Calif., explained to SCMagazine.com that a lack of strong computer language skills, combined with a demand to build apps quickly, is a key reason many developers take SSL shortcuts. “There are all these tools where you can literally put [software] pieces together like a puzzle to create an app and you don't have to be well-versed in the languages of computer science,” she said. Consequently, developers “don't understand how to implement [SSL] properly, or the criticality of it, and so we end up with a lot more vulnerabilities.”
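The "weak protocols and ciphers for backward compatibility" problem the report describes is visible in configuration, which makes it auditable before the app ships. The following is an added example, not code from HPE, the report or the article: a small Python audit that flags a TLS client context whose protocol floor is below TLS 1.2 or whose enabled cipher suites include legacy families (RC4, DES/3DES, NULL, export-grade, MD5-based, anonymous key exchange). The weak configuration shown is constructed for illustration, and the hardening rules are common industry guidance rather than anything the page specifies.

```python
"""Audit a TLS client configuration for the weak-protocol / weak-cipher
shortcuts the report describes.

Added example, not code from the HPE report or the article. The weak
configuration below is constructed; the audit rules (TLS 1.2 floor, no
RC4/DES/3DES/NULL/EXPORT/MD5/anonymous suites) are general hardening
guidance, not taken from the page.
"""
import ssl

# Substrings that mark an OpenSSL cipher suite name as obsolete or insecure.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "EXP-", "MD5", "ADH", "AECDH", "ANON")


def find_weak_ciphers(cipher_names):
    """Return the cipher suite names that match any weak marker, in order."""
    return [n for n in cipher_names
            if any(marker in n.upper() for marker in WEAK_CIPHER_MARKERS)]


def audit_tls_settings(min_version, cipher_names):
    """Pure check shared by audit_context(); returns a list of findings.

    min_version is an ssl.TLSVersion; cipher_names is a list of OpenSSL
    cipher suite names. An empty list means the settings pass.
    """
    findings = []
    if min_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"protocol floor too low: {min_version.name}")
    for name in find_weak_ciphers(cipher_names):
        findings.append(f"weak cipher suite enabled: {name}")
    return findings


def audit_context(ctx):
    """Audit a live ssl.SSLContext by reading its floor and enabled suites."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return audit_tls_settings(ctx.minimum_version, names)


def hardened_client_context():
    """Build a client context with the backward-compatibility knobs closed."""
    ctx = ssl.create_default_context()          # certificate + hostname checks on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3 / TLS 1.0 / TLS 1.1
    # Python's default cipher string already drops these families; pinning
    # the exclusions keeps that true across interpreter and OpenSSL versions.
    ctx.set_ciphers("DEFAULT:!aNULL:!eNULL:!MD5:!RC4:!DES:!3DES:!IDEA:!SEED")
    return ctx


# Constructed illustration of the "compatibility" configuration the report
# warns about: TLS 1.0 still accepted and legacy suites still enabled.
WEAK_MIN_VERSION = ssl.TLSVersion.TLSv1
WEAK_CIPHERS = ["ECDHE-RSA-AES128-GCM-SHA256", "RC4-SHA", "DES-CBC3-SHA", "NULL-MD5"]

if __name__ == "__main__":
    print("weak config:    ", audit_tls_settings(WEAK_MIN_VERSION, WEAK_CIPHERS))
    print("hardened config:", audit_context(hardened_client_context()))
```

Run against a real application, `audit_context()` would be called on whatever `SSLContext` the app hands to its HTTP client, so the check lives in a unit test rather than in a post-release scan; the TLS 1.3 suites that `get_ciphers()` also reports pass the marker check untouched.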

For web/desktop apps, the most common non-critical (albeit still troublesome) security issue was external system information leaks (50 percent of studied apps suffered a non-critical leak), while for mobile apps the most common non-critical issue was internal system information leaks (83 percent).

“We already know how to write secure software. We've been doing it on the traditional computing side more than a decade,” said Timpe — and yet many app developers still don't cover the basics of security. “It's a problem that we've already solved but it's still hurting us.”

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
