A new report issued on Tuesday by security firm Veracode paints a grim picture of the amount of protection built into application software.
More than half of all applications fail to meet acceptable security quality, according to the “State of Software Security Report: The Intractable Problem of Insecure Software.”
The study, which assessed nearly 5,000 applications over the last 18 months, found that 58 percent of all applications had “unacceptable” security quality when initially submitted to Veracode’s testing platform. Further, more than eight out of 10 web applications failed when measured against the OWASP Top 10, an industry benchmark that documents the most common critical web application errors.
One explanation for these failings, according to the report, is that security processes, such as threat modeling or secure coding standards, were either not integrated into the development lifecycle or were integrated poorly, Sam King, vice president of product marketing at Veracode, told SCMagazineUS.com on Tuesday. Security is something everyone knows should be there, but it is often a lower priority than time and budget.
However, as the threat environment continues to evolve and gain strength, these weaknesses “translate into real and present danger for the risk-free operation of software infrastructure,” the report said.
The root cause, King said, was a lack of awareness around secure coding principles.
“There’s a poor state of application security knowledge,” she said. “Formal training is not offered in most university computer science courses, nor in development training on a professional level.”
This sentiment is echoed by Dave Wichers, COO at Aspect Security, a Columbia, Md.-based provider of secure software applications.
“Most applications are in terrible shape,” he told SCMagazineUS.com on Tuesday.
While some exploits are less used today than previously, developers cannot let down their guard, experts said.
“In the last couple of years, we’ve been seeing a decline in popular exploitable security vulnerabilities, such as cross-site scripting (XSS) and SQL injection,” Bojan Ždrnja, senior information security consultant at INFIGO IS, a Croatia-based security consultancy, told SCMagazineUS.com on Tuesday. “However, in many cases this happened due to the framework that the developers are using. Modern frameworks such as ASP.NET can prevent certain attacks, such as XSS out of box.”
This is good because it will stop some attacks, but bad because it can lead to developers ignoring these vulnerabilities, which can be especially problematic since the application now depends on a different layer of security that can sometimes be inadvertently turned off by an administrator, Ždrnja said.
Meanwhile, another high-risk business impediment is business logic flaws. These involve mistakes such as insufficient authorization or predictable resource location, which can allow, for example, a user to reserve a seat on a flight before paying for it, or to guess the URLs of press releases announcing a public company's earnings before their official release.
“This is even more worrying in high-profile applications, such as those used by the finance industry, since automated scanning tools today fail to identify business logic vulnerabilities,” Ždrnja said.
Experts, however, remain hopeful.
The recent spate of major breaches involving flawed application code, such as the breach of security firm Barracuda Networks via SQL injection, might serve as a wake-up call to corporations to get serious about the security of their software, Veracode’s King said.
Wichers, who is also an OWASP board member and OWASP Top 10 project lead, said training developers on how to avoid all application weaknesses is key, but what is missing from the Veracode recommendations, he said, is providing developers with standard security controls that help address these problems.
“All programming languages have a safe way of using SQL safely to avoid SQL injection, but they also have an unsafe way, and developers frequently do it wrong,” Wichers said. “However, for cross-site scripting, many languages don’t provide a built-in library for making user input safe from XSS.”
Libraries exist where code writers can obtain safe script, he added.
“This makes building secure applications much easier,” Wichers said.
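The "safe way" and "unsafe way" of using SQL that Wichers contrasts, and the output-encoding library he says many languages lack for XSS, side by side as an added example (not code from Veracode, Aspect Security or the article). It uses Python's standard sqlite3 and html modules against a constructed in-memory table of press releases; the table, its rows and the function names are assumptions for illustration only.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data (not real): one published and one embargoed release."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE press_releases (id INTEGER, title TEXT, published INTEGER)")
    conn.executemany(
        "INSERT INTO press_releases VALUES (?, ?, ?)",
        [(1, "Q1 results", 1), (2, "Q2 results (embargoed)", 0)],
    )
    return conn


def unsafe_titles(conn: sqlite3.Connection, title: str) -> list[str]:
    """The unsafe way: the caller's input is pasted into the SQL text.

    The value becomes part of the query grammar, so a value containing a
    quote can rewrite the WHERE clause and bypass the published = 1 filter.
    """
    sql = (
        "SELECT title FROM press_releases "
        f"WHERE published = 1 AND title = '{title}' ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def safe_titles(conn: sqlite3.Connection, title: str) -> list[str]:
    """The safe way: a parameterized query.

    The driver sends the value separately from the statement, so whatever
    the input contains it is only ever compared as data, never parsed as SQL.
    """
    sql = "SELECT title FROM press_releases WHERE published = 1 AND title = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (title,))]


def render_title(title: str) -> str:
    """XSS side: encode untrusted text before placing it in HTML.

    html.escape stands in for the kind of encoding library Wichers describes;
    with quote=True it also covers attribute contexts.
    """
    return f"<h1>{html.escape(title, quote=True)}</h1>"
```

Calling both query functions with the same input that contains a stray quote shows the difference directly: the string-built query leaks the embargoed row, while the parameterized one simply finds no match.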