A software security analysis conducted between October 2014 and October 2015 revealed that 35 percent of approximately 7,000 web/desktop software applications and 75 percent of over 450 mobile apps contained a critical or high-severity vulnerability.
These findings, detailed in Hewlett Packard Enterprise's (HPE) just-released Cyber Risk Report 2016, were derived from HPE's annual Software Security Taxonomy research, which provides a snapshot of the state of application security over the previous year.
According to the report, the most commonly spotted critical vulnerabilities in both mobile and non-mobile apps were related to insecure data transport, including weak Secure Sockets Layer (SSL) protocols. Of the software studied, 25 percent of web/desktop apps had a critical SSL weakness and 30 percent of mobile apps had a critical flaw pertaining to insecure transport.
SSL technology secures data in motion by generating an encrypted link between a web server and browser. “It's likely that many applications continue to use weak SSL protocols and ciphers for backward compatibility purposes, but it's still a dangerous choice,” the report reads.
Jewel Timpe, senior manager, security research communications at HPE in Palo Alto, Calif., explained to SCMagazine.com that a lack of strong computer language skills, combined with a demand to build apps quickly, is a key reason many developers take SSL shortcuts. “There are all these tools where you can literally put [software] pieces together like a puzzle to create an app and you don't have to be well-versed in the languages of computer science,” she said. Consequently, developers “don't understand how to implement [SSL] properly, or the criticality of it, and so we end up with a lot more vulnerabilities.”
For web/desktop apps, the most common non-critical (albeit still troublesome) security issue was external system information leaks (50 percent of studied apps suffered a non-critical leak), while for mobile apps the most common non-critical issue was internal system information leaks (83 percent).
“We already know how to write secure software. We've been doing it on the traditional computing side more than a decade,” said Timpe — and yet many app developers still don't cover the basics of security. “It's a problem that we've already solved but it's still hurting us.”