Cyber Security Institute

Monday, March 01, 2010

State Of Application Security: Nearly 60 Percent Of Apps Fail First Security Test

Even with all of the emphasis on writing software with security in mind, most applications remain riddled with security holes, according to a new report released today on the actual security quality of all types of software. Around 58 percent of the applications tested by application security testing service provider Veracode over the past year and a half failed to achieve an acceptable rating in their first round of testing.

“The degree of failure to meet acceptable standards on first submission is astounding—and this is coming from folks who care enough to submit their software to our [application security testing] services,” says Roger Oberg, senior vice president of marketing for Veracode.

The data for Veracode’s State of Software Security Report comes from a combination of static, dynamic, and manual testing of all types of software across multiple programming languages—everything from non-Web and Web applications to components and shared libraries.  Veracode tests commercial, internally developed, open-source, and outsourced applications, all of which were represented in its findings.

And nearly 90 percent of internally developed applications contained vulnerabilities from the SANS Top 25 and OWASP Top 10 lists of the most common programming errors and flaws in the first round of tests, Oberg says.

Despite the relatively gloomy picture of developers still missing the mark on security in their first submissions, there were some bright spots in the report: open-source software isn't as risky as you might think, and financial services organizations and government agencies tend to have more secure applications from the get-go; more than half of their apps passed as acceptable on first submission to testing, according to Veracode's report.

Open-source software was also the quickest to remediate flaws: “It took about 30 days to remediate open-source software, and much longer for commercial and internal projects,” he says.

“There’s been intense focus on cross-site scripting, and there are lots of different libraries and utilities available to eliminate it, but it’s still extremely prevalent,” says Chris Eng, director of security research for Veracode. Eng attributes that largely to a lack of education on how to quell XSS, and notes that it is not uncommon to find 100 XSS bugs in a single application.
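The following is an added example, not code from the Dark Reading article, Veracode, or this blog, illustrating why XSS keeps slipping through even where an encoding utility is available: the encoder has to match the output context, and an entity-escaped value dropped into an unquoted attribute is still injectable. The renderer functions, the attribute tokenizer, and the payloads are constructed for this demonstration.

```javascript
// Added example (not from the article or Veracode): context-aware HTML encoding
// versus raw concatenation, plus the unquoted-attribute pitfall that plain
// entity escaping does not cover. All function names and payloads are constructed.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape for HTML text nodes and double-quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: untrusted input concatenated straight into markup (reflected XSS).
function renderGreetingUnsafe(name) {
  return '<p>Hello, ' + name + '</p>';
}

// Hardened: encode before inserting into a text context.
function renderGreetingSafe(name) {
  return '<p>Hello, ' + escapeHtml(name) + '</p>';
}

// Still broken: the value is escaped but the attribute is unquoted. Entity
// encoding leaves spaces and '=' alone, so the attacker can append a new
// attribute such as an event handler without using '<', '>' or quotes.
function renderLinkUnquoted(href) {
  return '<a href=' + escapeHtml(href) + '>profile</a>';
}

// Hardened: quote the attribute, encode the value, and because this attribute
// is a URL, allow only same-origin paths or http(s) URLs so that javascript:
// and protocol-relative (//host) targets are refused.
function renderLinkSafe(href) {
  const sameOriginPath = /^\/(?!\/)/.test(href);
  const httpUrl = /^https?:\/\//i.test(href);
  const target = (sameOriginPath || httpUrl) ? href : '#';
  return '<a href="' + escapeHtml(target) + '">profile</a>';
}

// Minimal attribute tokenizer for the first tag in a fragment. It honours
// double-quoted values, which is enough to show which names a browser would
// treat as separate attributes in the two link renderers above.
function attributeNames(html) {
  const tag = html.match(/^<[a-z]+\s*([^>]*)>/i);
  if (!tag) return [];
  const names = [];
  const re = /([^\s=]+)(?:\s*=\s*("[^"]*"|[^\s>]*))?/g;
  let attr;
  while ((attr = re.exec(tag[1])) !== null) {
    names.push(attr[1].toLowerCase());
  }
  return names;
}

// Stand-alone demonstration on constructed payloads.
const scriptPayload = '<script>alert(1)</script>';
const attrPayload = '/me onmouseover=alert(1)';
console.log('unsafe text  :', renderGreetingUnsafe(scriptPayload));
console.log('safe text    :', renderGreetingSafe(scriptPayload));
console.log('unquoted attr:', attributeNames(renderLinkUnquoted(attrPayload)));
console.log('quoted attr  :', attributeNames(renderLinkSafe(attrPayload)));
console.log('javascript:  :', renderLinkSafe('javascript:alert(1)'));
```

The point of the last two renderers is the one Eng's remark about available libraries glosses over: an escaping function is only correct for the context it was written for (text node, quoted attribute, URL, JavaScript string), so a codebase can call an encoder on every output and still ship dozens of XSS bugs where the template puts the value somewhere else.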

http://www.darkreading.com/vulnerability_management/security/app-security/showArticle.jhtml?articleID=223100875&cid=RSSfeed

Posted on 03/01
Trends