Study Finds That While Application Security Testing Is Expanding to New Industries, The Software Supply Chain Is Still Vulnerable
While few enterprises have vendor application security testing programs in place, organizations are increasingly recognizing the risks associated with using applications developed by third-party providers, Veracode found in its latest analysis.
Of the 939 applications submitted to Veracode for vulnerability assessment between January 2011 and June 2012, SQL injection and cross-site scripting remained the most prevalent security flaws in third-party software, Veracode said Tuesday. In its annual State of Software Security Report, Veracode examined all the applications submitted to Veracode over the past 18 months, including those that were resubmitted after failing assessment on the first attempt, Chris Eng, vice-president of research at Veracode, told SecurityWeek.
Organizations rely heavily on third-party applications and external developers. A "typical enterprise" averages 600 mission-critical applications, of which almost two-thirds were developed externally, Eng said. Companies may be vulnerable to data theft, malware infection, and financial fraud if the security flaws in third-party software are not addressed, and there are signs organizations are beginning to thinking about securing the software supply chain, Eng said.
"The widespread adoption of third-party apps and use of external developers in enterprises brings increased risk," Eng said, before noting that there were signs enterprises were recognizing and addressing the risks.
The volume of vendor-supplied software and application assessments within the organization is growing, increasing 49 percent between the first quarter of 2011 and the second quarter of 2012, Veracode said. Previously, the financial services, software/IT services, and technology sectors dominated vulnerability assessments. Now, half of the companies regularly requesting assessments come from industry sectors other than those three, Veracode found. While it's growing, code assessment is still in the "early stages" considering that less than one in five enterprises have requested a code-level security audit from at least one vendor, Eng said.
Nearly 62 percent of applications failed the security test on the first submission, which means organizations need procedures in place to manage non-compliant applications as part of its comprehensive enterprise security policy, Veracode said.
There is a gap between what the organization requires to pass the assessment and what the industry sets for compliance, and vendors are better at complying with enterprise standards, Veracode found. A little over a third, or 38 percent, of vendor-supplied applications complied with the less rigorous enterprise-defined policies, compared to the mere 10 percent complying with the recommendations outlined in the OWASP Top 10 list. About 30 percent of vendor-supplied applications were compliant with CWE/SANS Top 25 industry list.
Vendors were more likely to achieve compliance on the first try against the enterprise policy, Veracode found. "Obtaining initial visibility into the state of vendor software security was more important for these enterprises than demanding compliance with a tough security policy," the report said.
A programmatic approach to software security testing can help enterprises and vendors mitigate flaws, Veracode found. Organizations who take on a more ad-hoc approach, selecting and testing applications on a case-by-case basis had fewer applications and vendors participating in an assessment. Enterprises with programmatic approaches were also much faster at fixing flaws after a failed assessment to become compliant. In organizations with a programmatic approach for vulnerability testing, 45 percent of vendor applications were compliant within one week, compared to 28 percent in organizations with ad-hoc testing.
The most prevalent vulnerabilities found during vendor application assessments are also highlighted as being dangerous flaws on various industry lists, Eng said. Four of the top five flaw categories for Web applications appear on the OWASP Top 10 most dangerous flaws, Veracode found. Five of the top six flaw categories for non-Web applications (software) are listed on the CWE/SANS Top 25 list of the most dangerous flaws.
SQL injection and cross-site scripting continue to pop up quite frequently in applications, with SQL injection flaws found in 40 percent of Web application software and cross-site-scripting affecting 71 percent, Veracode said.
"Organizations still assume too much risk when trusting their third-party software suppliers to develop applications that meet industry and organizational standards," Eng said.