A new report by application security vendor Veracode paints a not-so-rosy picture of application development programs.
In its annual “State of Software Security Report,” the company revealed that 84 percent of Web applications from public companies were deemed unacceptable when measured against the OWASP Top 10 list of the most critical and frequently exploited vulnerabilities. The picture was no prettier for non-Web applications, with 63 percent failing when measured against the CWE/SANS Top 25 list of critical non-Web application vulnerabilities.
“Companies – particularly public ones – are beginning to be measured by regulators and investors on the strength of their cybersecurity solution and ability to protect intellectual property and customer data,” Chris Wysopal, founder and CTO of Veracode, said in a statement. “This is a fundamental shift. Companies can put all of the other cybersecurity controls in place but if there are application weaknesses, hackers have the will and time to find and exploit them.”
Despite having more compliance requirements than other businesses, public companies did not fare much better than others. Just 16 percent of public company Web applications passed initial testing compared to 14 percent for companies at large when measured against the OWASP Top 10 standard. The figures were worse for non-Web applications, with 38 percent of public companies passing against the CWE/SANS standard versus 42 percent of companies overall.
There is some good news, however. The two most frequently exploited vulnerability types – cross-site scripting and SQL injection – remained statistically flat in prevalence from the first quarter of 2010 to the fourth quarter of 2011. However, Veracode believes the results suggest new vulnerabilities are being introduced at the same rate as known vulnerabilities are being fixed.
“Over the last year some of the most prominent breaches that were carried out against the most preeminent names in business took advantage of weaknesses in software applications to infiltrate traditional perimeter defense security controls,” Wysopal said. “This should be a wake-up call. Particularly in public company disclosures, the issue needs to be discussed in much more detail.”