Application Development Programs Get Mixed Grades on Security

Secure application development programs are making progress reducing the prevalence of well-known vulnerabilities, but others appear to be growing in frequency, according to a new report from Cenzic.

In an analysis of applications tested by Cenzic’s Managed Services Team in 2013, 25 percent were found to have a cross-site scripting vulnerability, a slight drop-off from the previous year. However, other categories of vulnerabilities, such as information leakage (23 percent) and authentication and authorization bugs (15 percent), appear to be on the upswing or remained unchanged compared to 2012.

Altogether, 96 percent of the tested applications had at least one vulnerability, with the average being 14.

There are a number of challenges to application security, explained Bala Venkat, chief marketing officer at Cenzic. For one, security is often not well understood and baked into the secure development lifecycle, he said. Also, companies often outsource their code development to offshore organizations that are under pressure to deliver code on a tight deadline. Organizations should enforce a third-party security certification program for cloud services providers and supply chain partners to certify their applications and web services are free of vulnerabilities and approved for making digital connections into enterprise networks, he said.

“A holistic security program is often missing in organizations end to end,” he said. “Different business units for example do not have a concerted singular focus on incorporating security across all the domains. For example, a production stakeholder is more concerned about uptime and reliability and fails to realize that the applications that moved into his or her environment must have been secured at the code level in the pre-production environment in the first place. By the same token, the pre-production stakeholder is more concerned about pushing the apps to production on a deadline and not incentivized/compensated for incorporating security in their code practice.”

This has extended to the world of mobile applications, where privacy violations and excessive privileges were found in more than 80 percent of the apps tested. In particular, Cenzic recommends that mobile developers pay close attention to how data is transferred and stored on mobile devices. Input validation (20 percent), session management (15 percent) and privacy violations (22 percent) combined to account for 57 percent of the mobile vulnerabilities.

“BYOD is causing new challenges,” the CMO told SecurityWeek. “Single sign-on... employees bringing in their own devices, they come and go into an organization. Do they have their permissions authenticated and verified as they enter different environments? What happens when they leave their employer? Do their permissions get turned off automatically? Oftentimes, we find these are holes that cyber criminals exploit and access data they were not privileged to.”
