Secure application development programs are making progress reducing the prevalence of well-known vulnerabilities, but others appear to be growing in frequency, according to a new report from Cenzic.
In an analysis of applications tested by Cenzic’s Managed Services Team in 2013, 25 percent were found to have a cross-site scripting vulnerability, a slight drop-off from the previous year. However, other categories of vulnerabilities, such as information leakage (23 percent) and authentication and authorization bugs (15 percent), appear to be on the upswing or to have remained unchanged compared to 2012.
Altogether, 96 percent of the tested applications had at least one vulnerability, with the average being 14.
There are a number of challenges to application security, explained Bala Venkat, chief marketing officer at Cenzic. For one, security is often not well understood and baked into the secure development lifecycle, he said. Also, companies often outsource their code development to offshore organizations that are under pressure to deliver code on a tight deadline. Organizations should enforce a third-party security certification program for cloud services providers and supply chain partners to certify that their applications and web services are free of vulnerabilities and approved for making digital connections into enterprise networks, he said.
“A holistic security program is often missing in organizations end to end,” he said. “Different business units for example do not have a concerted singular focus on incorporating security across all the domains. For example, a production stakeholder is more concerned about uptime and reliability and fails to realize that the applications that moved into his or her environment must have been secured at the code level in the pre-production environment in the first place. By the same token, the pre-production stakeholder is more concerned about pushing the apps to production on a deadline and not incentivized/compensated for incorporating security in their code practice.”
This has extended to the world of mobile applications, where privacy violations and excessive privileges were found in more than 80 percent of the apps tested. In particular, Cenzic recommends mobile developers pay close attention to how data is transferred and stored on mobile devices. Input validation (20 percent), session management (15 percent) and privacy violations (22 percent) combined to account for 57 percent of the mobile vulnerabilities.
“BYOD is causing new challenges,” the CMO told SecurityWeek. “Single sign-on... employees bringing in their own devices, they come and go into an organization. Do they have their permissions authenticated and verified as they enter different environments? What happens when they leave their employer? Do their permissions get turned off automatically? Oftentimes, we find these are holes that cyber criminals exploit and access data they were not privileged to.”