SecurityWeek
Application Development Programs Get Mixed Grades on Security

Secure application development programs are making progress reducing the prevalence of well-known vulnerabilities, but others appear to be growing in frequency, according to a new report from Cenzic.

In an analysis of applications tested by Cenzic’s Managed Services Team in 2013, 25 percent were found to have a cross-site scripting vulnerability, a slight drop-off from the previous year. However, other categories of vulnerabilities, such as information leakage (23 percent) and authentication and authorization bugs (15 percent), appear to be on the upswing or remained unchanged compared to 2012.

Altogether, 96 percent of the tested applications had at least one vulnerability, with the average being 14.

There are a number of challenges to application security, explained Bala Venkat, chief marketing officer at Cenzic. For one, security is often neither well understood nor baked into the secure development lifecycle, he said. Also, companies often outsource their code development to offshore organizations that are under pressure to deliver code on a tight deadline. Organizations should enforce a third-party security certification program for cloud services providers and supply chain partners, to certify that their applications and web services are free of vulnerabilities and approved for making digital connections into enterprise networks, he said.

“A holistic security program is often missing in organizations end to end,” he said. “Different business units for example do not have a concerted singular focus on incorporating security across all the domains. For example, a production stakeholder is more concerned about uptime and reliability and fails to realize that the applications that moved into his or her environment must have been secured at the code level in the pre-production environment in the first place. By the same token, the pre-production stakeholder is more concerned about pushing the apps to production on a deadline and not incentivized/compensated for incorporating security in their code practice.”

This has extended to the world of mobile applications, where privacy violations and excessive privileges were found in more than 80 percent of the apps tested. In particular, Cenzic recommends mobile developers pay close attention to how data is transferred and stored on mobile devices. Input validation (20 percent), session management (15 percent) and privacy violations (22 percent) combined to account for 57 percent of the mobile vulnerabilities.

“BYOD is causing new challenges,” the CMO told SecurityWeek. “Single sign-on... employees bringing in their own devices, they come and go into an organization. Do they have their permissions authenticated and verified as they enter different environments? What happens when they leave their employer? Do their permissions get turned off automatically? Oftentimes, we find these are holes that cyber criminals exploit and access data they were not privileged to.”
