Core Software Infrastructure of Many Industries Remains Vulnerable, Says Veracode Report

Veracode Report Uncovers Significant Weaknesses in Security Vendor Applications. Shows Slight Decline in the Percentage of SQL Injection Errors Across All Industry Applications, While Prevalence of Cross-Site Scripting Errors Remains Unchanged

The Verizon 2011 Data Breach Investigations Report, released today, noted that the most common method of malware infection in data breach incidents was installation or injection by a remote attacker, often in scenarios where an attacker breached a system and then deployed the malware or injected code via SQL injection or other web application input functionality. This trend shows that the core software infrastructure of several critical industries remains extremely vulnerable.

Another report released today found that the security vendors responsible for protecting enterprises are often the most at risk because of the poor quality of their own software applications. According to the report, 72 percent of the security products and services applications analyzed failed to meet acceptable levels of security quality.

In the report released by Veracode, “State of Software Security Report: Volume 3”, Veracode analyzed 4,835 applications that were submitted to its cloud-based application security testing platform for independent security verification. The report revealed that software continues to be fundamentally flawed, with 58 percent of all software applications from various suppliers failing to meet acceptable levels of security quality upon initial submission to Veracode’s service.

Different in scope from reports such as the Verizon Data Breach Investigations Report, which extrapolates findings after an attack, the Veracode report examines previously unknown application vulnerabilities before a breach occurs to identify where potential weaknesses exist.

Key findings in the report:

66 percent of software industry applications were found to be of unacceptable security quality upon initial submission, a clear sign that significant work needs to be done just to equal the 58 percent unacceptable rate for applications across all industries.

72 percent of security products and services applications had unacceptable security quality: The two worst performers within the software industry upon initial submission were the categories of customer support, such as CRM and web customer support applications (82 percent unacceptable), followed by security products and services (72 percent unacceptable).

Developers Need More Application Security Training – More than 50 percent of developers who took an application security fundamentals exam received a grade of C or lower.

Private versus public software vendor applications – little discernible difference: Despite the heightened scrutiny faced by public companies and perhaps elevated expectations for application security, Veracode found little discernible difference in security quality between the two sectors.

The software industry moves swiftly to remediate errors: Overall, more than 90 percent of all applications across the software industry reached compliance with an acceptable security policy within 30 days. The average for all applications in the security products and services sub-category was an impressive three days. This data illustrates how quickly a flaw can be fixed once it has been identified.

SQL Injection errors slowly declining: Despite elevated awareness and the frequency of exploitation in high-profile attacks, the percentage of applications affected by SQL Injection errors declined only slightly, by 2.4 percent per quarter over the past eight quarters. The prevalence of XSS errors remained largely unchanged.

Building or Requiring Secure Software Doesn’t Have to Be Time Consuming – Data from the report seeks to debunk the assumption that remediation is simply too time intensive of a process to undertake.

“While somewhat surprising, our findings related to the quality of security product and services vendors seem to corroborate recent headlines associated with the high-profile, but not especially sophisticated attacks, on prominent security vendors such as HBGary, Comodo, Barracuda Networks and EMC’s RSA division. These findings should reinforce that no industry sector is immune to application security risk,” said Matt Moynahan, CEO, Veracode, Inc. “Our goal with these State of Software Security reports is to continue to raise awareness of the prominence of common vulnerabilities, such as those caused by SQL Injection or XSS errors, while providing organizations with confidence that with the right training, tools and C-level commitment, that high-quality software is possible, without a tremendous time investment.”

The Epsilon breach served as a spectacular reminder about security risks for organizations that rely on third-party software to run core business functions. According to the Veracode report, Finance and Software & IT Services lead the charge for independent third-party risk assessments and software supplier accountability. Together, these industry segments represented more than 75 percent of the enterprises requesting formal verification of third-party suppliers. Additionally, the report showed that the Aerospace and Defense industry followed suit with its own efforts to apply new rigor to securing its software supply chain.

Reliance on third-party software will only increase with the adoption of cloud and mobile platforms. As such, CIOs and CISOs, particularly in the Finance, Software & IT Services, and Aerospace and Defense industries, should follow their peers’ efforts to protect their infrastructure against the dangers of insecure software.
