SecurityWeek

Application Security

Web Applications Security Fails to Make the Grade at Public Companies

A new report by application security vendor Veracode paints a not-so-rosy picture of application development programs.

In its annual “State of Software Security Report,” the company revealed that 84 percent of Web applications from public companies were deemed unacceptable when measured against the OWASP Top 10 list of the most critical and frequently exploited vulnerabilities. The picture was no prettier for non-Web applications, with 63 percent failing when measured against the CWE/SANS Top 25 list of critical non-Web application vulnerabilities.

“Companies – particularly public ones – are beginning to be measured by regulators and investors on the strength of their cybersecurity solution and ability to protect intellectual property and customer data,” Chris Wysopal, founder and CTO of Veracode, said in a statement. “This is a fundamental shift. Companies can put all of the other cybersecurity controls in place but if there are application weaknesses, hackers have the will and time to find and exploit them.”

Despite having more compliance requirements than other businesses, public companies did not fare much better than others. Just 16 percent of public company Web applications passed initial testing compared to 14 percent for companies at large when measured against the OWASP Top 10 standard. The figures were worse for non-Web applications, with 38 percent of public companies passing against the CWE/SANS standard versus 42 percent of companies overall.

There is some good news, however. The two most frequently exploited vulnerability types, cross-site scripting and SQL injection, remained statistically flat in prevalence from the first quarter of 2010 to the fourth quarter of 2011. That said, Veracode believes the results suggest new vulnerabilities are being introduced at the same rate as known vulnerabilities are being fixed.

“Over the last year some of the most prominent breaches that were carried out against the most preeminent names in business took advantage of weaknesses in software applications to infiltrate traditional perimeter defense security controls,” Wysopal said. “This should be a wake-up call. Particularly in public company disclosures, the issue needs to be discussed in much more detail.”

Written By

Marketing professional with a background in journalism and a focus on IT security.
