More than 8 in 10 software applications fail security test, says Veracode

This compares with only 58% of software applications that failed to meet acceptable levels of security in the previous report, although this year’s report applies more stringent criteria to the evaluation of software security.

“We have applied a more rigorous and probably more realistic rating for application security”, said Matt Peachey, vice president of Europe, the Middle East, and Africa at Veracode. For the most recent report, Veracode applied a zero tolerance policy for cross-site scripting and SQL injection vulnerabilities, the two most commonly exploited software flaws.

“The problem is not getting any better. Frankly, it is getting worse. You should care about it because…you could be the next Sony or whomever”, Peachey told Infosecurity.

The latest State of Software Security Report captures data collected over the past 18 months from the analysis of 9,910 applications (compared to 4,835 applications in Volume 3) that were submitted to Veracode’s cloud-based application security testing platform.

For web applications, the report found a high concentration of cross-site scripting and SQL injection vulnerabilities, with cross-site scripting present in 68% of all web applications and SQL injection present in 32% of all web applications.

Those vulnerabilities were found to affect a higher percentage of U.S. government web applications than private industry. The survey found that 75% of government applications had cross-site scripting issues compared to 67% for the finance sector and 55% for the software sector; 40% of government applications had SQL injection issues, compared to 29% for finance and 30% for software.

In addition, vulnerabilities that can lead to remote code execution and backdoor functionality, such as buffer overflows in non-type-safe languages (C/C++ and Objective-C), were found to be far more prevalent in commercial software, according to the report. The RSA and Google Aurora attacks were based on remote code execution, Peachey explained.

Veracode also found that mobile software developers tend to make similar mistakes to enterprise developers, specifically with the use of hard-coded cryptographic keys. More than 40% of the Android applications analyzed had at least one instance of this flaw.

“If someone were to exfiltrate that cryptography key off your application, they can use it to gain access to anyone else’s phone using the same application. From our perspective, you should never hard-code data like that into any application”, Peachey said.
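As an added illustration of the hard-coded key flaw the report counts, and not code from Veracode or the report, the following Python heuristic flags string and byte-array key literals in constructed Android (Java) snippets while leaving the Android Keystore-backed variant alone; the file names, snippets and regex rules are all assumptions of this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed Android (Java) snippets, not from the report: two embed the AES key, one uses the Keystore.
SAMPLES: Dict[str, str] = {
    "CryptoHelper.java": """
        private static final String KEY = "0123456789abcdef";
        SecretKeySpec spec = new SecretKeySpec(KEY.getBytes(), "AES");
    """,
    "Legacy.java": """
        byte[] aesKey = {0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, (byte) 0xd2, (byte) 0xa6,
                         (byte) 0xab, (byte) 0xf7, 0x15, (byte) 0x88, 0x09, (byte) 0xcf, 0x4f, 0x3c};
        SecretKeySpec spec = new SecretKeySpec(aesKey, "AES");
    """,
    "Secure.java": """
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        SecretKey key = (SecretKey) ks.getKey("db-key", null);
    """,
}

# Line-level heuristics: a string literal stored in a key-like variable, or passed straight
# into a JCE key/IV spec constructor. File-level: a byte-array initialiser of AES key length.
LINE_RULES = [
    ("string literal assigned to key-like variable",
     re.compile(r'\b\w*(?:key|secret)\w*\s*=\s*"[^"]+"', re.IGNORECASE)),
    ("string literal passed to SecretKeySpec/IvParameterSpec",
     re.compile(r'new\s+(?:SecretKeySpec|IvParameterSpec)\s*\(\s*"')),
]
ARRAY_INIT = re.compile(r"=\s*\{([^}]*)\}")
KEY_SIZES = {16, 24, 32}  # AES-128/192/256 in bytes


def find_hardcoded_keys(source: str) -> List[Tuple[int, str]]:
    """Return (line number, reason) for each suspected embedded key in one source file."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for reason, rule in LINE_RULES:
            if rule.search(line):
                findings.append((lineno, reason))
    for m in ARRAY_INIT.finditer(source):
        n = len(re.findall(r"0x[0-9a-fA-F]{1,2}", m.group(1)))
        if n in KEY_SIZES:  # report the line holding the '=' that opens the initialiser
            findings.append((source[: m.start()].count("\n") + 1, f"byte-array literal of {n} bytes"))
    return sorted(findings)


def scan(files: Dict[str, str]) -> Dict[str, List[Tuple[int, str]]]:
    """Scan a set of sources; only files with findings appear in the result."""
    return {name: hits for name, src in files.items() if (hits := find_hardcoded_keys(src))}
```

Running `scan(SAMPLES)` reports the two files that embed a key and nothing for the Keystore-backed one; the rules are deliberately simple and will need tuning against real code bases.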
