Majority of applications fall short on security – even those from security vendors

Findings of the report, which were released today, showed a minimal increase in the percentage of applications that failed to meet clients’ acceptable security standards over the last report (58% vs. 57%). In addition, data collected by the cloud-based application risk management firm showed that 80% of the 4835 applications it reviewed against the OWASP list of the top 10 web application errors failed to comply with the industry standard.

This is significant, Veracode noted, because the OWASP Top 10 is one of the measuring sticks the PCI Council uses to assess compliance with its standards.

The report, issued every six months, continued by acknowledging that the finance and software sectors were foremost in requesting “independent security verification” before deciding to purchase commercial applications (55%), with the aerospace and defense industries following behind. The analysis found that only a quarter of third-party commercial software applications met acceptable security standards as defined by the purchaser, up from 19% in the previous report.

Shortcomings in secure coding practices can be linked directly to a lack of training, asserted the Veracode report. It found that more than 50% of developers received a grade of C or lower when taking an application security fundamentals exam it provided, with more than 30% achieving grades of D or lower.

The reason for this gap, the report posits, is the lack of formal security training embedded in most university computer science programs. A move toward more rigorous security training would almost certainly help reduce the number of application security flaws, said Matt Peachey, VP EMEA for Veracode.

“I honestly think it will happen over time”, he told Infosecurity. “You can’t carry on in this state where you have bright young minds coming out of university, but not aware of the real-world issues.”

The most damaging indictment uncovered by the report concerns the ragged state of applications being provided by software firms themselves – with particular shortcomings among applications created by security firms. The findings revealed that 66% of applications created by the software sector were of “unacceptable security quality upon first submission”, worse than the overall rate of 58% across all industries. Security products and services fared even worse, with a mind-boggling 72% rated unacceptable on first submission.

“If you are buying a security product for your laptop or business, you sort of make the assumption it is going to be secure”, an astonished Peachey admitted. “Based on our assessments, they have not been to date...and this is very surprising to us.”

As for why this is the case, the Veracode executive points to the fact that much of the software in the security space is reused, although there is no concrete data to back up this theory. “But we know this is real because RSA got breached, HBGary got breached, Comodo got breached.”

However discouraging the report may be, the silver lining lies in the fact that most programmers, once educated on secure coding practices, are able to remediate software vulnerabilities rather quickly. Veracode found that organizations that resubmitted their “unacceptable” applications for assessment were able to achieve the aforementioned “acceptable” security quality within one month of their initial failed submission.

Security firms, however, were able to remediate their software security flaws in an impressive three days, added Peachey.

“You can build secure software quickly”, he concluded. “If you have access to the right type of information, you can improve the quality of your application enormously, and it’s not difficult.”
