Report claims 80% of web apps will fail a PCI DSS audit

In its study of more than 2,900 web applications over the last 18 months, cloud risk-based security specialist Veracode notes that, over the last six months, there have been multiple new zero-day vulnerabilities reported in Microsoft Windows and widely covered uneasiness about the security of mobile apps, cloud service providers and SCADA systems.

As a result, says the IT security vendor, this reinforces concerns about unknown weaknesses lurking in everyday software.

The study – the State of Software Security Report: Volume 2 – found that the quality of applications remains poor, with 57% failing to meet acceptable levels of security.

In addition, the report notes that 8 out of 10 web applications failed to comply with the OWASP Top 10 security requirements, with cross-site scripting (XSS) – the flaw that caused Twitter to hit the headlines these last few days – being the most prevalent of all vulnerabilities.

Interestingly, the report notes that third-party applications were found to have the lowest security quality, whilst software developers quickly repaired their applications' security vulnerabilities.

Other conclusions of the report were that suppliers of cloud/Web applications were the most requested subjects of third-party assessments, and that no single method of application security testing is adequate on its own.

The final piece of bad news coming from the report is that the quality of applications from banks, insurance, and financial services industries was not in line with the critical nature of their business.

Commenting on the report's findings, Joseph Feiman, vice president and Gartner fellow, said that the traditional disjointed approach to enterprise security needs to give way to a comprehensive approach that enables advanced security and improved analytics, and assists in decision-making.

"We are calling this new approach Enterprise Security Intelligence and we believe that both technology providers and their enterprise customers must begin laying the groundwork for its development, adoption and implementation", he said.

"The concept of 'intelligence' is crucial, because it makes it clear that vulnerability scanning, monitoring and reporting are no longer adequate", he explained.

Over at Veracode, Matt Moynahan, the firm's CEO, said that his company has already begun laying the groundwork for greater enterprise security intelligence for applications.

The report, he said, provides an accurate reflection of what is happening in the larger software industry and offers real data that enterprises can use for better IT infrastructure decision-making.