Veracode uncovered that those security vendors tasked with protecting enterprises are often the most at risk due to the poor quality of their very own software applications. In fact, 72 percent of security products and services applications analyzed in this report failed to meet acceptable levels of security quality.
In its most recent State of Software Security report, Veracode analyzed 4,835 applications that were submitted to its cloud-based application security testing platform for independent security verification. That number is nearly double from the previous report (September 2010) and represents applications analyzed over the past 18 months.
Despite many new findings, there is one constant data point: software remains fundamentally flawed. In fact, 58 percent of all software applications across supplier types continued to fail to meet acceptable levels of security quality upon initial submission to Veracode’s service.
The report includes several new areas of analysis including a deep dive on the software industry, quarterly trending information on the prevalence of common vulnerabilities such as SQL Injection and Cross-Site Scripting (XSS) errors, a study of flaw remediation behavior, and software developer education and training statistics.
What makes this data especially valuable is that compared to reports that extrapolate findings after an attack, Veracode examines unknown application vulnerabilities prior to a breach, and often prior to deployment, to identify where potential weaknesses exist. Specific highlights include:
- 66 percent of software industry applications were found to be of unacceptable security quality upon initial submission, a clear sign that significant work needs to be done just to equal the 58 percent unacceptable rate for applications across all industries.
- 72 percent of security products and services applications had unacceptable security quality: The two worst performers within the software industry upon initial submission were the categories of customer support, such as CRM and web customer support applications (82 percent unacceptable), followed by security products and services (72 percent unacceptable).
- Private versus public software vendor applications – little discernable difference: Despite the heightened scrutiny faced by public companies and perhaps elevated expectations for application security, Veracode found little discernable differences in terms of security quality between the two sectors.
- Even with its flaws, the software industry moves swiftly to remediate errors: Overall, more than 90 percent of all applications across the software industry achieved acceptable security policy within 30 days. The average for all applications in the security products and services sub-category was an impressive three days. This data illustrates how easy it is to fix a flaw once it has been identified.
- SQL Injection errors slowly declining: Despite elevated awareness and frequency of exploitation in high-profile attacks, the percentage of applications infected with SQL Injection errors declined only slightly, 2.4 percent per quarter over the past eight quarters. The prevalence of XSS errors remaining largely unchanged.
Emphasizing the case for third-party software validation
The Epsilon breach served as a spectacular reminder about security risks for organizations that rely on third-party software to run core business functions. According to the Veracode report, Finance and Software & IT Services lead the charge for independent third-party risk assessments and software supplier accountability. Together, these industry segments represented more than 75 percent of the enterprises requesting formal verification of third-party suppliers. Additionally, the report showed that the Aerospace and Defense industry followed suit with its own efforts to apply new rigor to securing its software supply chain.
Reliance on third-party software will only increase with the adoption of cloud and mobile platforms. As such, CIOs and CISOs, particularly in the Finance, Software & IT Services, and Aerospace and Defense industries, should follow their peers’ efforts to protect their infrastructure against the dangers of insecure software.
Building or requiring secure software doesn’t have to be time consuming
Veracode understands the inherent concern among developer and security teams about gaining organizational buy-in for undertaking regular testing and programs. However, new data from this report seeks to debunk the assumption that remediation is simply too time intensive of a process to undertake.
More than 50 percent of commercial suppliers in Veracode’s data set resubmitted 90-100 percent of their applications. Slightly under 40 percent of companies developing applications internally resubmitted 90-100 percent of their applications. When all applications were measured against Veracode’s risk adjusted verification methodology, more than 80 percent of applications across all supplier types achieved an acceptable security rating within 30 days.
Making the case for application security training
While seemingly common sense that better developer training would lead to higher quality applications, Veracode is one of the first companies to link the prevalence of insecure software with quantifiable gaps in security competency and understanding. In analyzing data associated with its eLearning program participants, Veracode found that more than 50 percent of those who took an application security fundamentals exam received a grade of C or lower. More than 30 percent received a failing grade of D or F. This data supports the critical need for organizations to take responsibility for instituting more rigorous, contextual developer training and education programs to improve application security competency levels.
The complete report is available here (registration required).
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.