Software security testing – interest is high, security is low

In the past six months alone there have been multiple new zero-day vulnerabilities reported in Microsoft Windows and widely covered uneasiness about the security of mobile apps, cloud service providers and SCADA systems that reinforce concerns about unknown weaknesses lurking in everyday software.

To address those concerns, Veracode analyzed more than 2,900 applications to publish the “State of Software Security Report: Volume 2.” Similar to the first report, findings show that overall quality of applications remains poor, with 57 percent failing to meet acceptable levels of security. New results demonstrate that cloud/web-based applications are the most commonly scrutinized, and with good reason: 80 percent of web applications would not pass a PCI audit.

The goal of the report is to create greater enterprise security intelligence among the C-suite, security managers and developers regarding their application portfolio. The data empowers informed decision-making around IT infrastructure choices including selecting the best mobile platform, policies about the use of Open Source software and how to best structure third-party software procurement contracts.

Findings are based on analysis of Internally Developed, Open Source, Outsourced and Commercial applications that have been submitted to Veracode for testing using its cloud-based platform over the past 18 months. Veracode reports a nearly 200 percent increase in the number of applications submitted for review during the past six months, indicating greater industry awareness about software security.

Following is a summary of key findings:

More than half of all software failed to meet an acceptable level of security – 57 percent of all applications were found to have unacceptable application security quality on first submission to the company’s testing service, even when standards were lowered for those considered less business critical.

Third-party code is the culprit behind Operation Aurora, Siemens Stuxnet and others – Third-party code is an essential and rapidly growing part of an enterprise’s software portfolio, making up nearly 30 percent of all applications submitted for review, with third-party components comprising between 30-70 percent of internally developed applications. Of particular note, third-party suppliers failed to achieve acceptable security standards 81 percent of the time.

Cloud /web applications were the most requested third-party assessments – Suppliers of cloud/web applications made up nearly 60 percent of all third-party assessments. Similar to the results of testing other types of third-party software, cloud/web applications show low levels of acceptable security.

Eight out of 10 web applications would fail a PCI audit – Based on automated analysis, Veracode found that eight out of 10 web applications failed to comply with the OWASP Top 10 industry standard for security quality, and therefore would not pass a PCI audit.

Security flaws are being repaired quicker than ever before – Indicating the positive impact of greater developer education and training, more mature tools and increasing enterprise pressure, Veracode found that the time it took organizations to repair flaws to achieve acceptable levels of security decreased from between 36-82 days, to 16 days on average.

56 percent of finance-related applications failed upon first submission to the testing service. Analysis shows that software quality of applications from banking, insurance and financial services industries is not commensurate with the security requirements expected for business critical applications, though the financial services industry performed better than banking and insurance overall.

Cross-site scripting remains prevalent, accounting for 51 percent of all vulnerabilities uncovered in the testing process; .NET applications exhibited abnormally high cross-site scripting vulnerabilities. Additionally, “potential backdoors” broke into the top 10 most common vulnerabilities.

The company noted a significant increase in the number of applications it has been asked to review at the request of a buyer of software or software development services since its last report. Third-party assessments (similar to having a pre-purchase home inspection) are among the fastest growing types of assessments requested of Veracode – a sign that organizations are taking increased responsibility for managing risk within their software supply chain and the growing use of independent, cloud-based application risk management services.

The State of Software Security draws on continuously updated information in the company’s cloud-based application risk management services platform. New in Volume 2 is data from third-party assessments, the first inclusion of PHP and ColdFusion applications, a comparison of static binary, dynamic and manual testing effectiveness, and additional depth on financial industry applications. The data comes from actual code-level analysis of billions of lines of code and thousands of applications.