Security apps full of common software flaws, report finds

Developers still not taking security seriously, Veracode finds

Security developers are one of the two software sectors most likely to write insecure code, an analysis of applications submitted to code-testing outfit Veracode has found.

According to the company's State of Software Security (SOSS) Report volume three, 72 per cent of security software and services applications seen by the company were deemed 'unacceptable' on the first analysis of their code, a result that was ahead of only one sector, customer support, which failed 82 per cent of the time.

For comparison, the financial sector failed only 52 per cent of the time, with the score across all development sectors, including internal, bespoke and commercial developers, being a mediocre 58 per cent.

Veracode first published the SOSS in mid-2009, since when it has updated the analysis every six months based on the accumulated number of applications submitted by its customers. That total now stands at 4,385, of which 13 per cent are security-related.

On a positive note, security vendors were the best sector at fixing the flaws, with an average remediation time of only three days.

The findings might count as surprising if it weren't for a recent spate of security woes suffered by companies in the sector, including RSA Security, HBGary Federal, Comodo, and Barracuda Networks, the report's authors note.

Two security flaws that can commonly afflict web applications remain about as common as they were in the two previous SOSS reports, which suggests a deeper complacency in the developer community.

60 per cent of web applications are affected by easily-fixed cross-site scripting (XSS) flaws, a number that has remained static since Q1 2009. SQL injection flaws have improved somewhat over time, but are still currently around the 30 per cent mark.

"When you consider these statistics in the context of the ever strengthening threat environment these application security weaknesses translate into real and present danger for the risk-free operation of your software infrastructure," say the authors.

Where the services offered by Veracode and companies like it first into this environment is interesting. The company sells its ability to detect security problems in code, mainly using an automated mixture of 'static' and 'dynamic' analysis. It is clear, however, that many of the problems it detects would not be there at all were developers to adopt better security review during the stage applications are planned and written.

Join the CSO newsletter!

Error: Please check your email address.

Tags applicationssecurityVeracodesoftware

More about Barracuda NetworksComodoRSA

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by John E Dunn

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts