Over the past 18 months, almost 10,000 software applications from the government and private sector were submitted to Veracode’s online security testing platform for independent security auditing and 8 out of 10 failed to achieve an acceptable level of security on their first try. Veracode reached this conclusion by automatically checking submitted apps for over 100 types of flaws. That’s not to say the 18% that passed were flawless, merely that their security gaps weren’t glaring. Take into account that developers who have their applications tested by an independent third party are likely more security conscious to begin with, and you paint a pretty grim picture or software application security.
In government, 75% of applications had cross-site scripting problems, which means that attackers could find ways to input malicious code onto a webpage. These attacks are often used to get sensitive information maintained by a user’s browser, such as session cookies that can then be utilized to impersonate the user. According to Veracode, one reason for the prevalence of cross-site scripting issues was that many government apps were built using Cold Fusion, a programming language more likely to produce such flaws than languages more commonly used for commercial applications. In addition, 40% of government applications were vulnerable to SQL injections, which allow unauthorized users to get into back-end databases through a website. SQL injection flaws have grown less common over the past few years in the app market as a whole, but they have failed to improve in government despite all of the “wake up calls” declared earlier when LulzSec used this method of attack along with cross-site scripting to hack government and industry websites. Veracode CTO Chris Wysopal believes that while companies have to deal with angry customers, the government only needs to worry about meeting regulations and standards and hence faces less pressure to develop secure applications.
That doesn’t mean that commercial software apps fared much better, they simply had a more diverse set of problems such as buffer overflows and management issues. Veracode found that 3% of commercial applications had backdoors, initially put in place for debugging and diagnostic support, that can be used by attackers. They also looked at about 100 Android enterprise mobile applications and found that 40% had hard-coded crypographic keys, which are keys that are fixed in the source code. If the mobile device is lost or stolen a thief could get into the application without additional credentials or a hacker could decomplie the source code to get the key.
This startling data confirms that government and industry alike should assume that their applications are vulnerable. Rather than responding to incidents reactively, they should presume breach and make sure their auditing and remediation processes are in order. They should also try to pinpoint what their vulnerabilities are, as in all likelihood their applications are flawed, with the help of services such as Veracode. This way, they can prevent breaches or at least make vulnerabilities harder to find.
- Eight Out of Ten Software Apps Fail Security Test (wired.com)
- Note to CIOs: Your Organization Will Never Be 100% Secure (ctovision.com)
- 50 Days of Lulz: A Retrospective (ctovision.com)