There needs to be a change before the problem is addressed appropriately at enterprises, said Chris Wysopal, CTO of Burlington, Mass.-based Veracode Inc. The software testing firm conducted its own study of 126 public companies that submitted Web applications to its cloud service over the last 18 months. The analysis validated anecdotal evidence that developers continue to churn out code riddled with the flaws, as well as other errors that can be used as a staging ground for a broader attack.
“I think more companies are doing testing now than ever before, but you can’t test security into your application, you have to change your development process,” Wysopal said. “We have empirical data that shows SQL injection [vulnerabilities are] being attacked, and the reason why they’re being attacked is because we find it in your average piece of software.”
Companies should be training developers about security and pushing testing further back into the software development lifecycle, Wysopal said in an interview with SearchSecurity.com. In part 2 of this three-part interview series, Wysopal explains why companies are getting tripped up and whether a steady decline in vulnerability reporting in commercial software can be attributed to better software security practices.
Editor’s note: This is the second installment of a three-part Q&A series exploring application security program fundamentals, threats and solutions. In part 2, application security expert Chris Wysopal of Veracode Inc. discusses technology that can be applied to the testing process and the challenge of developing secure mobile applications.
Your team conducted a recent study looking at 126 public companies over the last 18 months. What did you find?
Wysopal: We found a lot of things you would think of that have been in the news, like getting attacked with SQL injection; researchers reporting cross-site scripting. Our research has validated that those risks are true. Those vulnerabilities are found in the majority of Web applications that get sent to us. We have empirical data that shows SQL injection is being attacked and the reason why it’s being attacked is because we find it in your average piece of software.
SQL injection and cross-site scripting have been the most prevalent Web application vulnerabilities for some time, right?
Wysopal: Those are the top two that tend to come up over and over again as found in every single application we look at. We’re looking at it scientifically while the threat space is attacking what’s working. We find those are correlated here with our report.
You and other application security experts have been evangelizing for a long time to address many of these errors. Is that message not getting through? Are companies getting any better at
Wysopal: That is something I think about all the time. How much more evidence do you need to say you need to do something about your Web applications? I think more companies are doing testing now than ever before, but you can’t test security into your application, you have to change your development process. I think we’re starting to see more testing going on. I’m hoping it starts to move more towards using different languages and different frameworks. They should be training the developers to write code securely and doing the testing not when things are starting to go into production -- or are already in production -- but back in the software development lifecycle. We’re starting to see some improvements. In our last study we saw there was actually a downward trend with SQL injection over the last two years. About 4% fewer applications we reviewed had SQL injection vulnerabilities in them. It was enough to be statistically significant. On the other hand, with cross-site scripting, we didn’t see any improvements.
What are some other Web application vulnerabilities that don’t get the same attention as SQL injection or cross-site scripting?
Wysopal: A big one we find a lot of that doesn’t get attacked much is cryptographic issues. We see a lot of companies implementing their crypto poorly. They are not using the right APIs or the right ciphers. They are not using strong random number generation and so I think it might be more difficult for an attacker to target those vulnerabilities. There are not as many tools that are turnkey for those. But I think the more sophisticated attackers could attack those.
We also see a lot of information leakage. It is more of a stepping stone to some of the other attacks. It isn’t typically the only vulnerability, but it helps an attacker stage an attack. We see things like directories, the names of internal machines and IP addresses, account names and things like that being leaked in error messages. That is something fairly easy to fix.
The Veracode team also analyzed non-Web applications. They were tested against the CWE/SANS Top 25 list. How did they fare?
Wysopal: Those turn up a little better. Even though there are 25 things on that list, we found more of those applications passed. I think that goes to show how widespread SQL injection and cross-site scripting are; the Web applications fare poorer. With the non-Web applications, we find some of the applications that are written well and don’t have any defects that are in the Top 25 list.
Some of the reports coming out of Microsoft and other software vendors document a steady decline in publicly reported vulnerabilities in some of their products over the years. What are some of the factors contributing to the decline? Is it a focus on better software security?
Wysopal: I think there are only so many researchers out there that are discovering vulnerabilities. We’re seeing the whole world move away from installed software on the desktop and server-based moving toward Web applications; we’re seeing mobile applications. If you look at a conference like Black Hat and you look at the submissions, there’s a huge amount of submissions for mobile vulnerabilities and Web vulnerabilities. So people have turned away from some of the more traditional places where vulnerability research happens, and I think that has a lot to do with that decline, more so than the fact that software is written that much better.