Application security vendor Veracode Inc. is urging software makers to conduct security awareness training for developers and additional application security testing after a review found a variety of common software vulnerabilities.
The third edition of the company’s State of Software Security report was issued this week. Veracode conducted software code analysis on 4,835 applications that were submitted via its software security platform over an 18-month period. It found 58% of all applications first submitted to the security vendor had “unacceptable security quality.”
Veracode uses what it calls a “risk-adjusted verification scale” to weigh whether software code is acceptable or unacceptable. The firm scores the software based on the number of vulnerabilities discovered during code analysis, as well as the severity level of those vulnerabilities. Also factoring into the score is the business criticality of the application, which is determined by the submitter. An application that controls financial data, or one whose failure carries a risk of loss of life, weighs heavily in the score.
Commercial software vendors and security software makers are also getting sub-par marks from Veracode. The report found that 66% of software vendor applications had an unacceptable security quality, and 72% of security software vendors got the same poor marks.
Web application errors are the root cause of many of the website breaches that have surfaced in recent years, including some high-profile website breaches against security vendors. While websites are typically tied to few systems containing sensitive data, attackers can inject code into them to create drive-by attacks on legitimate sites. Recently McAfee.com was breached, exposing some email addresses. Breaches have been reported against Barracuda Networks Inc., Comodo Group Inc., Symantec Corp., Kaspersky Lab and others.
“So far we’ve seen more opportunistic attackers than dedicated attackers trying to find intellectual property about security companies,” said Chris Eng, senior director of security research at Veracode. “If you happen to hit the right system, you could stumble onto something important.”
Veracode found that when weighed against the OWASP Top 10, a list of critical Web application errors, more than 8 out of 10 Web applications across internally developed and commercial software fail to achieve compliance. But OWASP isn’t the only framework the firm tests against. The CWE/SANS Top 25 software vulnerabilities list addresses many non-Web application coding errors. Eng said compliance may be the biggest driver in how companies use the various frameworks available for secure coding. For example, the Payment Card Industry Data Security Standard (PCI DSS) was recently changed to remove its dependence on OWASP, giving merchants the ability to test against other frameworks, including the CERT Secure Coding Standards.
“We get people asking for everything, which is why we have mapping for all these different taxonomies,” Eng said. “People aren’t really asking us which one they should use, they’re picking the ones they need and choosing to map the testing results against it.”
Software makers are making progress in addressing SQL injection vulnerabilities, one of the most common errors in Web application security. The firm measured the percentage of applications affected by at least one instance of SQL injection or cross-site scripting (XSS). The share affected by SQL injection is gradually decreasing, by 2.4% per quarter, while XSS, commonly found in Web applications, remains flat. Eng said security training can help raise the profile of these common errors. In addition, automated tools can find such flaws quickly, he said.
“Companies are starting to take software security more seriously, and SQL injection is a fairly easy thing to fix,” Eng said. “Companies are also starting to include more applications in the realm of testing, so the overall rate of SQL injection and XSS is not decreasing as much because you’re introducing these new apps into the mix.”
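To make concrete why Eng calls SQL injection “a fairly easy thing to fix” and how an automated tool can spot it, here is an added example (not code from the report or from Veracode): a lookup written with string concatenation beside the parameterized version, run against a constructed in-memory SQLite table, plus a crude line-level static check of the kind a scanner would apply to source. The table contents, the probe input and the regex heuristic are all assumptions made for this illustration.

```python
import re
import sqlite3

# Crude static check: a SQL string literal glued to data with + / % / .format(.
# A real scanner does data-flow analysis; this heuristic only shows the idea.
SQL_CONCAT = re.compile(
    r'["\']\s*(SELECT|INSERT|UPDATE|DELETE)\b.*?["\']\s*(\+|%|\.format\()', re.I)

def flag_concatenated_sql(source):
    """Return 1-based line numbers whose SQL literal is built by concatenation."""
    return [n for n, line in enumerate(source.splitlines(), 1)
            if SQL_CONCAT.search(line)]

# Constructed two-line source sample: first line flawed, second line fixed.
SAMPLE_SOURCE = '''\
cur.execute("SELECT role FROM users WHERE name = '" + name + "'")
cur.execute("SELECT role FROM users WHERE name = ?", (name,))
'''

def make_db():
    """Constructed in-memory sample table (not data from the report)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def lookup_vulnerable(conn, username):
    # Flaw: untrusted input is spliced into the SQL text, so a quote in the
    # input changes the structure of the query rather than being a value.
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()

def lookup_fixed(conn, username):
    # Fix: bind the value as a parameter; the driver never parses it as SQL.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()

def demo():
    """Run both variants on a benign name and on a constructed probe input."""
    conn = make_db()
    tricky = "x' OR '1'='1"  # constructed probe of the kind a scanner sends
    return {
        "vulnerable_benign": lookup_vulnerable(conn, "bob"),
        "vulnerable_tricky": lookup_vulnerable(conn, tricky),  # every row leaks
        "fixed_benign": lookup_fixed(conn, "bob"),
        "fixed_tricky": lookup_fixed(conn, tricky),            # no such user
        "static_hits": flag_concatenated_sql(SAMPLE_SOURCE),   # [1]
    }
```

The same parameter-binding fix applies to any database driver; the static heuristic is only a starting point and misses queries assembled across several lines.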