Research Shows a Slight Decline in the Percentage of SQL Injection Errors Across All Industry Applications, While Prevalence of Cross-Site Scripting Errors Remains Unchanged
LONDON Infosecurity Europe 2011 (Booth #B90) April 19, 2011 With the trend of targeted cyber attacks along with the exploitation of common vulnerabilities such as SQL Injection, it is clear that the core software infrastructure of several critical industries remains extremely vulnerable. Released today, the Veracode State of Software Security Report: Volume 3 uncovered that those security vendors tasked with protecting enterprises are often the most at risk due to the poor quality of their very own software applications. In fact, 72 percent of security products and services applications analyzed in this report failed to meet acceptable levels of security quality.
In its most recent State of Software Security report, Veracode analyzed 4,835 applications that were submitted to its cloud-based application security testing platform for independent security verification. That number is nearly double from the previous report (September 2010) and represents applications analyzed over the past 18 months. Despite many new findings, there is one constant data point: software remains fundamentally flawed. In fact, 58 percent of all software applications across supplier types continued to fail to meet acceptable levels of security quality upon initial submission to Veracodes service.
Whats New: From Software Industry Risks to SQL Injection TrendsVolume 3 includes several new areas of analysis including a deep dive on the software industry, quarterly trending information on the prevalence of common vulnerabilities such as SQL Injection and Cross-Site Scripting (XSS) errors, a study of flaw remediation behavior, and software developer education and training statistics.
What makes this data especially valuable is that compared to reports that extrapolate findings after an attack, Veracode examines unknown application vulnerabilities prior to a breach, and often prior to deployment, to identify where potential weaknesses exist. Specific highlights include:
66 percent of software industry applications were found to be of unacceptable security quality upon initial submission, a clear sign that significant work needs to be done just to equal the 58 percent unacceptable rate for applications across all industries.
72 percent of security products and services applications had unacceptable security quality: The two worst performers within the software industry upon initial submission were the categories of customer support, such as CRM and web customer support applications (82 percent unacceptable), followed by security products and services (72 percent unacceptable).
Private versus public software vendor applications little discernable difference: Despite the heightened scrutiny faced by public companies and perhaps elevated expectations for application security, Veracode found little discernable differences in terms of security quality between the two sectors.
Even with its flaws, the software industry moves swiftly to remediate errors: Overall, more than 90 percent of all applications across the software industry achieved acceptable security policy within 30 days. The average for all applications in the security products and services sub-category was an impressive three days. This data illustrates how easy it is to fix a flaw once it has been identified.
SQL Injection errors slowly declining: Despite elevated awareness and frequency of exploitation in high-profile attacks, the percentage of applications infected with SQL Injection errors declined only slightly, 2.4 percent per quarter over the past eight quarters. The prevalence of XSS errors remaining largely unchanged.
While somewhat surprising, our findings related to the quality of security product and services vendors seem to corroborate recent headlines associated with the high-profile, but not especially sophisticated attacks, on prominent security vendors such as HBGary, Comodo, Barracuda Networks and EMCs RSA division. These findings should reinforce that no industry sector is immune to application security risk, said Matt Moynahan, CEO, Veracode, Inc. Our goal with these State of Software Security reports is to continue to raise awareness of the prominence of common vulnerabilities, such as those caused by SQL Injection or XSS errors, while providing organizations with confidence that with the right training, tools and C-level commitment, that high-quality software is possible, without a tremendous time investment.
No comments:
Post a Comment