The concept of secure development is still a myth as it is failing to show any signs of materialising.
Having published three vulnerabilities in one day, ProCheckUp has questioned whether the secure development that many predicted is showing any signs of materialising.
It claimed that the vulnerabilities it published are not new and that they, along with other larger vulnerabilities still being exposed, call for a greater commitment to secure development.
Jan Fry, head of PCI service at ProCheckUp, said: “We are still finding the same vulnerabilities across the industry, from the large corporations to the smaller players.
“The concept of secure development still isn't prominent. To exacerbate the situation, web developers are often under immense pressure to meet deadlines. Companies have to start making this a priority otherwise we will continue to find these unnecessary security risks.”
A vulnerability was published on Broadvision, where an attacker sets a session ID for the target domain in a victim's browser and the target application accepts the newly set session ID as valid. Once the victim logs in, the application treats the attacker-set session ID as an authenticated session; at that point the attacker can visit the target site using the same session ID that was planted in the victim's browser and hijack his or her account.
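The session-fixation pattern described above, as an added example (not ProCheckUp's or Broadvision's code): a minimal in-memory session store that can be configured either to trust an unknown client-supplied session ID and keep it across login (the vulnerable behaviour) or to ignore unknown IDs and rotate the ID at login (the mitigation). All class and function names and the planted ID value are constructed for the illustration.

```python
import secrets


class SessionStore:
    """Toy server-side session store; flags select vulnerable or safe behaviour."""

    def __init__(self, accept_unknown_ids: bool, rotate_on_login: bool):
        self.accept_unknown_ids = accept_unknown_ids
        self.rotate_on_login = rotate_on_login
        self.sessions = {}  # session_id -> {"user": None | str}

    def resolve(self, presented_id):
        """Map the session cookie the browser sent to a server-side session."""
        if presented_id in self.sessions:
            return presented_id
        if self.accept_unknown_ids and presented_id:
            # Vulnerable: adopt whatever ID the client presents, even one the
            # server never issued, and start tracking it as a real session.
            self.sessions[presented_id] = {"user": None}
            return presented_id
        # Safe: discard the unknown value and mint a server-chosen ID instead.
        new_id = secrets.token_urlsafe(16)
        self.sessions[new_id] = {"user": None}
        return new_id

    def login(self, presented_id, username):
        """Authenticate the user; optionally issue a fresh ID on privilege change."""
        sid = self.resolve(presented_id)
        if self.rotate_on_login:
            # Mitigation: drop the pre-authentication session and issue a new ID
            # that nobody who knew the old value can reuse.
            self.sessions.pop(sid)
            sid = secrets.token_urlsafe(16)
            self.sessions[sid] = {"user": None}
        self.sessions[sid]["user"] = username
        return sid

    def whoami(self, presented_id):
        """Return the user bound to the presented session ID, or None."""
        return self.sessions.get(presented_id, {}).get("user")


def fixation_succeeds(store):
    """Replay the scenario from the text: an ID is planted in the victim's browser,
    the victim logs in with it, and the same ID is then presented from elsewhere."""
    planted = "attacker-chosen-id"  # constructed value, never issued by the server
    store.login(planted, "victim")  # victim's browser sends the planted cookie
    return store.whoami(planted) == "victim"
```

Only the configuration that both trusts unknown IDs and keeps them across login lets the planted ID become an authenticated session; either fix on its own is enough to break the chain.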
The second vulnerability published was that Orion application server example pages are vulnerable to cross-site scripting (XSS). The final vulnerability was in Ringtail, where the 'inline' parameter processed by 'riv_install.asp' during the 'Ringtail Image Viewer Client' install process is vulnerable to XSS.