More than half of internally developed, open source, outsourced and commercial applications are vulnerable to security breaches.
A report by Veracode claims that of the 1,600 applications analysed when first submitted, 58 per cent contained vulnerabilities similar to those exploited in the recent cyber attacks on Google and others.
Despite the claim about vulnerabilities in open source software, the report did find that it "has comparable security, faster remediation times and fewer potential backdoors than commercial or outsourced software".
However, it found that 40 per cent of all applications submitted at the request of large enterprises were from third parties, and more than 30 per cent of all internally developed applications also included identifiable commercial, open source and outsourced code.
Matt Moynahan, CEO of Veracode, said: “Because of the depth and breadth of the data in our platform, we have expansive knowledge about risk from all types of applications and across the software supply chain.
“The report not only analyses the state of security more comprehensively than any others in this market, but it offers specific recommendations for each type of potential threat. It is essential reading for security professionals and executives accountable for the software supply chain and its impact on the business.”
Joseph Feiman, vice president and Gartner fellow, said: "Gartner advises its clients to conduct their own inspection of all application code they procure from third parties. However, if they lack their own resources or expertise, we recommend that they outsource third-party code testing to trusted service providers."
The news comes as Microsoft confirmed it was investigating a publicly posted issue that could allow an attacker to host a maliciously crafted web page. An attacker could run arbitrary code if they could convince a user to visit the web page and then press the F1 key in response to a pop-up dialog box.
Jerry Bryant, senior security communications manager at Microsoft, said it was not aware of any attacks seeking to exploit this issue at this time and that it had determined that users running Windows 7, Windows Server 2008 R2, Windows Server 2008 and Windows Vista are not affected by this issue.