Web applications continue to fail security tests, as XSS and SQL flaws remain a problem

News by Dan Raywood

Over three-quarters of applications fail to meet NIST standards on security.

According to the Veracode State of Software Security report, cross-site scripting (XSS) and SQL injection remain two of the most frequently exploited vulnerabilities while the capability to write applications has increased.

Speaking to SC Magazine, Veracode EMEA vice-president Matt Peachey claimed that application writers need to be more diligent on risk as platforms are riddled with issues.

The report evaluated 9,910 applications; an average of 58 per cent failed an initial security test, but with NIST standards applied, 84 per cent failed. Peachey said: “Twenty per cent of all hacks are due to SQL injection flaws so there should be zero tolerance now. The threat landscape has missed out and so has the application assessment process. Hacking has got worse this year and writers have got to do more to determine what is acceptable and what is not.”

However, the report also found that more than 80 per cent of applications that failed to achieve acceptable security standards on initial submission were able to achieve a passing grade within one week.

For the first time, the report also evaluated Android applications and found that mobile developers tend to make similar mistakes to enterprise developers, specifically with the use of hard-coded cryptographic keys. It found that more than 40 per cent of the Android applications it analysed had at least one instance of this flaw.

Peachey pointed out that hard-coded cryptographic keys are a problem because every installed instance of the application shares the same key, making it easier for an attacker to initiate a broader assault.
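One way to catch the hard-coded key flaw the report describes before an app ships is a simple static check over the source. The script below is an added example, not code from Veracode or the report; it runs over a constructed sample of Android Java lines and flags each `SecretKeySpec` whose key material is a string or byte-array literal (directly, or via a constant assigned a literal in the same file), while leaving a key generated in the Android Keystore alone.

```python
import re
from typing import List, Tuple

# Constructed Android (Java) source, not taken from any real app: it mixes
# hard-coded keys with a per-device key generated in the Android Keystore.
SAMPLE_SOURCE = """\
package com.example.app;
private static final String KEY = "0123456789abcdef";
SecretKeySpec spec = new SecretKeySpec(KEY.getBytes(), "AES");
byte[] raw = new byte[]{(byte)0x2b, (byte)0x7e, (byte)0x15, (byte)0x16};
SecretKeySpec spec2 = new SecretKeySpec(raw, "AES");
KeyGenerator kg = KeyGenerator.getInstance("AES", "AndroidKeyStore");
SecretKey k = kg.generateKey();
SecretKeySpec spec3 = new SecretKeySpec(derived, "AES");
"""

STRING_CONST = re.compile(r'String\s+(\w+)\s*=\s*"[^"]*"')
BYTES_CONST = re.compile(r'byte\[\]\s+(\w+)\s*=\s*new\s+byte\[\]\s*\{')
KEY_SPEC = re.compile(r'new\s+SecretKeySpec\s*\(\s*([^,]+?)\s*,')


def find_hardcoded_keys(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, line) for each SecretKeySpec built from a literal.

    A key counts as hard-coded when its first argument is a string literal,
    a byte-array literal, or a name this file assigns such a literal to.
    """
    # Pass 1: collect names that are assigned literal key material.
    literal_names = set()
    for line in source.splitlines():
        for pat in (STRING_CONST, BYTES_CONST):
            m = pat.search(line)
            if m:
                literal_names.add(m.group(1))
    # Pass 2: flag SecretKeySpec constructions fed from those literals.
    findings = []
    for num, line in enumerate(source.splitlines(), start=1):
        m = KEY_SPEC.search(line)
        if not m:
            continue
        arg = m.group(1)
        base = re.sub(r'\.getBytes\(.*\)$', '', arg).strip()
        if base.startswith('"') or base.startswith('new byte[]') or base in literal_names:
            findings.append((num, line.strip()))
    return findings


if __name__ == "__main__":
    for num, line in find_hardcoded_keys(SAMPLE_SOURCE):
        print(f"line {num}: hard-coded key material: {line}")
```

The check is deliberately narrow (one file, one API); a real scan would also follow constants across files and cover the other `javax.crypto` entry points.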

Chris Wysopal, founder, CISO and CTO of Veracode, said: “We feel strongly that there must be a greater sense of urgency. Our hope with this report is that by raising the visibility of software-related business risk, we will encourage the industry to adopt a long-term commitment to protecting our software infrastructure.”
