Veracode has announced the launch of a free cross-site scripting (XSS) detection service to identify vulnerabilities and offer remediation recommendations.
According to the company, the free XSS detection service removes perceived complexity from the detection process, and with access to proper education and training developers can avoid introducing the flaws into software in the first place.
Users sign up for the service and submit one Java application free of charge; the platform scans it for XSS flaws and produces a detailed report giving the location of each flaw and remediation guidance. Participants also receive complimentary access to Veracode's dedicated XSS eLearning courses.
Veracode's 'State of Software Security Report' from September 2010 found that XSS accounted for 51 per cent of all vulnerabilities uncovered in a testing process. Chris Eng, senior director of security research at Veracode, said that many of the XSS vulnerabilities it sees are 'trivial' and can be fixed with a single line of code.
“Some of our customers upload a new build the following day; others never do. Motivation is clearly a factor,” said Eng. “Think about the XSS vulnerabilities that hit highly visible websites such as Facebook, Twitter, MySpace and others. Sometimes those companies push XSS fixes to production in a matter of hours. Are their developers really that much better? Of course not. The difference is how seriously the business takes it. When they believe it is important, you can bet it gets fixed.”
Matt Moynahan, CEO of Veracode, said: “Developer and product security teams must accept greater accountability for writing better code. With this new service, there is no excuse. They can quickly and easily test an application in its final state to identify flaws before it's made available to their partners, customers or introduced into the software supply chain.”