Almost three-quarters of security products and service applications fail to meet acceptable levels of quality.
According to Veracode's State of Software Security report, security vendors tasked with protecting enterprises are often the most at risk due to the poor quality of their very own software applications. It said that of 4,835 applications submitted to its application security testing platform, 72 per cent failed on a first scan.
Veracode said that this is nearly double the number from the previous report in September 2010 and represents applications analysed over the past 18 months. Matt Peachey, VP EMEA at Veracode, told SC Magazine that this is about driving awareness of application security and about trying to identify vulnerabilities in applications.
He said: “The point is there is real world data on vulnerabilities in software that you use every day. A drill down into the data shows that if you buy a security product, you would assume it would go through some rigorous security testing process, but the facts are that they are not.
“The vulnerabilities are everywhere but what do you do when you find them? The majority of people in security fix them within one month and the average is three days.”
Asked if these numbers could be worse, Peachey said that while the numbers seem to be bad, when he saw the results they were not what he was expecting.
The report also found that SQL injection and cross-site scripting (XSS) vulnerabilities remain common: SQL injection flaws are declining slightly, while the prevalence of XSS errors remains largely unchanged.
Peachey said: “XSS is flatlining at 60 per cent, SQL is simple to fix but it is trending downwards. People are starting to tackle this and it is a question of timing and driving down the process, as people are still dealing with legacy systems and new applications.”
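To show what “simple to fix” looks like for the two flaw classes the report singles out, here is an added example (not code from the article, Veracode or SC Magazine) that places a string-built SQL query beside its parameterised form, and an unescaped HTML template beside one that encodes output. The table, rows and inputs are constructed for the demonstration; SQLite in memory stands in for whatever database a real application uses.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with two sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """SQL injection: the caller-supplied name is spliced into the SQL text,
    so quote characters in it change the query's structure."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn: sqlite3.Connection, name: str) -> list:
    """Fix: a bound parameter is always treated as data, never as SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def greeting_vulnerable(name: str) -> str:
    """Reflected XSS: user input lands in the page body unencoded."""
    return "<p>Hello, " + name + "</p>"


def greeting_fixed(name: str) -> str:
    """Fix: encode for the HTML context so markup in the input is inert."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    # A constructed input containing a quote shows the difference: the
    # string-built query returns every row, the parameterised one none.
    probe = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, probe))
    print("fixed:     ", lookup_fixed(db, probe))
    print(greeting_vulnerable("<b>x</b>"))
    print(greeting_fixed("<b>x</b>"))
```

The fix in both cases is the same idea: keep data and code apart, either by binding parameters so the database never parses user input as SQL, or by encoding output so the browser never parses it as markup. That is why the report can describe SQL injection as simple to fix even while it remains widespread in legacy code.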
In terms of fixing vulnerabilities, security vendors demonstrated the fastest response time, with flaws fixed in an average of three days. However, Peachey claimed that there are three problem areas in general: legacy applications; new applications; and a lack of awareness in the development community.
He said: “There is a lack of awareness with people who develop. Security development is not security aware. We see ways of finding out, can they develop and how bad or good is it? We are showing a way to detect and learn how to trust to put things in place; people put care from the enterprise and need to be taught on security fundamentals. We want them to be aware and it is easy to solve these things, so it is a combination.”