Billions of lines of code were screened in the last 18 months by cloud-based application intelligence and security verification service provider Veracode. After going through that process, the provider claims that most of the 4,835 applications it screened had security flaws.
Within 30 days of their first release, more than 90 percent of new applications had their security leaks plugged, according to Veracode's semi-yearly State of Software Security report. However, when new security software was first submitted for testing, at least 72 percent of the applications had known flaws, about two-thirds (66 percent) of software industry applications had known flaws, and more than half (58 percent) of applications in all industry categories had known security flaws. The worst of these errors allowed simple user actions—such as typing code into fields intended to solicit user input—to grant access to the underlying databases, allowing downloads of large swaths of sensitive data.
"Our goal with these State of Software Security reports is to continue to raise awareness of the prominence of common vulnerabilities," said Matt Moynahan, Veracode CEO.
Software lifecycle management should include security-conscious development methodologies to certify code and enforce secure coding practices.
Veracode reported that SQL injection continues to plague new applications that access databases, but at last has begun to decline, if only slightly (down 2.4 percent, compared with six months ago). If input fields are not filtered, for instance, users can type code into fields intended for data, causing the underlying database to return unexpected results. There are dozens of complex variations of SQL injection attacks, but an exemplary case might be using SQL syntax to insert a wild-card variable into the user name field when requesting your user profile, causing the database to return all user profiles instead of just your own.
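As an added illustration, not code from the article or from Veracode, the wild-card profile lookup described above written out in Python with sqlite3: the vulnerable concatenated query beside a parameterized version, plus the caveat that binding alone does not neutralize LIKE wildcards. The table and usernames are constructed sample data.

```python
import sqlite3

def make_db():
    # Constructed in-memory sample data; not from the Veracode report.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE profiles (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO profiles VALUES (?, ?)",
                     [("alice", "alice@example.com"),
                      ("bob", "bob@example.com"),
                      ("carol", "carol@example.com")])
    return conn

def profile_unsafe(conn, username):
    # Vulnerable: the request value is spliced into the SQL text, so SQL syntax
    # in the input (here the '%' wildcard) becomes part of the query and the
    # "show my profile" lookup returns every profile instead of one.
    sql = ("SELECT username FROM profiles WHERE username LIKE '"
           + username + "' ORDER BY username")
    return [row[0] for row in conn.execute(sql)]

def profile_safe(conn, username):
    # Hardened: the value is bound as a parameter and compared with '=', so it
    # is never parsed as SQL and '%' is just a username that matches nothing.
    sql = "SELECT username FROM profiles WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]

def profile_safe_like(conn, pattern):
    # Caveat for genuine LIKE searches: binding stops SQL injection, but '%'
    # and '_' are still wildcards inside a bound pattern, so escape them.
    escaped = (pattern.replace("\\", "\\\\")
                      .replace("%", "\\%")
                      .replace("_", "\\_"))
    sql = ("SELECT username FROM profiles WHERE username LIKE ? ESCAPE '\\' "
           "ORDER BY username")
    return [row[0] for row in conn.execute(sql, (escaped,))]

if __name__ == "__main__":
    db = make_db()
    print("unsafe, wildcard input:", profile_unsafe(db, "%"))     # all three users
    print("safe, wildcard input:  ", profile_safe(db, "%"))       # []
    print("safe LIKE, escaped:    ", profile_safe_like(db, "%"))  # []
```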
Another common vulnerability cited by Veracode was XSS (cross-site scripting) errors, which were found to be just as common as they were six months ago. XSS errors allow client-side code in a scripting language to be executed on a user's computer after being loaded from a malicious Web page that was downloaded with the user's browser. The hidden scripts then execute on the user's machine, often giving hackers access not only to personal data, but also to the data on any other system on which the user might currently be logged in.
Training is the cure, according to Veracode, which claims that more than 50 percent of its participants in a security fundamentals eLearning exam received a grade of C or less, with 30 percent getting a D or F. Of those market segments addressing security, financial and IT services fared the best, with more than 75 percent of requests for security verification coming from that segment. The Veracode report also called out aerospace and defense developers for aggressively addressing security issues in new applications.