8 Out of 10 Software Apps Fail Security Test

Desktop and web applications remain a wasteland of bugs and holes that only a hacker could love, according to a report released Wednesday by a company that conducts independent security audits of code.

In fact, eight out of 10 software applications fail to meet a security assessment, according to a State of Software Security report by Veracode. That’s based on an automated analysis of 9,910 applications submitted to Veracode’s online security testing platform in the last 18 months. The applications are submitted by both developers — in the government and commercial sectors — as well as companies and government agencies wanting an assessment of software they plan to purchase.

The company examined commercial and government applications for more than 100 different flaw types, and found that applications created by the government fared worse when it came to cross-site scripting and SQL injection flaws, while commercial applications were more often marred by remote-execution flaws. About 75 percent of government web applications had cross-site scripting issues. Cross-site scripting flaws allow an attacker to inject malicious code into a vulnerable web application to obtain sensitive data from users.

“Government is doing worse for cross-site scripting, which is a bad place to be doing worse for,” said Chris Wysopal, co-founder and chief technology officer at Veracode.

As for SQL injection flaws, 40 percent of government applications contained these flaws. While the prevalence of SQL injection flaws has gone down 6 percent overall in the last two years in the apps market as a whole, it has remained even in government applications, indicating that government apps have made no improvement in this regard. SQL injection flaws allow an attacker to breach a backend database through a web site, usually in order to obtain information from the database.

Veracode says the bad grade for government might be due to the fact that a lot of government applications are built with Cold Fusion, a programming language that has a higher incident of cross-site flaws than C, C++, Java and PHP, the languages more prevalently used in commercial-sector software, Wysopal said. The use of Cold Fusion also suggests that government developers may be less-skilled overall than other developers and don’t have the same pressures to build secure software that commercial developers have.

“Other industries, if you’re in finance or software, you have to deal with your customers [if there is a security flaw],” he said, whereas the government is focused simply on developing applications that meet regulations and fulfill the functions they need to fulfill.

This is the fourth study that Veracode has released, but only the first one that adopted a zero tolerance for cross-site and SQL flaws in their acceptability criteria.

The flaws were previously considered lower level vulnerabilities, but due to the prevalence of breaches that leverage these flaws – two of the top three vulnerabilities the hacking crew LulzSec used during their 50-day hacking spree earlier this year were cross-site and SQL vulnerabilities — the company decided there should be zero tolerance for even these flaws, since attackers just need one flaw to get in.

“Even one flaw is going to probably be found and [a victim] is going to make the news, and it’s going to have an impact on them one way or another,” said Wysopal.

As a result of the new criteria, only 18 percent of applications submitted for security testing passed on a first try, as opposed to 58 percent of applications that passed in a previous Veracode survey.

Commercial software is by no means more secure than government applications, however. Commercial applications just have a prevalence of different kinds of flaws, such as buffer overflow and management issues that could lead to remote-code exploitation by a hacker.

Veracode also found that 3 percent of commercial applications it examined had backdoors — often included by developers for bug testing or diagnostic support — that could be leveraged by an attacker. Data management software and storage software often had backdoors, Wysopal said, but Veracode also found them apps used for transacting financial information and viewing personal health records.

In addition to all of these vulnerabilities, Veracode looked at about 100 Android mobile applications used by enterprise – such as applications built for internal use by financial service companies or health care professionals to access backend systems with critical data – and found that 40 percent of them used hard-coded cryptographic keys. If someone lost their phone, a thief could access the backend system without needing user credentials to authenticate. Or a hacker could simply decompile the Android application to uncover the cryptographic key used by the application.

“A lot of mobile developers aren’t really aware and are under the assumption that no one will really find that key,” Wysopal said, noting that Android apps are particularly susceptible to being easily decompiled to uncover that key.

Homepage photo: Marjan Krebelj/Flickr