The research was carried out on 1600 internally developed, open source, outsourced, and commercial applications.
“These vulnerabilities are similar to those exploited in the recent cyber attacks on Google and the US Department of Defense, and the Heartland breach”, Chris Wysopal, Veracode co-founder and CTO, told Infosecurity’s Eleanor Dallaway. “There are also very similar types of risks in different applications. It’s simply not acceptable”, he confirms.
The Veracode ‘State of Software Security’ report is derived from multiple testing methodologies - including static, dynamic and manual - on the full spectrum of application types (components, shared libraries, web and non-web applications) and programming languages (including Java, C/C++ and .NET).
Roger Oberg, chief marketing officer, Veracode, comments: “Some applications are already doing something about security. There are a self-selected group that cares. However, many developers will say ‘that’s not in my code, so I’m not worried about it’”, he explains. “They don’t want to be accountable for it, but are happy to pass on the risk to their customers”.
When Veracode identifies a vulnerability in an application, the developer is alerted. “For every flaw we find, we recommend how to remediate it. The best way is to have the developer fix it”, says Oberg. “When you tell a developer where the vulnerability is and how to fix it, they normally do it very quickly”.
Part of Veracode’s product offering is their eLearning modules for developers. Whilst not a particularly significant part of their revenue, it does complement their main business model nicely. “To encourage secure coding education we include some eLearning seats in our Enterprise edition”, explains Oberg. “We price individual seats at $500 per year - so affordable that even individual developers can put it on a credit card”.
Open source is equally safe
Despite the general consensus that open source applications must be riskier, the Veracode ‘State of Software Security’ results actually show that this is not the case. “There was a 66% fail on first time submission”, says Wysopal. “In fact, in some respects, open source is doing a better job. Remediation time was quicker, and they took fewer attempts to fix the application before getting it right”.
Also significant, the research showed smaller potential for backdoors in open source than commercial or outsourced software.
A big target, with better defence
While financial and government sectors are the most attacked industries, the research showed that their pass rate surpassed other industries, with more than half of their applications deemed acceptable at first submission. “They must be doing something right”, concludes Wysopal. What? “They are using java.net for one, they invest in developer training and use binary analysis and web scanning”. The financial sector was the first to start pen testing and thinking about application security, remembers Wysopal. “They started doing it before they were made to – actually doing it to be secure, not compliant”.
This is a refreshing attitude, agree Oberg and Wysopal, who admit that most organisations “only get mature after they have been attacked. We’re hoping to show that people should invest in application security before they get attacked”, Oberg explains.
Interestingly, Wysopal explains that many organisations when testing their applications ignore the majority of them, focussing only on the ones most used. “People don’t realise that if some of their code isn’t secure, there could be a nasty domino effect”.
Third parties are the weakest link
The Veracode ‘State of Software Security’ report also revealed that 40 percent of all applications submitted at the request of large enterprises were from third parties. Furthermore, more than 30 percent of all internally developed applications also included identifiable commercial, open source, and outsourced code.
“Even taking this into account”, Oberg explains, “Software-related industries recorded the lowest security scores on first submission to Veracode. In addition, the prevalence of C/C++ in both commercial and open source suppliers exposes system-compromising vulnerabilities to attackers.”
Mobile risks
Wysopal explains that looking at mobile application security is a natural progression for Veracode. “People just aren’t aware of the risks. We’re looking at where we can offer support”.
“BlackBerry feel obligated to enable these applications to make their platform more popular”, says Wysopal. “RIM don’t say what kind of security checks they have done, and Apple’s main concern is how it will impact their business model”.
Default levels of permission are certainly adding fuel to the fire, as “they will give your application access to everything if you choose to ‘trust’ it. In fact, even if you say ‘no’, it will still give some access. There’s an inherent, yet unfounded trust, in where you get your software from”, says Wysopal.
“Most enterprises don’t restrict applications for ease. They let you install anything you want – it’s cheaper to let them manage their own applications”, sighs Wysopal. “Their reluctance is to put anything in the way of growing their applications. Until consumers demand this stuff, application stores don’t think it’s necessary”, he says.
To combat this problem, Veracode are currently building a ‘verified’ list of applications that pass the security benchmark. “Once passed, the application will display our ‘verified’ stamp. As this expands, it will become a white list”, Wysopal explains.
In light of the Veracode ‘State of Software Security’ report, Gartner’s Vice President, Joseph Feiman, has issued the following statement: “Gartner advises its clients to conduct their own inspection of all application code they procure from third parties. However, if they lack their own resources or expertise, we recommend that they outsource third-party code testing to trusted service providers.”