Veracode’s Supplement to the 2015 State of Software Security: Focus on Application Development report benchmarks application risk profiles by type of programming language
Veracode, a leader in protecting enterprises from today’s pervasive web and mobile application threats, released a supplement to the 2015 State of Software Security: Focus on Application Development, a report based on benchmarking analytics from its cloud-based platform. The report shows that four out of five applications written in PHP, Classic ASP and ColdFusion that were assessed by Veracode during the period covered by the report failed at least one of the OWASP Top 10, an industry-standard security benchmark. Given the volume of PHP applications developed for the top three content management systems (CMS) – WordPress, Drupal and Joomla, which represent more than 70 percent[i] of all CMSs in use today – these findings raise concern over potential security vulnerabilities in millions of websites.
Veracode’s analytics show that 86 percent of PHP-based applications contain at least one Cross-Site Scripting (XSS) vulnerability and 56 percent have at least one SQL injection (SQLi) when initially assessed by Veracode. These vulnerability trends are also seen across the wider family of web scripting languages, where applications written in Classic ASP and ColdFusion are nearly twice as likely to contain these flaws compared to more modern languages such as .NET and Java.
Veracode’s cloud-based platform has now assessed more than a trillion lines of code for critical vulnerabilities that can lead to large-scale breaches. The 2015 report captures data collected over the past 18 months from more than 200,000 automated assessments performed for Veracode’s customers across a range of industries and geographies.
As enterprises shift to continuous delivery and other DevOps innovations, the pressure is mounting to produce more secure software faster. Yet, according to SANS, less than 26 percent of organisations have mandated, ongoing secure coding education programmes.
Organised by programing language type for simplified benchmarking, Veracode’s supplement to the 2015 State of Software Security Report helps organizations plan for new application development as well as prioritise assessment and remediation activities. The report addresses key questions such as: are some programing languages inherently more secure than others?; and what should design teams look for before starting their projects?
Findings include:
- Design of the language matters for security. Some languages are designed from the ground up to avoid certain vulnerability classes. For example, by removing the need for developers to directly allocate memory, Java and .NET eliminate almost entirely vulnerabilities dealing with memory allocation (such as buffer overflows). Similarly, the default behaviours of some ASP.NET controls avoid common issues related to Cross-Site Scripting.
- Operating environment of the language matters for security. Some vulnerabilities are only relevant in certain execution environments. For instance, some categories of information leakage are most acute in the mobile environment, which combines large volumes of personal data with a plethora of always-on networking capabilities.
- Mobile development project teams need to focus on encryption. Eighty-seven percent of Android apps and 80 percent of iOS apps contained cryptographic issues. This suggests that while mobile app developers may be aware of the need for cryptography to protect sensitive data and thus use it in their applications, few of them know how to implement it correctly. Given the rapid adoption of mobile applications in the healthcare industry, this is particularly concerning.
“When organisations are starting new development projects and selecting languages and methodologies, the security team has an opportunity to anticipate the types of vulnerabilities that are likely to arise and how best to assess for them,” said Chris Wysopal, Veracode CISO and CTO. “The data in this report can inform decisions around language selection, developer training and which assessment techniques to use in order to make the inevitable remediation process less onerous.”
Remediation Impacted by Bringing Security Closer to the Developer
The data also indicates that developer education through eLearning services has a big impact on reducing application-layer risk. Development organisations that leverage Veracode’s eLearning services improve the security of their code by 30 percent compared to those without a formal educational programme. Created by world-class security and development experts, these on-demand classes help developers understand secure coding practices and how to remediate vulnerabilities more quickly and efficiently.
Further analytics also show a 28 percent higher fix rate for vulnerabilities found by ‘white box’ or static analysis (SAST) compared to those found by ‘black box’ or dynamic analysis (DAST). While no single assessment technology is sufficient to secure an application, understanding the each assessment technology’s strengths and weaknesses is important when it comes to fixing – not just finding – software vulnerabilities.
[su_box title=”About Veracode” style=”noise” box_color=”#336588″]
Veracode is a leader in securing web, mobile and third-party applications for the world’s largest global enterprises. By enabling organizations to rapidly identify and remediate application-layer threats before cyberattackers can exploit them, Veracode helps enterprises speed their innovations to market – without compromising security.Veracode’s powerful cloud-based platform, deep security expertise and systematic, policy-based approach provide enterprises with a simpler and more scalable way to reduce application-layer risk across their global software infrastructures.Veracode serves hundreds of customers across a wide range of industries, including nearly one-third of the Fortune 100, three of the top four U.S. commercial banks and more than 20 of Forbes’ 100 Most Valuable Brands.[/su_box]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.