Eight out of ten apps fail security test

Eight out of 10 applications fail to meet acceptable levels of security, according to the latest State of Software Security Report by application security testing firm Veracode. The report is based on the analysis of 9,910 applications submitted to Veracode’s cloud-based application security testing platform in the past 18 months.

Web applications were among the weakest, with a high prevalence of cross-site scripting (68%) and SQL injection (32%) vulnerabilities. The Web Hacking Incident Database shows that SQL injection exploits are responsible for 20% of reported incidents.

Veracode conducted a comparative analysis of government applications against other industries such as finance, and found that government applications are less resilient to common attacks. Veracode analysed US federal, state and local government applications, which operate critical systems and process sensitive data such as personally identifiable information (PII) and national security data, and found that they lag behind other industries in key areas.

Veracode also found that mobile developers tend to make the same mistakes as enterprise developers, in particular embedding cryptographic keys in the application code. More than 40% of the Android applications analysed had at least one instance of this flaw. Because every installed copy of the application carries the same key, an attacker who recovers it from a single copy (for example by decompiling the APK) can use it against every user of the application at once.
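The following is an added example, not code from the Veracode report or from any application it analysed, showing why a hard-coded key has the blast radius described above. It simulates a mobile app that signs API requests with HMAC-SHA256: the vulnerable version compiles one secret into every copy, so a key pulled out of one install lets an attacker forge requests for any user; the hardened version generates a random key per install at enrolment (standing in for an Android Keystore-backed key), so a compromised device only affects that device. The key literal, user ids, request body and signing scheme are all constructed for illustration.

```python
"""Blast radius of a hard-coded app key versus a per-install key.

Added example; the HMAC request-signing scheme, the key literal and the user ids
are constructed, and the per-install key stands in for an Android Keystore key.
"""
import hashlib
import hmac
import secrets

# --- Vulnerable pattern: one secret compiled into every copy of the app -----
# Constructed sample literal. In a real app this is what `strings` or a
# decompiler recovers from the APK, identically from every user's device.
HARDCODED_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


def _tag(key: bytes, user_id: str, body: bytes) -> str:
    """HMAC-SHA256 over the user id and request body, hex encoded."""
    return hmac.new(key, user_id.encode() + b"\n" + body, hashlib.sha256).hexdigest()


def sign_shared(user_id: str, body: bytes) -> str:
    """Client side of the vulnerable scheme: every install signs with the same key."""
    return _tag(HARDCODED_KEY, user_id, body)


def verify_shared(user_id: str, body: bytes, tag: str) -> bool:
    """Server side of the vulnerable scheme: one key verifies everyone."""
    return hmac.compare_digest(_tag(HARDCODED_KEY, user_id, body), tag)


# --- Hardened pattern: key generated per install, registered once -----------
class Install:
    """One installed copy of the app holding its own random key."""

    def __init__(self, user_id: str):
        self.user_id = user_id
        self.key = secrets.token_bytes(32)  # stands in for a Keystore-backed key

    def sign(self, body: bytes) -> str:
        return _tag(self.key, self.user_id, body)


class Server:
    """Remembers the per-install key learned at enrolment (over TLS in practice)."""

    def __init__(self):
        self._keys = {}  # user_id -> key bytes

    def register(self, install: Install) -> None:
        self._keys[install.user_id] = install.key

    def verify(self, user_id: str, body: bytes, tag: str) -> bool:
        key = self._keys.get(user_id)
        if key is None:
            return False
        return hmac.compare_digest(_tag(key, user_id, body), tag)


def forge(stolen_key: bytes, victim_id: str, body: bytes) -> str:
    """Attacker who recovered `stolen_key` from one install acts as `victim_id`."""
    return _tag(stolen_key, victim_id, body)


BODY = b'{"action":"transfer","amount":500}'  # constructed request body


def blast_radius_shared() -> bool:
    """True if a key taken from Alice's copy lets the attacker forge Bob's requests."""
    stolen = HARDCODED_KEY  # recovered by reversing any single install
    return verify_shared("bob", BODY, forge(stolen, "bob", BODY))


def blast_radius_per_install() -> bool:
    """Same attack against per-install keys: only Alice's own device is exposed."""
    server = Server()
    alice, bob = Install("alice"), Install("bob")
    server.register(alice)
    server.register(bob)
    stolen = alice.key  # attacker compromised Alice's device only
    return server.verify("bob", BODY, forge(stolen, "bob", BODY))


def per_install_roundtrip() -> bool:
    """Sanity check that a legitimate per-install signature still verifies."""
    server = Server()
    bob = Install("bob")
    server.register(bob)
    return server.verify("bob", BODY, bob.sign(BODY))


if __name__ == "__main__":
    print("hard-coded key, forged request for Bob accepted:", blast_radius_shared())
    print("per-install key, forged request for Bob accepted:", blast_radius_per_install())
    print("per-install key, genuine request accepted:", per_install_roundtrip())
```

The per-install scheme does not stop an attacker who has rooted Alice's phone from impersonating Alice; its point is that the damage stops there. Storing the key in hardware-backed keystore storage rather than in app files is what keeps extraction from one device costly as well.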
