Two-thirds of software industry applications fail to meet acceptable security quality upon initial submission, a study of 4,800 applications has revealed.
This improves to 58% unacceptable when applications from all industries are taken into account, according to tests carried out by security firm Veracode using its cloud-based binary analysis tool for identifying software vulnerabilities.
However, a staggering 72% of security industry products and services fail to meet acceptable levels of security, second only to the customer support sector at 82%, according to Veracode's latest state of software security report.
Putting things right
On the flipside, the security industry has one of the fastest rates of remediation, says Matt Peachey, vice-president for EMEA at Veracode. "While 90% of applications across all sub-categories achieved acceptable security quality within 30 days, the average for security products and services was three days," he told Computer Weekly.
"This proves that with access to high-quality information about where security risks exist, remediation can be done quickly," said Peachey.
The code analysis found that more than 80% of web applications exhibited the top 10 application security risks defined by the Open Web Application Security Project (OWASP).
This means most web applications in use by enterprises would fail a payment card industry data security standard (PCI DSS) audit, says Peachey.
Cross-site scripting (XSS) remains one of the biggest online threats, accounting for 60% of vulnerabilities in web applications.
Although some of the worst data breaches in recent months have involved SQL injection attacks, there has been a slight dip, with a decrease of 2.4% per quarter since 2009.
Raising security standards
Overall, there has been little change, says Peachey, which shows companies are struggling to wade through all the legacy code while at the same time dealing with the flood of new applications.
At the heart of the problem, he says, is the fact that over 50% of developers taking an application security fundamentals exam scored a C grade or lower, which is where vulnerabilities creep in.
Peachey says developers need to get better security training and businesses need to start refusing to accept commercial software products that do not conform to the company's minimum security quality standard.
"If businesses insist on better security quality in code, it will not only be good for them, but also their suppliers who will be forced to raise their standard," he says.