Eight out of 10 applications fail to meet acceptable levels of security, according to the latest State of Software Security Report by application security testing firm Veracode.
The report is based on the analysis of 9,910 applications submitted to Veracode’s cloud-based application security testing platform in the past 18 months.
The Web Hacking Incident Database shows that SQL injection exploits are responsible for 20% of reported incidents.
“Given this threat environment, organisations should implement stricter security policies that allow for the discovery and timely remediation of these vulnerability types,” the report said.
Government apps at risk
Veracode conducted a comparative analysis of government applications against other industries such as finance, and found that government applications are less resilient to common attacks.
Veracode analysed US federal, state and local government applications, which operate critical systems and process sensitive data such as personally identifiable information (PII) and national security data, and found that they lag behind other industries in key areas.
For example, government web applications have a much higher incidence of cross-site scripting (XSS) and SQL injection compared with other sectors. Analysis showed that 40% of government web applications had SQL injection issues, compared with 29% for finance.
Given the gravity of cybersecurity risks and the potential impact on national assets, the findings highlight the need for dedicated developer training and education, and the importance of security testing within the government sector, the report said.
Mobile users vulnerable to attack
Veracode found that mobile developers tend to make similar mistakes to enterprise developers, specifically with the use of hard-coded cryptographic keys. More than 40% of the Android applications analysed had at least one instance of this flaw. Because every installed copy of the application ships with the same key, an attacker who recovers it from a single copy can attack all of them, turning a one-off reverse-engineering effort into a broad assault.
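The following is an added illustration of that failure mode, not code from the Veracode report or from any application it analysed. It is written in Python rather than Android Java so that the mechanism can be run anywhere; the app package name, the key value, the simulated APK image and the device identifiers are all constructed for the example. An HMAC stands in for whatever the app would protect with its key (request signing, local data encryption); the point is the same either way.

```python
import hmac
import hashlib
import os
import re

# --- The flawed pattern ------------------------------------------------------
# Constructed sample: in a real Android app this would be a string literal in
# a class or a resource file, identical in every installed copy of the app.
HARDCODED_KEY = b"com.example.app.shared-secret-v1"

# A constructed stand-in for the shipped binary: non-printable filler bytes
# (0x00-0x1f) around the key, so that a strings-style scan recovers it cleanly.
FAKE_APK_IMAGE = bytes(range(0x20)) * 2 + HARDCODED_KEY + bytes(range(0x20)) * 2


def strings_like(blob: bytes, min_len: int = 16) -> list:
    """Crude equivalent of the `strings` tool: runs of printable ASCII.

    This is all the "reverse engineering" a hard-coded key needs.
    """
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group() for m in re.finditer(pattern, blob)]


def sign_request(key: bytes, device_id: str, body: bytes) -> str:
    """HMAC-SHA256 over the device id and request body; the server checks the tag."""
    msg = device_id.encode() + b"\n" + body
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def server_verify(key_for_device: dict, device_id: str, body: bytes, tag: str) -> bool:
    """Server-side check: recompute the tag with the key enrolled for this device."""
    key = key_for_device.get(device_id)
    if key is None:
        return False
    return hmac.compare_digest(sign_request(key, device_id, body), tag)


FORGED_BODY = b'{"action":"transfer","amount":1000}'


def shared_key_scenario() -> bool:
    """Every install uses HARDCODED_KEY.

    The attacker pulls the key out of one copy of the app and forges a valid
    request on behalf of a different device. Returns True if the forgery is
    accepted, which it is.
    """
    fleet = {"device-A": HARDCODED_KEY, "device-B": HARDCODED_KEY}
    extracted = strings_like(FAKE_APK_IMAGE)[0]   # recovered from one copy
    forged = sign_request(extracted, "device-B", FORGED_BODY)
    return server_verify(fleet, "device-B", FORGED_BODY, forged)


def per_install_key_scenario() -> bool:
    """Each install generates its own random key at first launch and enrols it
    with the server (on Android it would live in the Keystore; that deployment
    detail is an assumption and is not modelled here).

    Full compromise of device A's key still does not let the attacker forge
    traffic for device B. Returns False because the forgery is rejected.
    """
    fleet = {"device-A": os.urandom(32), "device-B": os.urandom(32)}
    extracted = fleet["device-A"]                  # attacker owns device A outright
    forged = sign_request(extracted, "device-B", FORGED_BODY)
    return server_verify(fleet, "device-B", FORGED_BODY, forged)


if __name__ == "__main__":
    print("hard-coded key, forged request accepted:", shared_key_scenario())
    print("per-install key, forged request accepted:", per_install_key_scenario())
```

The design point is the blast radius, not the strength of the algorithm: HMAC-SHA256 is fine in both scenarios, but a key that is the same in every copy of a published binary is effectively public, so anything it protects is protected for nobody. A per-install key confines a compromise to the device that was compromised.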
Veracode feels strongly that there must be a greater sense of urgency, said Chris Wysopal, founder, CISO and CTO of Veracode.
"Our hope with this report is that by raising the visibility of software-related business risk, we will encourage the industry to adopt a long-term commitment to protecting our software infrastructure,” he said.
Veracode claimed that more than 80% of applications that failed to achieve acceptable security standards were able to achieve a passing grade within a week.
However, the company emphasised that the study also showed that better trained developers produce more secure software out of the gate.