Many businesses are migrating away from Java due to the level of vulnerabilities in the Java Runtime Environment...
(JRE), according to Veracode’s latest State of Software Security report.
The company’s static code analysis tool has examined more than 22,000 applications submitted by its clients, with applications varying in size from a few megabytes to 1-2GB of code.
The study of code sent to the company’s cloud-based analysis tool between January 2011 and June 2012 found that 82% of the Java applications it tested had code quality issues.
This compares with 78% of .Net applications and 28% of C/C++ applications analysed.
“Lot of enterprises are transitioning out of Java. There are lots of zero-day vulnerabilities, almost all of which allow malicious code execution,” said Chris Eng, vice-president of research at Veracode.
In March, Oracle released security updates to addresses serious vulnerabilities in the JRE, which could enable a hacker to access a computer without needing any authentication. This followed an earlier zero-day security attack on Java in February.
Eng said that compared to Oracle, Microsoft’s emphasis on code quality has meant it is discovering a lot more vulnerabilities before products ship, and there is a well-defined process to roll out fixes.
More on Java
- How to secure Java amid growing Java security vulnerabilities
- Consider disabling Java as malware targets JRE vulnerabilities
- Oracle and Apple release Java security updates
- 2013 Java trends: The cloud floats into Java application development
- Java mobile application trends for 2013
- Five quick Java programming tips for junior software developers
“Oracle claims to have a security development lifecycle, but it does not appear to be as mature Microsoft's,” he said.
Oracle is being forced to address these security issues because browsers are now blacklisting Java, he added..
Looking at SQL injection, which affects server-side code, Veracode found that Java, representing 56% of web applications, showed a 16% improvement in SQL injection, while .Net, representing 28% of web applications, showed a 25% improvement in SQL injection.
Sub-standard software security
The research noted that the leading cause of security breaches and data loss for organisations is insecure software. It found that 70% of software failed to comply with enterprise security policies on their first submission for security testing.
This indicates that though there have been improvements in organisations fixing flaws within their existing applications, the demand for rapid development means new vulnerabilities are constantly being introduced into their software portfolio.
The survey of application code also covered mobile apps. Surprisingly, 26% of Android apps exhibited information leakage bugs, compared with 42% on iOS. This covers the leakage of personal information such as email, text messages, GPS coordinates, and the content of users’ address books.
“When you install Android, it requests access to certain phone functionality. The app developer has to request explicit access, while on iOS a developer does not have to request access,” said Eng.
Overall, cryptographic issues affected a sizeable portion of Android (64%) and iOS (58%) applications.
The report warned that using cryptographic mechanisms incorrectly can make it easier for attackers to compromise the application. Cryptographic keys are used to protect transmitted or stored data.
It found that in some applications, developers had hard-coded a cryptographic key directly into a mobile application. Should these hard-coded keys be compromised, any security mechanisms that depend on the privacy of the keys are rendered ineffective.
Oracle is being forced to address these security issues because browsers are now blacklisting Java
Agile software development
Looking at programming methodologies, Veracode noted that while it is not inherently insecure, security is not part of the agile methodology.
Commenting on his own experience of secure agile software development, Eng said: “We use the [agile] scrum methodology ourselves. We want to do code reviews on our process – for every story [project iteration] we assess the security impact.”
Any potential security issues raised are fed back to the developers, in the same way that within the agile process developers get feedback from users on usability issues, he added.