Secure coding techniques absent from eight in 10 Web applications

Veracode’s latest State of Software Security Report showed secure coding techniques are absent from most Web applications. Android apps fared badly, too.

Most developers of Web applications are still writing code that is vulnerable to some of the most commonly used hacking techniques.

According to the latest analysis of application security by Burlington, Mass.-based testing company Veracode Inc., more than eight out of 10 applications contained vulnerabilities that opened them to attackers using SQL injection, cross-site scripting and remote code injection. 

The Veracode State of Software Security Report: Volume 4, released December 7, 2011, analysed the results of nearly 10,000 application tests the company carried out for its customers during the last 18 months. The report stated developers still make basic mistakes and need more training in secure coding techniques so security is built into applications from the start.

Software security findings
Of the total number of applications analysed by Veracode, 72% were developed internally while the rest were from a variety of external sources, including open source, commercial packages, and applications developed by outside developers. As in previous Veracode reports, internally developed code fared better than the rest, achieving a 17% pass rate on first submission against 12% for commercial and open source programs and 7% for outsourced code.

“You can’t allow those flaws in your applications because they put your company at risk,” said Matt Peachey, VP EMEA for Veracode. “Twenty percent of all major breaches were the result of SQL injection, and the hacks carried out by groups like Anonymous and LulzSec all went after those common flaws.”

Review of Android app security
For the first time, Veracode's report contained an analysis of a small batch of Android apps. “They make up just 1% of the total applications in the report, but we think it’s big enough to let us draw some conclusions,” Peachey said.

The most significant discovery was that 42% of the Android apps contained hard-coded cryptographic keys. “Ironically, a hard-coded key is much simpler to extract from a mobile application than from a J2EE Web application since the application can simply be copied off the mobile device!” Veracode stated in the report. “This category will be worth watching to see if the prevalence gap persists as the Android population grows.”

A third of the Android apps were also transmitting information marked as “potentially sensitive,” but the Veracode researchers admitted it was impossible to know if it posed a threat without knowing the context and purpose of the app itself.

While the report underlines that mobile ecosystems are maturing and beginning to resemble other mature platforms, such as the desktop OS or the Web, mobile applications can still fall prey to vulnerabilities that affect the traditional security areas of confidentiality, integrity and availability.

“We have a problem because the Android handset vendors are not releasing updates at the same pace as Google is developing the operating system,” Peachey said. “Also, many of the developers tend to be small shops, and they don’t have the resources to develop security skills.”

Alerting developers to security shortcomings
Earlier this year, Veracode published its Top 10 Mobile Application Risks on its blog to alert developers and software acquirers to the biggest risks.

The analysis also featured some non-Web applications that were measured against the CWE/SANS Top 25 most dangerous software errors. The rate of errors was three times lower than with Web applications, with 42% of applications achieving compliance on first submission for analysis.

The Veracode State of Software Security Volume 4 report concludes that if developers can be made aware of the OWASP Top 10 vulnerabilities for Web applications, and the CWE/SANS Top 25 for non-Web applications, they will avoid the most common pitfalls of insecure coding.

“An educated developer produces fewer security flaws, thus lowering the overall application security risk of the enterprise at a lower cost than remediating vulnerabilities later in the software development lifecycle,” Veracode stated in the report.
