Finance and retail applications are the most susceptible to hacking attacks because they accept data entered by customers, according to research.
Research from software testing company CAST revealed that 69% of finance applications and 70% of retail applications have data input validation violations.
Missing or weak validation lets an attacker place crafted data in the same input fields where customers enter their details. Where that data reaches a fixed-size buffer without a length check, the result is a buffer overflow that can be used to run malicious code.
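As an added illustration of the flaw described above, and not code from CAST's report or from any application it analysed, the following C fragment shows an unchecked copy of a customer-entered value beside a validated version. The 12-digit account number format, the status codes and the function names are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define ACCOUNT_LEN 12   /* assumed field width: a 12-digit account number */

/* Unchecked form: the customer's input is copied into a fixed-size stack
 * buffer with no length check. Any input longer than ACCOUNT_LEN overruns
 * 'account' and corrupts whatever sits next to it on the stack, which is the
 * behaviour an attacker builds a code-execution exploit on. It is shown here
 * to make the flaw concrete; calling it with over-length input is undefined
 * behaviour, so the demo below never does. */
int store_account_unchecked(const char *input)
{
    char account[ACCOUNT_LEN + 1];
    strcpy(account, input);            /* no bounds check at all */
    return (int)strlen(account);
}

enum account_status {
    ACCOUNT_OK = 0,
    ACCOUNT_EMPTY,
    ACCOUNT_TOO_LONG,
    ACCOUNT_BAD_CHAR
};

/* Validated form: length is measured against the field width before any
 * copy, the content is checked against an allow-list (digits only), and the
 * copy itself is bounded by the caller's buffer size. 'out' must hold at
 * least ACCOUNT_LEN + 1 bytes. */
enum account_status store_account_checked(const char *input,
                                          char *out, size_t out_size)
{
    size_t n = 0;

    /* Scan at most ACCOUNT_LEN + 1 bytes so an enormous input cannot drive
     * the length measurement itself past the field width. */
    while (n <= ACCOUNT_LEN && input[n] != '\0')
        n++;

    if (n == 0)
        return ACCOUNT_EMPTY;
    if (n > ACCOUNT_LEN || n + 1 > out_size)
        return ACCOUNT_TOO_LONG;

    for (size_t i = 0; i < n; i++) {
        if (!isdigit((unsigned char)input[i]))
            return ACCOUNT_BAD_CHAR;
    }

    memcpy(out, input, n);
    out[n] = '\0';
    return ACCOUNT_OK;
}

int main(void)
{
    /* Constructed sample inputs: a well-formed account number and the kind of
     * oversized payload an attacker pastes into a web form field. */
    const char *good = "123456789012";
    const char *oversized = "123456789012AAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    char out[ACCOUNT_LEN + 1];

    printf("good      -> status %d\n", store_account_checked(good, out, sizeof out));
    printf("oversized -> status %d\n", store_account_checked(oversized, out, sizeof out));
    printf("letters   -> status %d\n", store_account_checked("12ab", out, sizeof out));
    return 0;
}
```

The design point is that both checks, length and allowed characters, run before a single byte is copied, so the oversized payload is rejected with ACCOUNT_TOO_LONG and never reaches the buffer; the unchecked version would have overrun it by 28 bytes.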
In its Crash report, CAST analysed 705 million lines of code used by 1,316 enterprise applications.
The report attributes input validation violations to poor code quality, which in turn leaves the applications open to security vulnerabilities.
Lev Lesokhin, vice-president of CAST, said as long as organisations overlook the impact that software quality can have on security, there will be more attacks and breaches of confidential information.
“Businesses handling customer financial information have a responsibility to improve software quality and reduce the operational risk of their applications – not only to protect their businesses, but ultimately their customers,” he said.
The report also found that government applications make up the highest proportion of applications with no input validation violations at all, at 61%, while financial services applications carry 224 input validation violations per application.
Bill Curtis, chief scientist at CAST and author of the Crash report, which is due for release next month, said some security experts argue that software security is different from software quality and should be treated separately.
“The Crash report data proves this is false,” he said. “Badly constructed software will not only cause systems to crash, corrupt data and make recovery difficult, it will also leave numerous security holes.”