Infosecurity.Com - Fifty-eight percent of applications reviewed by Veracode failed client-defined acceptable security standards, according to the third installment of its “State of Software Security Report”.
Findings of the report, which were released today, showed a minimal increase in the percentage of applications that failed to meet clients’ acceptable security standards over the last report (58% vs. 57%). In addition, data collected by the cloud-based application risk management firm showed that 80% of the 4835 applications it reviewed against the OWASP list of the top 10 web application errors failed to comply with the industry standard.
This is significant, Veracode noted, because the OWASP Top 10 is one of the measuring sticks the PCI Council uses to assess compliance with its standards.
The report, issued every six months, went on to note that the finance and software sectors were foremost in requesting “independent security verification” before deciding to purchase commercial applications (55%), with the aerospace and defense industries following. The analysis found that only a quarter of third-party commercial software applications met acceptable security standards as defined by the purchaser, up from 19% in the previous report.
Shortcomings in secure coding practices can be linked directly to a lack of training, the Veracode report asserted. It found that more than 50% of developers received a grade of C or lower on an application security fundamentals exam it administered, and more than 30% received a grade of D or lower.