Thursday, December 8, 2011

8 Out of 10 Software Apps Fail Security Test
Desktop and web applications remain a wasteland of bugs and holes that only a hacker could love, according to a report released Wednesday by a company that conducts independent security audits of code.

In fact, eight out of 10 software applications fail to meet a security assessment, according to a State of Software Security report by Veracode. That’s based on an automated analysis of 9,910 applications submitted to Veracode’s online security testing platform in the last 18 months. The applications are submitted by both developers — in the government and commercial sectors — as well as companies and government agencies wanting an assessment of software they plan to purchase.
The company examined commercial and government applications for more than 100 different flaw types, and found that applications created by the government fared worse when it came to cross-site scripting and SQL injection flaws, while commercial applications were more often marred by remote-execution flaws. About 75 percent of government web applications had cross-site scripting issues. Cross-site scripting flaws allow an attacker to inject malicious script into pages served by a vulnerable web application, where it runs in users' browsers and can be used to obtain sensitive data from them.

“Government is doing worse for cross-site scripting, which is a bad place to be doing worse for,” said Chris Wysopal, co-founder and chief technology officer at Veracode.

As for SQL injection flaws, 40 percent of government applications contained these flaws. While the prevalence of SQL injection flaws has gone down 6 percent overall in the last two years in the apps market as a whole, it has remained flat in government applications, indicating that government apps have made no improvement in this regard. SQL injection flaws allow an attacker to breach a backend database through a web site, usually in order to obtain information from the database.

Veracode says the bad grade for government might be due to the fact that a lot of government applications are built with Cold Fusion, a programming language that has a higher incidence of cross-site scripting flaws than C, C++, Java and PHP, the languages more prevalently used in commercial-sector software, Wysopal said. The use of Cold Fusion also suggests that government developers may be less skilled overall than other developers and don't have the same pressures to build secure software that commercial developers have.