Security provider Veracode analyzed nearly five-thousand applications submitted to its cloud-based testing service over the period of eighteen months and found that more than half of the software had some sort of significant security flaw.
According to Veracode’s "State of Software Security" report released April 19, fifty-eight percent of deployed web applications fail a security audit on the first examination.
“Software remains fundamentally flawed," the report states.
The study also reveals that the software industry in particular is producing more insecure applications than any other sector measured, with two thirds of the products demonstrating unacceptable levels of security.
Most alarming is the revelation that security vendors who's products are designed to protect enterprises and their clients from exploitation were too often employing poor coding techniques, leaving their products vulnerable to compromise.
The study found that seventy-two percent of security applications tested, and eighty-two percent of applications designed to interface with customers failed to demonstrate adequate levels of security.
The problem boils down to the lack of secure coding methodologies used in the development of application software, an issue that has long been a major complaint from the information security sector.
While the applications tested by Veracode may have showed a high rate of failure on first examination, the study also indicates that the problems are typically remediated quickly.
More than ninety percent of the applications that failed on the first round of testing subsequently passed within thirty days, and flaws in security-related software were shown to be corrected in an average of three days.
Adding weight to the problem of insecure coding and software development issues are statistics presented by the "Verizon Data Breach Investigation Report" that was also released on April 19.
The Verizon study indicates that the targeting of web applications accounted for nearly one quarter of all cyber attacks and lead to thirty-eight percent of lost data annually.
The report also showed that more than eighty percent of web applications tested failed to protect against the top ten most common vulnerabilities as listed by the Open Web Application Security Project (OWASP), including cross-site scripting (XSS) and SQL injections.
Cross-site scripting vulnerabilities account for more than half of the web application security flaws detected, leaving users susceptible to loss of sensitive data, account login credentials, and malicious redirects.
The answer may be as simple as improved training for software developers.
The Veracode study found that half of the software developers tested received a grade of "C" or worse on an application security fundamentals exam, and thirty percent received a grade of "D" or failed altogether.
While developers may not be up to par on secure coding procedures, it is ultimately the companies who need to ensure that coders are trained and also allowed the time necessary to produce securely coded software products.