The (sorry) state of software security
Analysis of software security defects shows that while more than half of all applications may initially contain an unacceptable level of security flaws, it doesn't necessarily take long to code them into shape
By George V. Hulme
April 19, 2011 — CSO —
Secure software services provider Veracode this week released its security analysis of 4,835 applications that were submitted to the firm for evaluation during an 18-month period.
The results could be considered startling to anyone who would hope that the software applications they run are reasonably secure. According to Veracode's State of Software Security Report, 58 percent of all applications first submitted to the security vendor had a level of what Veracode deems "unacceptable security quality."
The findings don't get much better from there. The report found that 66 percent of applications developed by the software industry had unacceptable security quality, and a surprising 72 percent of security software met the same poor ranking. "Many executives think that when they spend $500,000 for an application from a major ISV that they're getting a product that is inherently secure," says Gunnar Peterson, software security architect and CTO at IT consultancy Arctec Group. "It's just absolutely not true, and I think this is news to a lot of executives," he says.
Evaluating the quality of software development is a complex undertaking, and some analysts felt that raw vulnerability counts alone don't shed much light on how well companies are doing in their efforts. "It would be interesting to see this data correlated with the size and complexity of the applications being evaluated," says Pete Lindstrom, research director at Spire Security.
The report also found that the finance and software industries request the most formal verification, or vetting, of the software quality of third-party suppliers. Combined, these two verticals accounted for about 75 percent of all firms requesting evaluation of their suppliers' software quality. "We're also seeing an increase in demand from the aerospace and defense industry," says Sam King, vice president of product marketing at Veracode. "They are starting to bring a similar level of diligence to software quality as they do with their physical supply chain," King says.
Additional data in the report showed that when it comes to maintaining compliance with the Payment Card Industry Data Security Standard (PCI DSS), companies have much work to do. That standard requires that custom applications involved in processing, storing, or transmitting credit card data be tested for the top ten software defects as determined by the Open Web Application Security Project (OWASP), known as the OWASP Top 10. "We found that 8 out of 10 applications failed when it came to the OWASP Top 10, and wouldn't subsequently be able to pass an audit," says Chris Eng, senior director of security research at Veracode.
In what could be considered encouraging news for organizations that want to develop more secure applications, Veracode's data supports the notion that remediating defects doesn't have to be time consuming. Of the organizations that resubmitted their applications after taking steps to fix their defects, 80 percent reached what Veracode considers an acceptable level of security quality within 1 month.