Report: Over 80% mobile apps have crypto flaws, 4 of 5 web apps fail OWASP security

Veracode found high rates of mobile apps with crypto issues and a high percentage of web apps written in risky web scripting languages.

security hole in fence clouds gap opening
Anton Novikov/Thinkstock

Veracode released a new report, State of Software Security: Focus on Application Development, which is a supplement to the original 2015 State of Software Security (SOSS) report that was released in June. The company's fall 2015 SOSS edition looks at security flaws of apps written in mobile app development languages, compiled languages, and traditional web app development languages.

Mobile app developers may be trying to implement crypto in their apps, but a whopping 87% of Android apps and 80% of iOS apps analyzed by Veracode were found to have cryptographic issues.

"Given the rapid adoption of mobile applications in the healthcare industry, this is particularly concerning," Veracode explained.

Other security bummers in the vendor's new report include the finding that "four out of five applications written in PHP, Classic ASP and ColdFusion" failed at least one of the OWASP Top 10, implying that millions of websites contain potential security vulnerabilities.

Percentage of programming languages passing OWASP

The data in the report covers "208,670 application assessments" from Veracode's cloud-based platform and "trillions of lines of code," which were analyzed for critical flaws that can result in large-scale breaches. The vendor's findings show how different programming languages and platforms are associated to critical software security issues. The analysis covered an 18-month period from October 1, 2013 through March 31, 2015, and looks at apps developed by large and small companies, open source projects, commercial software suppliers and software outsourcers.

Veracode called PHP one of the riskiest programming languages, as 81% of apps written in PHP fail to meet the Open Web Application Security Project (OWASP) Top 10 standards; 86% of apps written in PHP have at least one cross-site scripting (XSS) vulnerability, and 56% have at least one SQL injection (SQLi) vulnerability. Veracode pointed out, "Given the volume of PHP applications developed for the top three content management systems (CMS) -- WordPress, Drupal and Joomla, which represent more than 70% of all CMSs in use today -- these findings raise concern over potential security vulnerabilities in millions of websites."

Critical flaws found in programming languages

Additionally, on initial assessment, Veracode found that 64% of apps written in Microsoft's ASP and 62% of apps written in ColdFusion also have at least one SQLi hole. However, Java and .NET are "among the safest languages;" for example, only 29% percent of .NET apps and 21% of Java apps have at least one SQLi vulnerability. Veracode said, "By design, Java and .NET almost entirely eliminate the risk of buffer overflow and perform the best in terms of avoiding cross-site scripting and SQL injection."

An organization's security team should be consulted when a company is starting a new development project, as the team can consult Veracode's new report to help steer developers toward using more secure programming languages and implementing better crypto, therefore creating less risky apps.

Another key takeaway from the report is that "operating environment of the language matters for security. Some vulnerabilities are only relevant in certain execution environments." Veracode added, "For instance, some categories of information leakage are most acute in the mobile environment, which combines large volumes of personal data with a plethora of always-on networking capabilities."

Companies that use eLearning have a 30% improvement in fax rate compared to organizations that do not leverage eLearning.

The choice of security assessment can also affect vulnerability fix rates. "Black box" dynamic application security testing (DAST) and "white box" static application security testing (SAST) both specialize in finding different vulnerability categories. Flaws found by DAST may include deployment configuration and server configuration, while vulnerabilities uniquely found by SAST tend to be more difficult to identify via black box assessments. Veracode added that vulnerability categories found by DAST "may understate the real situation," and those found via SAST may report findings "that are not practically exploitable without compromising other trusted resources such as file systems or databases."

Dynamic vs static security test assessements

Veracode then found rate of fix for vulnerabilities that had been identified: 50% of dynamic vulnerabilities, 52% of flaws found via manual penetration testing, and 64% of static vulnerabilities were fixed. The vendor explained:

There are several possible reasons why static analysis observed a higher fix rate. The most likely is that static provides higher fidelity data about the root cause of a vulnerability, including source file and line number. But there are other possibilities, including the likelihood that a static assessment is being run on an application that is actively under development and that engineering therefore already sees fixing issues as a priority, where dynamic assessments may be run on a production system where the development team may not be actively engaged.

While security programs should not rely exclusively on static analysis, Veracode explained that "static assessment is worthwhile when possible, even when other methods have been employed, and the hypothesis that static results may be more actionable seems to be borne out."

Copyright © 2015 IDG Communications, Inc.

How to choose a SIEM solution: 11 key features and considerations