
Over half of applications fail security test

by Phil Muncaster

19 Apr 2011


New research from application security firm Veracode has highlighted that the ‘ticking timebomb’ of software vulnerabilities is getting worse, with over half of the applications tested failing to meet acceptable security standards.

The vendor's third State of Software Security report reviewed nearly 5,000 applications with an emphasis on web apps and those developed internally rather than commercial products.

Around a third of those analysed were collaboration and content management applications, while operations, security, financial and customer-related software was also studied.

These applications were then scored according to the severity of the vulnerabilities found and the business criticality of the application itself. Some 58 per cent failed to pass muster, around the same proportion as in the last report, while eight out of ten failed a check against the OWASP Top Ten list of vulnerabilities.

In terms of the types of vulnerability creeping into software, the prevalence of cross-site scripting remained the same, while SQL injection vulnerabilities decreased only marginally in frequency.

European vice president Matt Peachey argued that firms need to look more closely at the entire software ecosystem and be more prescriptive about security requirements within the software supply chain.

He added that the rate of innovation with new types of applications is "outpacing the process of fixing and educating people".

"The bright new things coming from university know how to code but they don't understand about security vulnerabilities so things tend to creep through," he argued. "Over 50 per cent of people taking an app security exam got a C grade or lower."

The report also found, however, that some industries, such as finance and software, are getting the message and holding their software suppliers to account, for example by requiring independent verification of third-party software.

In addition, Veracode's report found that over 80 per cent of applications resubmitted after their developers were notified of security issues achieved acceptable quality within a month.

"There was good and bad on both sides with this report," said Peachey. "Developer education is not where it needs to be and things haven't changed a lot since the last report but we tried to demonstrate that you can get to an acceptable level of quality quickly in a timely and resource effective way."

Do you agree?
