Sep 23, 2010 11:01 GMT

According to application risk management vendor Veracode, 57 percent of the applications tested by the company's cloud-based SecurityReview platform during the past year and a half failed to meet an acceptable security level.

The findings are outlined in the company's recently published "State of Software Security Report: Volume 2," which is based on the results of testing 2,922 applications.

"57% of all applications were found to have unacceptable application security quality on first submission, even when standards were adjusted for applications considered less business critical," the company notes.

Among other things, the assessment involved looking for the common vulnerability types described in the Open Web Application Security Project (OWASP) Top 10 and in the CWE/SANS Top 25 Most Dangerous Software Errors.

Veracode found that cross-site scripting (XSS) weaknesses, which are at the top of both lists, accounted for 51% of all vulnerabilities identified in the tested applications.

Software written in .NET was the most susceptible to such bugs, even though they are relatively easy to avoid. "These statistics underscore the need for developers to become better educated and better equipped to avoid common vulnerabilities," Veracode concludes.
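As an added illustration of why the XSS class the report singles out is considered avoidable, here is the classic reflected-XSS pattern next to its fix. This is example code written for this article, not anything from Veracode or its report; the search-page scenario, the function names and the sample query string are assumptions.

```javascript
// Added example for this article, not code from Veracode or its report.
// Scenario (assumed): a search page echoes the user's query back into the
// HTML response. Reflecting the raw string is the classic XSS pattern;
// encoding it for the HTML context it lands in is the fix.

// Constructed sample query, chosen to contain HTML metacharacters.
const SAMPLE_QUERY = '<script>alert(1)</script>';

// Vulnerable pattern: untrusted input concatenated straight into markup.
function renderVulnerable(query) {
  return '<p>Results for: ' + query + '</p>';
}

// Minimal HTML entity encoder covering the five characters that can change
// meaning inside an HTML text node or a quoted attribute value.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened pattern: same template, but the input is encoded at the point
// where it is written into the HTML body.
function renderHardened(query) {
  return '<p>Results for: ' + encodeHtml(query) + '</p>';
}

// The same rule applied to a quoted attribute, e.g. pre-filling the search
// box. The attribute must be quoted; encodeHtml neutralises the quote
// characters that would otherwise terminate it early.
function renderSearchBoxHardened(query) {
  return '<input type="text" name="q" value="' + encodeHtml(query) + '">';
}

// Heuristic check for a unit test: did the raw input, metacharacters and
// all, survive verbatim into the rendered HTML? Not a substitute for review.
function inputLeaksMarkup(query, html) {
  return /[<>"']/.test(query) && html.includes(query);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable :', renderVulnerable(SAMPLE_QUERY));
  console.log('hardened   :', renderHardened(SAMPLE_QUERY));
  console.log('attribute  :', renderSearchBoxHardened(SAMPLE_QUERY));
  console.log('leaks (vulnerable)?', inputLeaksMarkup(SAMPLE_QUERY, renderVulnerable(SAMPLE_QUERY)));
  console.log('leaks (hardened)?  ', inputLeaksMarkup(SAMPLE_QUERY, renderHardened(SAMPLE_QUERY)));
}
```

The point the encoder makes is that the fix is mechanical: choose the encoding for the context the data lands in (text node, quoted attribute, and so on) and apply it at the output boundary, which is why the report can call this class "relatively easy to avoid". Frameworks such as ASP.NET and modern template engines ship such encoders; the defect in the "vulnerable" function is bypassing them with string concatenation.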

The company also found that third-party software is less secure than software developed in-house: as many as 81% of third-party software suppliers scored badly in the security assessments.

This can be a serious problem, because third-party components are commonly integrated into in-house projects; third-party programs accounted for 29% of the software submitted to Veracode by companies.

As many as 60% of the requested assessments were for Web and cloud-based applications, suggesting concern over these technologies. The bad news is that eight in ten Web apps contained at least one vulnerability listed in the OWASP Top 10.

On the positive side, developers appear to be becoming more responsive to vulnerability reports: Veracode reports that development teams took 16 days on average to address the identified problems.