How app secure are we?

An important but much overlooked area is the security of applications that are hosted either externally or internally. According to the report ‘Study of Software Related Cybersecurity Risks in Public Companies’ published by Veracode, more than 8 out of 10 web applications from public companies fail to comply with the OWASP Top 10 vulnerabilities when first tested. The actual results are 84% (unacceptable) and 16% (acceptable). Non-web applications suffer a similar fate, with a low score of 37% when tested against the CWE/SANS Top 25 standard.

Application Security: Are we secure?

Cross-site scripting (XSS) is the most prevalent vulnerability category, affecting 67% of the web applications. The other vulnerabilities include Information Leakage (64%), CRLF Injection (59%), Cryptographic Issues (52%), Directory Traversal (48%) and SQL Injection (32%).

This suggests that a number of factors require consideration; some that come to mind include…

  1. Increasing web application portfolio
    With organisations putting out a large number of applications for an enhanced customer experience, is the CISO in a race against time to secure them?
  2. There is a need to set aside time for testing the code…
    Applications need to be developed in time for a market launch, or for a national day or festival.
    Do strict timelines prevent a comprehensive test from being carried out?
  3. Software engineers may not have knowledge of secure coding
    Have all our application programmers been trained and formally tested in secure application development? Do they understand the risks?
  4. Communication between pen-testers and application programmers
    With the large increase in terminology, application programmers may not grasp the full significance of an issue; or are pen-testers unable to convey the full impact of a vulnerability in terms the programmer understands?

Software that is not secure gravely undermines our ability to defend ourselves, allowing us to be attacked at will by script-kiddies, and as connectivity grows we lose control of our digital infrastructure. All executives need to consider what risks their organisation is exposed to as a result of insecure applications. I am not venturing into mobile apps; this opens up another Pandora’s box and will be discussed separately.

Further reading
Top 25 Most Dangerous Software Errors: http://cwe.mitre.org/top25/
Top 10 application security risks: https://www.owasp.org/index.php/Top_10_2010-Main
State of Software Security Report: http://info.veracode.com/state-of-software-security-volume-4-supplement.html

4 thoughts on “How app secure are we?”

  1. Very interesting and I’m glad someone’s talking about it. What worries me as well are Mobile Apps that capture tonnes of personal information – location, usage patterns, called numbers, pictures… the list goes on. Unfortunately the lure of ‘cool apps’ makes us cast away apprehensions on security.

  2. I have personally seen points #2 & 3. Security should also be taken up in colleges so everyone realises that just writing code isn’t enough. One important point for consideration is that just taking care of security while developing code isn’t enough. At every stage, like configuration/deployment, we also need to think about the same. I recollect an instance where directory browsing was accidentally never turned off and it caused a breach.

  3. Very well captured. App security is something that more than often takes a back seat. What is needed is integrating security considerations at every stage of development life cycle right from inception & designing to testing. Quantifying the risk /potential losses at each of these stage can help bring the necessary gravity of the situation

  4. By using free apps from phone markets we are putting our personal information in insecure places. I am not sure how to control such things in an open market, or what precautions people should use while using free apps from the Android market or any other market for that matter.
    At enterprise level security should get same preference and should be integrated into SDLC.
