An important but much overlooked area is the security of applications, whether they are hosted externally or internally. According to the report ‘Study of Software Related Cybersecurity Risks in Public Companies’ published by Veracode, more than 8 out of 10 web applications from public companies fail when first tested against the OWASP Top 10 vulnerabilities. The actual results are 84% (unacceptable) and 16% (acceptable). Non-web applications suffer a similar fate, with a low pass rate of 37% when tested against the CWE/SANS Top 25 standard.
Cross-site scripting (XSS) is the most prevalent vulnerability category, affecting 67% of the web applications. The other vulnerabilities include Information Leakage (64%), CRLF Injection (59%), Cryptographic Issues (52%), Directory Traversal (48%) and SQL Injection (32%).
This suggests that a number of factors require consideration; some that come immediately to mind include:
- Increasing web applications portfolio
With organisations deploying a large number of applications for an enhanced customer experience, is the CISO in a race against time to secure them?
- There is a need to set aside time for testing the code
Applications need to be developed in time for a market launch, or for a national day or festival.
Do strict timelines prevent a comprehensive test from being carried out?
- Software Engineers may not have knowledge of secure coding
Have all our application programmers been formally trained and tested in secure application development? Do they understand the risks?
- Communication between Pen-Testers and application Programmers
With the large and growing body of security terminology, application programmers may not grasp the full significance of an issue; conversely, are pen-testers able to convey the full impact of a vulnerability in terms the programmer understands?
Software that is not secure gravely undermines our ability to defend ourselves, leaving us open to attack at will by script-kiddies, and as connectivity grows we lose control of our digital infrastructure. All executives need to consider what risks their organisation is exposed to as a result of insecure applications. I am not venturing into mobile apps here, as this opens up another Pandora’s box and will be discussed separately.
Top 25 Most Dangerous Software Errors: http://cwe.mitre.org/top25/
Top 10 application security risks: https://www.owasp.org/index.php/Top_10_2010-Main
State of Software Security Report: http://info.veracode.com/state-of-software-security-volume-4-supplement.html