You work hard to develop useful and secure applications for your organization or customers, but sometimes it seems like you’re running in quicksand. A recent study by Cenzic Inc., a maker of software that assesses Web app security confirms it: almost every app tested for its annual application security trends report contained at least one security vulnerability. Here’s a rundowns of the findings of the company, recently bought by Trustwave. All images from Shutterstock
The bad news
96 per cent of applications tested in 2013 had vulnerabilities, slightly down from the year before. But an average of 14 vulnerabilities per application were found, up from 13 in 2012. Perhaps here’s why: Application developers often say they struggle with development timelines, the report notes. At the same time more of their compensation is tied to feature completion rather than security certification.
The big six
Cross-site scripting topped the list of six leading vulnerabilities found (25 per cent). Others were information leakage (23 per cent), authentication and authorization problems (15 per cent), session management (13 per cent) , SQL injection (7 per cent) and cross-site request forgery (6 per cent).
Looked at over time, in the last three years cross-site scripting and information leakage problems dominate the number of vulnerabilities. Others are declining or unchanged. Authentication & authorization declined slightly for the third year in a row; the report isn’t sure why.
The vulnerability of choice
Apps can have multiple vulnerabilities. Looked at this way, session management vulnerabilities were found in just under 80 per cent of applications tested in 2013. XSS vulnerabilities were found in 60 per cent of apps, followed by authentication and authorization-related problems (56 per cent) Web server vulnerabilities (47 per cent), and information leakage (36 per cent).
Mobile app profile
Mobile apps have a different profile: 30 per cent of vulnerabilities were related to infrastructure (server configuration and patch problems), followed by privacy violations (22 per cent), input validation (20 per cent), session management (15 per cent) and issuing excessive privileges.
What to do?
A shortage of developers with application security skills is still a major problem, several North American reports, including this one have noted. They also note that application developers tend to focus on adding features rather than finding all application vulnerabilities. Perhaps management needs to find a way to change their priorities.