You work hard to develop useful and secure applications for your organization or customers, but sometimes it seems like you’re running in quicksand. A recent study by Cenzic Inc., a maker of software that assesses Web app security confirms it: almost every app tested for its annual application security trends report contained at least one security vulnerability. Here’s a rundowns of the findings of the company, recently bought by Trustwave. All images from Shutterstock

The bad news

96 per cent of applications tested in 2013 had vulnerabilities, slightly down from the year before. But an average of 14 vulnerabilities per application were found, up from 13 in 2012. Perhaps here’s why: Application developers often say they struggle with development timelines, the report notes. At the same time more of their com­pensation is tied to feature completion rather than security cer­tification.


The big six

Cross-site scripting topped the list of six leading vulnerabilities found (25 per cent). Others were information leakage (23 per cent), authentication and authorization problems (15 per cent), session management (13 per cent) , SQL injection (7 per cent) and cross-site request forgery (6 per cent).

INSIDE software code 1

Going up

Looked at over time, in the last three years cross-site scripting and information leakage problems dominate the number of vulnerabilities. Others are declining or unchanged. Authentication & authorization declined slightly for the third year in a row; the report isn’t sure why.


The vulnerability of choice

Apps can have multiple vulnerabilities. Looked at this way, session management vulnerabilities were found in just under 80 per cent of applications tested in 2013. XSS vulnerabilities were found in 60 per cent of apps, followed by authentication and authorization-related problems (56 per cent) Web server vulnerabilities (47 per cent), and information leakage (36 per cent).

INSIDE malware graphic 2 SHUTTESTOCK

Mobile app profile

Mobile apps have a different profile: 30 per cent of vulnerabilities were related to infrastructure (server configuration and patch problems),  followed by privacy violations (22 per cent), input validation (20 per cent), session management (15 per cent) and issuing excessive privileges.
INSIDE mobile encryption SHUTTERSTOCK

What to do?

A shortage of developers with application security skills is still a major problem, several North American reports, including this one have noted. They also note that application developers tend to focus on adding features rather than finding all application vul­nerabilities. Perhaps management needs to find a way to change their priorities.





  1. You never mention the fact that adapting a security focused development cycle can fix most of these issues BEFORE they happen. The Microsoft Security Lifecycle is a mature, tech independent process which helps developers develope secure code.


Please enter your comment!
Please enter your name here