App security full of holes: Report

You work hard to develop useful and secure applications for your organization or customers, but sometimes it seems like you’re running in quicksand. A recent study by Cenzic Inc., a maker of software that assesses Web app security, confirms it: almost every app tested for its annual application security trends report contained at least one security vulnerability. Here’s a rundown of the findings of the company, recently bought by Trustwave.

The bad news

96 per cent of applications tested in 2013 had vulnerabilities, slightly down from the year before. But an average of 14 vulnerabilities per application were found, up from 13 in 2012. Perhaps here’s why: Application developers often say they struggle with development timelines, the report notes. At the same time, more of their compensation is tied to feature completion rather than security certification.


The big six

Cross-site scripting topped the list of six leading vulnerabilities found (25 per cent). Others were information leakage (23 per cent), authentication and authorization problems (15 per cent), session management (13 per cent), SQL injection (7 per cent) and cross-site request forgery (6 per cent).


Going up

Looked at over the last three years, cross-site scripting and information leakage problems dominate the number of vulnerabilities. Others are declining or unchanged. Authentication and authorization declined slightly for the third year in a row; the report isn’t sure why.


The vulnerability of choice

Apps can have multiple vulnerabilities. Looked at this way, session management vulnerabilities were found in just under 80 per cent of applications tested in 2013. XSS vulnerabilities were found in 60 per cent of apps, followed by authentication and authorization-related problems (56 per cent), Web server vulnerabilities (47 per cent), and information leakage (36 per cent).


Mobile app profile

Mobile apps have a different profile: 30 per cent of vulnerabilities were related to infrastructure (server configuration and patch problems), followed by privacy violations (22 per cent), input validation (20 per cent), session management (15 per cent) and issuing excessive privileges.

What to do?

A shortage of developers with application security skills is still a major problem, several North American reports, including this one, have noted. They also note that application developers tend to focus on adding features rather than finding all application vulnerabilities. Perhaps management needs to find a way to change their priorities.




Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]
