Two major studies find that vulnerabilities are prevalent and persistent
By Bala Venkat
For years now, security experts have been singing the same song: that security must be “baked” into the development process, and that the most common vulnerabilities are usually not the new and scary ones, but those that have been around for a long time.
The song remains the same. But it appears that many developers still aren’t listening.
In the last few weeks, major research reports have revealed strikingly similar conclusions: that security vulnerabilities in applications are the norm, and that they are usually the same flaws that have been found and exploited for years.
Here at Cenzic, our newly-published Cenzic Application Vulnerability Trends Report 2013 shows that security flaws are prevalent not only in most applications, but in nearly all of them. Of the applications we tested last year, 99 percent contained one or more serious bugs. The median number of bugs per app was 13 in 2012 — down from 16 in 2011, but still remarkably high.
What’s even more remarkable is that these vulnerabilities are not the product of some great leap in technology: they are the same bugs we have been finding for years. Cross-site scripting (XSS) vulnerabilities, which have been around for years and are frequently exploited, appear in 61% of applications, followed by Authentication and Authorization (45%), Web Server Configuration (28%), CSRF (22%), Information Leakage (17%), SQL Injection (16%), Web Server Version (10%), Unauthorized Directory Access (8%) and Remote Code Execution (3%).
While most vulnerabilities have declined slightly in the last year, the pace of improvement is glacial. Vulnerabilities still exist in almost all legacy applications and new applications. And emerging cloud and mobile applications increase the complexity of the problem. Moreover, the threats from these vulnerabilities continue to evolve as bad actors experiment with new and different attack strategies. While a great deal of time and money has been spent on secure software development over the last few years, the situation simply is not getting better.
This week, application security firm Veracode published its State of Software Security Report Volume 5, and although the numbers were different, it confirms our own findings. Veracode found that 70 percent of enterprise applications failed to comply with the organization’s security policies on their first submission to scanning – very similar to the frequency of failure it has recorded in past years.
Also similar to our Trends Report, Veracode found that most of the vulnerabilities it identified were ones that have been known for years. For example, nearly a third (32 percent) of Web applications presented SQL injection flaws from the first quarter of 2011 to the second quarter of 2012, according to the study.
Both of these reports point to a sad truth about application development: despite increasing threats posed by attackers and an increasing frequency of reported breaches, secure software development processes still have not improved radically over the past several years. Today’s enterprises face many of the same vulnerabilities, with approximately the same frequency, as they did two or three years ago.
If there’s a takeaway from these results, it’s that application development processes are in need of a radical change. Our existing methods of identifying flaws in the pre-development phase are only partially effective, and it’s time to rethink these processes from the ground up.
There are many ways to do this rethinking, but one of the most fundamental is the need to shift the application scanning process from a strictly pre-deployment approach to a continuous, consistent process that also scans applications post-deployment and in production.
The fact is that vulnerabilities don’t just happen during original code development. New flaws can be introduced during the patching process, in upgrades, and in customization of code. An application that has been running for a year is as likely – perhaps even more likely – to contain vulnerabilities as an application that is being rolled out for the first time. And many of those flaws will not be new or particularly interesting – they will be the same flaws that have been occurring for years, including XSS, SQL injection, buffer overflows and the like.
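To make the "continuous, consistent" testing argument concrete, here is an added example (not code from Cenzic, Veracode or either report) of the kind of regression check that can run against an application after every patch or upgrade. It pairs the two perennial flaw classes named above, SQL injection and XSS, with their hardened forms and a check that flags the vulnerable version while passing the fixed one. The function names, the in-memory `users` table and the sample inputs are all constructed for illustration.

```python
import html
import sqlite3


def make_db():
    # Constructed in-memory stand-in for an application's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_user_vulnerable(conn, name):
    # The classic defect: untrusted input is spliced into the SQL text,
    # so a quote in the input changes the meaning of the query.
    return conn.execute(
        f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def lookup_user_fixed(conn, name):
    # Parameterised query: the driver binds the value, and it is never
    # parsed as SQL regardless of what characters it contains.
    return conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,)).fetchall()


def render_greeting_vulnerable(name):
    # Reflects user input into HTML without encoding (reflected XSS).
    return f"<p>Hello, {name}</p>"


def render_greeting_fixed(name):
    # Context-appropriate output encoding for an HTML text node.
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def check_sqli(lookup):
    # A lookup for a user that does not exist must return no rows, even
    # when the supplied name contains a quote character. Returns True
    # when the lookup behaves safely.
    conn = make_db()
    rows = lookup(conn, "nobody' OR '1'='1")
    return len(rows) == 0


def check_xss(render):
    # Markup in user input must not survive into the rendered page as a
    # live tag. Returns True when the renderer encodes it.
    out = render("<script>alert(1)</script>")
    return "<script>" not in out


def run_regression_checks():
    # One place to collect results so a CI job can fail on any False.
    return {
        "sqli_vulnerable": check_sqli(lookup_user_vulnerable),
        "sqli_fixed": check_sqli(lookup_user_fixed),
        "xss_vulnerable": check_xss(render_greeting_vulnerable),
        "xss_fixed": check_xss(render_greeting_fixed),
    }


if __name__ == "__main__":
    for name, ok in run_regression_checks().items():
        print(f"{name}: {'PASS' if ok else 'FAIL'}")
```

The point of keeping such checks in the pipeline rather than in a one-off pre-release audit is the one made above: a later patch that quietly replaces the parameterised query with string formatting, or drops the output encoding, fails the build the day it lands instead of surfacing in next year's scan.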
It’s time for application developers – and the security auditors who support and scan for vulnerabilities – to really rethink the application testing process. Only through real change will we change the repetitive pattern of vulnerabilities that we continue to see in the industry.