One of the trends we have seen within organizations that have more mature application security processes is an understanding of the top vulnerability categories that are being actively exploited and are well known even outside of application security specialists. The first category where we saw this happen was SQL Injection and now we are seeing this trend with Cross-site Scripting (XSS). Lower prevalence of SQL Injection and XSS is a good indicator that an organization has supplied application security training to their developers and/or application security processes are integrated into the software development lifecycle.
Another trend we are seeing is organizations are starting to perform static analysis on web applications in addition to dynamic analysis. Dynamic analysis was the first automated application security testing technology available and within the web application category it has achieved significant adoption. Now organizations that have traditionally performed only dynamic analysis on web apps are starting to add static analysis and are seeing the benefits of a complementary testing technique.
2010 was the year that smartphones that enabled easy mobile app installation reached critical mass. Over 70 million BlackBerry, iPhone, and Android devices were sold in 2009, and likely far more in 2010. Attackers are starting to take notice that there are vulnerabilities in the software running on these devices, such as the PDF vulnerability on iOS 4.0 that allowed jailbreaking right over the web. There are also ample opportunities to sneak malicious functionality into mobile apps. We saw an iPhone flashlight app that had Apple-forbidden tethering functionality, an Android game that sent the phone's GPS location to an attacker, and the BBC showed that even one of their technology reporters could write his own Trojan spyware game.
The mobile platforms of 2010 feel like the Windows platform did in 1999. Vulnerable software and malicious spyware started a steep rise around that time on the Windows platform. Major changes in the way software is developed, tested, and distributed will be needed to prevent the 2010s from being the decade of mobile insecurity.
Within the past few months, backdoors have been in the headlines yet again, with the discovery of a worm targeting a SCADA product written by Siemens. The backdoor exploited by the worm was a hard-coded default password that had been known publicly for over two years but was never patched. At a time when critical infrastructure systems are being widely acknowledged as a weak link in our national defense, SCADA software and similar products lacking robust security design should be scrutinized more carefully than ever for common coding errors as well as malicious backdoors.
We have also seen developments in how software companies interact with the vulnerability research community. Google and Mozilla increased bounty payments to over $3,000 per serious bug for researchers who report vulnerabilities without releasing details to the public. It's likely that over time, others will introduce similar programs as one facet of a proactive product security strategy. Another noteworthy development was a subtle change to the TippingPoint Zero Day Initiative (ZDI), a program that compensates researchers for security vulnerabilities and then engages with the software vendors on the reporter's behalf. In response to a growing backlog of high-risk vulnerabilities being ignored by vendors, sometimes for years, ZDI updated its disclosure policy to give vendors six months to produce a fix before technical details are released. This puts mild pressure on the vendor to take action and ultimately helps enterprises and consumers better understand and quantify the risks introduced by vulnerable third-party software.
Another platform trend that is impacting application security is the move to cloud-based applications. We are seeing an uptick in the percentage of applications we review, especially for third parties, that are deployed in the cloud. With nearly 60% of all third-party assessment requests targeting applications identified as cloud or as having a cloud option (cloud+deployed), it appears that many customers are more concerned about the security of software they are using that is deployed on a cloud platform than about software purchased and deployed on premise.
Overall, it has been a good year for application security awareness. More organizations that had previously relied only on dynamic analysis are getting up to speed on static analysis, and awareness and remediation of common vulnerability categories such as SQL injection and XSS is on the rise in mature organizations. On the other hand, while software on mature platforms, such as on-premise Windows and Unix, gets more security testing, software on new platforms such as mobile and cloud is barely getting started.
Addendum
Methodology
About Veracode’s Risk Adjusted Verification Methodology
The Veracode SecurityReview uses static and dynamic analysis (for web applications) to inspect executables and identify security vulnerabilities in applications. Using both static and dynamic analysis helps reduce false negatives and detect a broader range of security vulnerabilities. The static binary analysis engine creates a model of the data and control flow of the binary executable; the model is then verified for security vulnerabilities using a set of automated security scans. Dynamic analysis uses an automated web scanning technique to detect security vulnerabilities in a web application at runtime. Once the automated process is complete, a security analyst verifies the output to ensure the lowest false positive rates in the industry. The end result is an accurate list of security vulnerabilities for the classes of automated scans applied to the application.
About Software Assurance Levels
The foundation of the Veracode rating system is the concept that higher assurance applications require higher security quality scores to be acceptable risks. Lower assurance applications can tolerate lower security quality. The assurance level is dictated by the typical deployed environment and the value of data used by the application. Factors that determine assurance level include reputation damage, financial loss, operational risk, sensitive information disclosure, personal safety, and legal violations.
About the Data Set
The data represents 2,922 applications submitted for analysis by large and small companies, commercial software providers, open source projects, and software outsourcers. An application was counted only once even if it was submitted multiple times as vulnerabilities were remediated and new versions uploaded. The report contains findings about applications that were subjected to static, dynamic, or manual analysis through the Veracode SecurityReview® Platform. The report considers data that was provided by Veracode's customers (application portfolio information such as assurance level, industry, application origin) and information that was calculated or derived in the course of Veracode's analysis (application size, application compiler and platform, types of vulnerabilities, Veracode rating). In any study of this size there is a risk that sampling issues will arise because of the nature of the way the data was collected. For instance, it should be kept in mind that all the applications in this study came from organizations that were motivated enough about application security to engage Veracode for an independent assessment of software risk. Care has been taken to only present comparisons where a statistically significant sample size was present.
About the Findings
Unless otherwise stated, all comparisons are made on the basis of the count of unique application builds submitted and rated.