Veracode reveals security flaws
These results come from Veracode, which recently released the 11th edition of its annual State of Software Security report.
Veracode has been tracking the prevalence of flaws in applications for ten years. The 2020 edition is based on scans of more than 130,000 applications. At least one flaw was found in 76% of them, and 66% contained flaws in categories on the OWASP Top 10, the Open Web Application Security Project's list of the ten most critical web application security risks.
By another measure of severity, the SANS Top 25, a list of the most dangerous software errors drawn from the Common Weakness Enumeration (CWE), 59% of applications had at least one such flaw.
Only 24% of the applications had "high severity" flaws, which Veracode defines as level 4 (high), for example SQL injection (CWE-89) and unrestricted upload of a file with a dangerous type (CWE-434), or level 5 (very high), for example operating system command injection (CWE-78), eval injection (CWE-95), stack-based buffer overflow (CWE-121) and incorrect calculation of multi-byte string length (CWE-135).
The most common flaw categories were information leakage (found in 66% of applications), which Veracode rates level 2 (low); CRLF injection (65%) and cryptographic issues (64%), both level 3 (medium); and code quality issues (60%), which range mainly from level 0 to level 3.
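CRLF injection is the most common injection flaw in that list, and it is rarely demonstrated. As an added illustration (not code from the Veracode report, and not from any real web framework; the response builder, header parser and attacker input are all constructed for this example), the Python below shows a redirect handler that pastes user input into a Location header, what a client sees when that input carries a CR/LF pair, and the hardened variant that refuses control characters in header values:

```python
"""CRLF injection (HTTP response splitting): vulnerable vs hardened.

Added illustration, not code from the Veracode report or from any web
framework. The response builder and header parser below are deliberately
minimal hand-written helpers; the attacker input is constructed.
"""
import re
from typing import Dict, Tuple

# Constructed attacker input: a redirect target carrying a CR/LF pair
# followed by a forged header and a forged response body.
MALICIOUS_TARGET = (
    "/home\r\n"
    "Set-Cookie: session=attacker\r\n"
    "\r\n"
    "<script>alert(1)</script>"
)
BENIGN_TARGET = "/home?tab=1"

# CR, LF and NUL are the characters that terminate or corrupt a header line.
_CONTROL_CHARS = re.compile(r"[\r\n\x00]")


class HeaderInjectionError(ValueError):
    """Raised when a header value would break out of its header line."""


def build_redirect_vulnerable(target: str) -> bytes:
    """Pastes the caller-supplied target straight into the Location header.
    Any CR/LF inside `target` ends the header early, so the attacker can
    append headers and even an entire body of their own."""
    response = (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {target}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )
    return response.encode("latin-1")


def safe_header_value(value: str) -> str:
    """Rejects control characters instead of stripping them, so an attack
    attempt fails loudly and shows up in logs rather than being silently
    mangled into something that might still parse."""
    if _CONTROL_CHARS.search(value):
        raise HeaderInjectionError("control character in header value")
    return value


def build_redirect_hardened(target: str) -> bytes:
    """Same response, but every interpolated header value is validated."""
    location = safe_header_value(target)
    response = (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )
    return response.encode("latin-1")


def parse_response(raw: bytes) -> Tuple[Dict[str, str], bytes]:
    """Splits a raw response the way a simple HTTP client does: the header
    block runs up to the first blank line, everything after it is the body.
    This is what a victim's browser would actually act on."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def hardened_rejects(target: str) -> bool:
    """True if the hardened builder refuses the given target."""
    try:
        build_redirect_hardened(target)
    except HeaderInjectionError:
        return True
    return False


if __name__ == "__main__":
    headers, body = parse_response(build_redirect_vulnerable(MALICIOUS_TARGET))
    print("vulnerable: injected cookie =", headers.get("set-cookie"))
    print("vulnerable: injected body   =", body[:25])
    print("hardened rejects attack:", hardened_rejects(MALICIOUS_TARGET))
```

Rejecting rather than stripping is the better default: a stripped value can still come out as a valid but attacker-shaped header, whereas the exception gives the application a clean failure and the detection team a signal. Python's own http.client applies a comparable check and raises ValueError when a header value contains a bare CR or LF.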
This year, a vulnerability type analysis by language was performed to produce the following heat map:
If you want to learn more, not only about the flaws but also how to fix them, the heat map is also available as an interactive resource titled Beat The Heat, where you can click on any of the flaw types for details. Below are the results for cross-site scripting, a flaw that appears in almost every language.
This seems like a really useful resource for understanding security flaws and for improving secure coding practices.