Veracode Reveals Security Flaws
Written by Alex Armstrong
Tuesday, 12 January 2021
These findings come from Veracode, which recently published the 11th Edition of its annual State of Software Security report.
Veracode has been tracking the prevalence of flaws in applications for ten years. The 2020 result was based on scans of over 130,000 applications. At least one flaw was found in 76% of them, and 66% had critical flaws as defined by the OWASP Top 10, the Open Web Application Security Project's list of the 10 most common application vulnerabilities.
Another measure of flaw severity used is the SANS Top 25, a list of the most dangerous software errors drawn from the Common Weakness Enumeration (CWE); 59% of applications had flaws that appear on it.
Only 24% of applications had "High Severity" flaws, which Veracode defines as Level 4 (High), such as SQL Injection and Unrestricted Upload of File with Dangerous Type, or Level 5 (Very High), such as OS Command Injection, Eval Injection, Stack-based Buffer Overflow or Incorrect Calculation of Multi-Byte String Length.
The most common flaws found were Information Leakage (66%), classified at Level 2 (Low), followed by CRLF Injection (65%) and Cryptographic Issues (64%), both at Level 3 (Medium), and then Code Quality (60%), mostly ranging from Level 0 to Level 3.
This year the report also analysed vulnerability type by language to produce the following heat map:
If you want to know more, not only about the vulnerabilities but also how to remediate them, the heat map is available as an interactive resource titled Beat The Heat, where you can click on any vulnerability to find out more about it. Here are the results for cross-site scripting, a flaw that is almost universal across languages.
This seems a really useful resource for understanding security defects and for improving safe coding practices.
Last Updated (Wednesday, 22 February 2023)