A majority of applications have at least one security vulnerability. The latest results from Cenzic’s 2014 Application Vulnerability Trends Report reveals almost all current applications are vulnerable to a cyber attack. The report found 96% of applications Cenzic tested in 2013 have serious security flaws, with an average of 14 vulnerabilities per app.
One of the biggest problems, according to Cenzic CEO John Weinschenk, is that outsourced companies are doing a great deal of application development. He explained that outsourced development organizations are focused on writing an application as fast as possible, and while those applications’ form, fit and function work fine, security vulnerabilities are missed because the applications are doing what they are expected to do.
“The talent pool that’s writing them primarily just doesn’t understand security. They are not taught to write secure code, they are just taught to write code,” said Weinschenk.
He also noted that the threat model is constantly moving, and even though an organization tested and fixed vulnerabilities a month ago, the application is still prone to vulnerabilities.
“The problem is that threat model changes every single week, and so there are additional vulnerabilities we didn’t know a week before they existed,” said Weinschenk.
In other cases, vulnerabilities arise because organizations have too many applications and are not testing them or not testing them frequently, he said.
The report found the most common application vulnerabilities included cross-site scripting, information leaks, session management attacks, authentication and authorization attacks, cross-site request forgeries, SQL injections, Web server version attacks, remote code execution, Web server configuration, and unauthorized directory access.
“Application developers tend to focus on adding features rather than rooting out all application vulnerabilities,” according to the report. “This combined with the daunting task of preventing, detecting and eliminating application vulnerabilities explains part of the continued widespread discovery.”
In order to prevent security vulnerabilities, Cenzic recommended organizations implement safe coding practices, use Web application firewalls, and ensure proper server configuration.
The report also found that privacy violations appear in 90% of mobile applications, and excessive privileges show up in 80%.
The full Cenzic Application Security Trends Report 2014 is available here.