Cenzic, a developer of application security assessment tools, has published a report (PDF) that claims 96% of all apps tested showed at least one security issue, ranging from poor programming practices to excessive access.
Cenzic published an Application Vulnerability Trends Report last year as well, and a year-over-year comparison shows little improvement. In 2012, Cenzic found that 99% of the apps it tested had at least one vulnerability, so the drop to 96% is a real, if small, improvement. The median number of flaws per app, however, rose from 13 in 2012 to 14 this past year.
The consequences of this vulnerable environment are dire. In 2013, cybercrime cost the U.S. economy more than $100 billion, and $300 billion worldwide, according to the Center for Strategic and International Studies (CSIS). Nearly 400 million credit card numbers, social security numbers, and other personal information were stolen.
Last year saw a massive number of breaches, including Target (70 million potential victims), Adobe (38 million users), Living Social (50 million users), Evernote (50 million users), and the Federal Reserve (personal data on 4,000 bank executives).
The problem is worst on mobile devices: Cenzic found that more than 80% of the mobile apps it tested had "excessive privileges" or violated some kind of privacy rule. Overall, Cenzic found Cross Site Scripting (XSS) to be the most frequent vulnerability (25%), followed by information leakage (23%), authentication and authorization (15%), session management (13%), SQL injection (7%), cross-site request forgery (6%), and other (11%).
The growing number of web services and applications accounts for many of these problems, especially XSS and information leakage. Information leakage showed the biggest percentage increase, nearly doubling from 2012 to 2013; the company attributes this largely to accidental exposure of sensitive information in data transmission or in error messages.
Cenzic pairs the different error types with three remedies: coding standards, a web application firewall, and server configuration. All three point to the same root cause: people are rushing. They push apps to deployment without correctly configuring the app, the firewall, or the server. The fix is to slow down and adopt better coding and deployment practices before sending apps out into the wild.
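The error-message leakage described above is the kind of flaw that a rushed deployment ships by default: a catch-all handler or a framework debug page that echoes the exception and stack trace to the client. The following is an added example, not code from Cenzic or from the article, showing the leaky request handler beside a hardened one. The handler and helper names (`handle_leaky`, `handle_hardened`, `leaks_internals`), the in-memory SQLite database, and the list of leak markers are all constructed for this illustration; `make_db(with_users_table=False)` simulates a deployment where a migration was skipped, so the first query fails with a database error that names the missing table.

```python
import json
import logging
import sqlite3
import traceback
import uuid

logger = logging.getLogger("app")

# Strings that should never appear in a response body: stack-trace markers,
# driver names, schema details and source paths. Illustrative list, not exhaustive.
LEAK_MARKERS = ("Traceback", 'File "', "no such table", "sqlite3", ".py", "SELECT ")


def make_db(with_users_table=True):
    """Build a constructed in-memory database for the demo.

    with_users_table=False simulates a deployment where a migration was skipped,
    so the first query fails with an OperationalError that names the table.
    """
    conn = sqlite3.connect(":memory:")
    if with_users_table:
        conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
        conn.execute("INSERT INTO users VALUES (1, 'alice')")
    return conn


def lookup_user(conn, user_id):
    """Parameterised query (no string concatenation); raises KeyError for an unknown id."""
    row = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    if row is None:
        raise KeyError(f"user {user_id} not found")
    return row[0]


def handle_leaky(conn, user_id):
    """'Before': the error path echoes the exception text and the full traceback
    to the client, the way a framework debug page or a catch-all handler does.
    Returns (status, body). Even a plain 'not found' becomes a 500 with a trace."""
    try:
        return 200, {"name": lookup_user(conn, user_id)}
    except Exception as exc:
        return 500, {"error": str(exc), "trace": traceback.format_exc()}


def handle_hardened(conn, user_id):
    """'After': expected failures map to a fixed message; anything unexpected is
    logged server-side under a correlation id, and only that id goes to the client."""
    try:
        return 200, {"name": lookup_user(conn, user_id)}
    except KeyError:
        return 404, {"error": "not found"}
    except Exception:
        ref = uuid.uuid4().hex
        logger.exception("request failed ref=%s", ref)  # details stay in the server log
        return 500, {"error": "internal error", "ref": ref}


def leaks_internals(body):
    """Crude response check: does the serialised body carry any leak marker?
    Useful as a unit test or as a rule in a response-scanning proxy."""
    text = json.dumps(body)
    return any(marker in text for marker in LEAK_MARKERS)


if __name__ == "__main__":
    broken = make_db(with_users_table=False)
    for handler in (handle_leaky, handle_hardened):
        status, body = handler(broken, 1)
        print(handler.__name__, status, "leaks" if leaks_internals(body) else "clean")
```

Against the broken database, `handle_leaky` returns a 500 whose body names the missing `users` table and includes a traceback with source paths, while `handle_hardened` returns only "internal error" plus an opaque reference that an operator can grep for in the log. The same split applies to framework settings: a debug flag that renders exceptions to the browser belongs to the development configuration only, and a check like `leaks_internals` in the test suite catches the case where it was left on.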
"Many of these vulnerabilities are relatively easy for application security teams to detect, block, and fix during every phase of the application development life cycle. Technologies and processes for reducing application vulnerabilities include secure coding standards, vulnerability scanning, web application firewalls and intrusion detection, among others. The best results come from a multi-layered and coordinated approach that includes technology, processes, employees and a security-oriented corporate culture," the company wrote.
So slow down and do it right.