Veracode's 2015 State of Software Security (SOSS) report analyzed industries against the OWASP top 10 list of most severe vulnerabilities in web apps. The policy compliance rule therefore means an app must be free of OWASP top 10 vulnerabilities. The worst offender was the government.
Veracode's 2015 SOSS report is organized into seven vertical markets across 34 industries: government; financial services such as banking, finance and insurance; retail and hospitality; technology which includes tech, telecommunications, electronics, software, security products and services and consulting; manufacturing which includes manufacturing and aerospace; healthcare; and other which is made up of other, biotechnology, education, entertainment, transportation, not for profit, apparel, communications, engineering, media, media and entertainment, food and beverage, utilities, energy, machinery, construction, chemicals, not specified, shipping and business services.
Some key takeaways from Veracode's report included:
- Reliance on outdated programming languages has hamstrung government security. The government ranks last among vertical markets, with three out of four government applications failing the OWASP Top 10 when initially assessed for risk. Part of the reason for this is that many government agencies still use older programming languages such as ColdFusion which are known to produce more vulnerabilities.
- The financial services and manufacturing industries' attention to software security pays off. In contrast to the government sector, organizations in financial services and manufacturing more proactively remediate the majority of their vulnerabilities (65% and 81%, respectively). These results appear to indicate a higher institutional awareness of application security risk and a stronger emphasis on enforcing enterprise-wide policies, monitoring key performance indicators (KPIs) and instituting continuous improvement processes.
- Healthcare organizations fare poorly. Given the large amount of sensitive data collected by healthcare organizations, it's concerning that 80% of healthcare applications exhibit cryptographic issues such as weak algorithms upon initial assessment. In addition, healthcare fares near the bottom of the pack when it comes to addressing remediation, with only 43% of known vulnerabilities being remediated.
- Significant risk is introduced by the software supply chain. Nearly three out of four applications produced by third-party software vendors and SaaS suppliers fail the OWASP Top 10 when initially assessed.
Veracode's report is based on data collected over the past 18 months from 208,670 application scans performed by the company's cloud-based platform. "Unlike a survey, the data comes from actual code-level analysis of billions of lines of code uploaded to the platform by our customers, across a range of industries and geographies."
While some businesses believe commercial apps created by third-party software vendors are more secure, Veracode found that 72.4% did not pass OWASP, compared to 63.4% of internally developed apps that did not pass.
When it comes to fixing flaws in vulnerable apps, manufacturing does the best at 81% and government comes in dead last among the seven vertical markets analyzed as it fixes only 27% of application vulnerabilities after security flaws have been detected.
Veracode reported that government applications also "have the highest prevalence of SQL Injection vulnerabilities – commonly used to steal sensitive data from databases – upon initial assessment. In contrast, financial services and manufacturing ranked best across most categories, with healthcare, retail and hospitality near the bottom."
Veracode's SOSS report added:
Consistent with their low pass rate for the OWASP Top 10, organizations in the government industry vertical have the highest prevalence of both SQL Injection and Cross-Site Scripting on first assessment, while organizations in retail and hospitality have the lowest. Among other flaw categories, organizations in healthcare have the highest incidence of cryptographic issues — which is concerning given data confidentiality requirements for personal information imposed by HIPAA.
When it comes to programming languages, security is not necessarily a driving factor for why companies use specific languages. Instead, industries may use a specific language based upon the skill of their developers or the languages used by their suppliers. The industry sectors of tech, healthcare and other have embraced mobile apps, with iOS favored more by healthcare. Just like bad guys repackage malware for cybercrime purposes, so too do non-malicious programmers in order to speed up production. However, such code reuse means that any security flaws in the code go into new apps.
Some of the security problems outlined in the report can be attributed to lack of in-house expertise, but Veracode added that the data shows "development organizations that leverage external remediation coaching services improve the security of their code by a factor of two and half times compared to those that choose to do it on their own."
I highly recommend for you to download Veracode's State of Software Security V6 report.