Veracode has released a report on the state of application security covering the period from April 1, 2016 to March 31, 2017. The new statistics are based on the analysis of roughly 250 billion lines of code gathered from about 400,000 scans at 1,400 client companies.
According to the new statistics, 77% of applications used in corporate environments contain at least one vulnerability that can be detected on the first scan. For Java applications the figure is even higher, at 88%. At the same time, fewer than 28% of companies regularly check for the presence of vulnerable components.
Testing showed that vulnerabilities in Java applications are mostly tied to open-source and commercial components. For example, the dangerous flaw patched in Apache Struts 2 in March was still present in 68% of the applications in active use. In addition, more than half of the Java applications included a vulnerable version of the Apache Commons Collections library.
While preparing the report, Veracode also found that in 12% of applications the first scan identifies a vulnerability of very high or high criticality.
The nature of the vulnerabilities most common in enterprise applications remains the same. They are mostly memory leaks (65%), errors in the implementation of cryptographic functions (62%), and poor code quality (56%). The analysts concluded that this points to an inability of organizations to resolve well-known security issues. The situation is particularly poor in government organizations, where actively attacked vulnerability classes such as XSS (49% of the total) and SQLi (32%) still prevail.
At the same time, Veracode's analysts noted a slight increase in the number of organizations that run at least 12 software scans per year: over the year this indicator rose by 0.6%, to 11.1%. However, more than a third of the company's customers still conduct only one scan per year. The number of applications scanned daily increased by 3-4% on average, but most applications are still scanned only once a quarter.
The authors of the report, however, do not place the blame for vulnerable applications solely on programmers and developers. Corporate negligence about cybersecurity also plays a part: for example, the Veracode study showed that 25% of sites run on web servers with vulnerabilities rated at a CVSS score of 6 or higher. At the same time, 19% of web servers have been in service for more than ten years.