Security firm Veracode based in Burlington, Massachusetts has release it annual State of Software Security Report for 2016 on enterprise security. The first thing to know here is that open source components in software development account for most of the security vulnerabilities. The other thing to know is that this report is based on over 300,000 assessments run on enterprise applications over an 18 month period.
Of all the programming languages Java topped the list with 97 percent of apps written in it were found to have at least one vulnerability. Some of these threats which range from severe to low come from their component parts which are bits of code developers use to write a piece of software. The use of known vulnerable component which the report say can be found in 25 percent of all Java apps also played a major role in the high ratings Java got for vulnerability.
Java which was first developed by Sun Microsystems in 1995 and now Oracle because they acquired the originating company in 2009 has been known for security flaws hence the frequent security patches. Chris Wysopal, co-founder and chief technology officer of Veracode told Fortune that “there’s a danger in code components being reused throughout many applications without developers necessarily realizing it… a lot of risk is inherited, and people don’t know, because it’s two steps removed.”
The report also notes that information leakage and cryptographic issues were found to be leading sources of all vulnerabilities at 72 percent and 65 percent respectively.
While developers that work in companies are getting better at building more secure applications, third party developers are getting worse. The report found that apps that were developed by in-house teams passed the industry benchmark at a score 39% of the apps passed versus 37% last year while third party developers passed 25 percent of the time compared to 28 percent last year. In some cases, companies feel it may be too expensive to continue paying vendors for maintenance and this is common in many firms. They would rather buys an applications and have it maintained in-house. Other times, the vendor having been paid for their applications may not feel the need to constantly update the application.
One sector which the lowest vulnerability fix rate is the health sector and this industry’s low scores on these application security benchmarks is troubling according to the report. While you may be thinking the techies would have the highest fix rate, the report notes that only about a third of flaws are fixed by security professionals. Manufacturing has been the best at fixing all known/reported flaws at a two-thirds rate.
Paul Balo is the founder of TechBooky and a highly skilled wireless communications professional with a strong background in cloud computing, offering extensive experience in designing, implementing, and managing wireless communication systems.
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behaviour or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
