IFSEC Insider, formerly IFSEC Global, is the leading online community and news platform for security and fire safety professionals.
January 1, 2014

96 percent of applications have security vulnerabilities, finds study

Enterprises and software developers are starting to get control of old vulnerabilities such as SQL injection and cross-site scripting, according to a study published this week. But new vulnerabilities are taking their place, leaving flaws in nearly every application tested.

Ninety-six percent of applications tested have at least one security vulnerability, according to a study published by application security firm Cenzic earlier this week. This figure has dropped slightly — the same study turned up flaws in 99 percent of apps in 2011 and 2012 — but the vulnerabilities remain nearly ubiquitous. In fact, the median number of vulnerabilities per application found in this year’s study – 14 – is actually greater than it was in the previous year – 13.

“While some improvements in the development process have been made, other newer areas of vulnerability have emerged,” says Bala Venkat, chief marketing officer at Cenzic, which compiled the numbers through an analysis of production applications scanned by its tools. “It’s a graphic illustration of the gigantic game of whack-a-mole that enterprises and software developers are playing – and a clear message that it’s time to rethink the way we develop and test our applications.”

Information leakage — in which an application exposes information about itself, its connections, or its users — was the primary category of vulnerability in this year’s study, accounting for almost one quarter (23 percent) of security flaws. This category displaced older vulnerabilities such as cross-site scripting (XSS), which still is found in almost as many applications.

“We found that the growth of mobile and cloud applications is causing a slight shift in the types of vulnerabilities we are finding,” Venkat says. “But the prevalence of vulnerabilities has not changed significantly.”

Enterprises and their software development teams need to rethink their processes, Venkat says, focusing more attention on security during the development cycle.

“Web application firewalls can also help enterprises identify vulnerabilities early and prevent them from leading to greater damage,” Venkat says. Closer attention to basic issues such as server configuration can also help enterprises to minimize the impact of vulnerabilities in their applications, he adds.

“One of the chief obstacles that remain is to get software developers and enterprises to stop thinking of vulnerability scanning as a one-time project,” Venkat stated. “As web applications evolve and make their journey traversing various production environments, the incidence of vulnerabilities is growing, not shrinking. Applications development and security teams must get together and implement a plan for continuous proactive monitoring of vulnerabilities, rather than the traditional, annual quality assessment.”
