Safe Coding and Software Security Infographic

The need for secure application coding is greater than ever! This Veracode infographic represents anonymized data from billions of lines of code submitted for analysis by large enterprises, commercial software providers, open source projects, and software outsourcers in Veracode’s cloud-based application risk management services platform.

Safe Coding and Software Security


Infographic by Veracode Application Security

As 2011 proved to be the year of the hack, the need for secure application coding is even greater than ever. Application security requirements are heightening in the wake of critical application breaches, meaning knowledge and training must rise to ensure safe coding.

What’s the Big Deal?

Previously, attackers used application vulnerabilities to cause embarrassment and disruption. But now these attackers are exploiting vulnerabilities to steal data and much more:

  • IP Theft
  • Modifying victims’ websites to deploy malware to website visitors
  • Taking over high-value accounts
  • Breaching organization perimeters

Are Applications Really That Unsafe?

Over 8 out of 10 applications failed to pass OWASP Top 10 when first tested.
More than half of all developers received a grade of C or lower on a basic application security assessment.


Top 5 Application Vulnerabilities

Category              | Percentage of Hacks | Web Applications Affected
SQL Injection         | 20%                 | 32%
XSS                   | 10%                 | 68%
Information Leakage   | 3%                  | 66%
Cryptographic Issues  | 2%                  | 53%
OS Command Injection  | 1%                  | 9%

While other flaws such as XSS account for a higher volume of findings, SQL injection accounts for 20 percent of hacks.

Where Are Vulnerabilities Found?

Top 3 Vulnerabilities by Language

Language    | #1                               | #2                        | #3
Java        | Cross-site Scripting (XSS) (56%) | CRLF Injection (16%)      | Information Leakage (10%)
ColdFusion  | XSS (87%)                        | SQL Injection (8%)        | Directory Traversal / Information Leakage / CRLF Injection (1%, tied)
C/C++       | Error Handling (26%)             | Buffer Overflow (20%)     | Buffer Management Errors (18%)
.NET        | XSS (47%)                        | Information Leakage (18%) | Cryptographic Issues (10%)
PHP         | XSS (75%)                        | Directory Traversal (10%) | SQL Injection (7%)
Android     | Cryptographic Issues (44%)       | CRLF Injection (28%)      | Information Leakage (10%)
Java ME     | Cryptographic Issues (58%)       | Information Leakage (38%) | Directory Traversal (3%)


Top Vulnerabilities by Supplier

Supplier Type         | #1                               | #2                        | #3
Internally Developed  | Cross-site Scripting (XSS) (58%) | CRLF Injection (12%)      | Information Leakage (10%)
Commercial            | XSS (44%)                        | Information Leakage (11%) | CRLF Injection (8%)
Open Source           | XSS (41%)                        | Directory Traversal (13%) | Information Leakage (13%)
Outsourced            | CRLF Injection (47%)             | XSS (28%)                 | Information Leakage / Encapsulation (6%, tied)


Developer Performance on First Submission

Supplier Type         | Acceptable | Not Acceptable
Internally Developed  | 17%        | 83%
Commercial            | 12%        | 88%
Open Source           | 12%        | 88%
Outsourced            | 7%         | 93%
Overall               | 16%        | 84%


Even Your Androids Aren’t Safe

Flaw Category         | Flaw                                        | Applications Affected (%)
Cryptographic Issues  | Insufficient Entropy                        | 61%
Cryptographic Issues  | Use of Hard-coded Cryptographic Key         | 42%
Information Leakage   | Information Exposure Through Sent Data      | 39%
Information Leakage   | Information Exposure Through Error Message  | 6%

In Java applications, this is usually due to the use of the statistical random number generator (RNG) rather than the cryptographic RNG. This common mistake can be fixed with a SINGLE LINE OF CODE.
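As an added illustration (not code from the Veracode infographic), the following shows the mistake the text describes and the one-line fix: a token built from java.util.Random is reproducible from its seed, while the same code with java.security.SecureRandom is not. The class and method names are hypothetical; it also covers the hard-coded key flaw from the table by generating the key at runtime instead.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class TokenRngExample {

    // Flawed: java.util.Random is a statistical PRNG (48-bit linear congruential
    // generator). Its entire output is a function of the seed, so two instances
    // seeded the same way (e.g. from the clock) emit identical "random" tokens.
    static String weakToken(long seed) {
        byte[] buf = new byte[16];
        new Random(seed).nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // Fixed: the single-line change is "new SecureRandom()" in place of
    // "new Random(seed)". SecureRandom is seeded from the platform's
    // cryptographic entropy source and is not reproducible from a caller-chosen seed.
    static String strongToken() {
        byte[] buf = new byte[16];
        new SecureRandom().nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // The related "hard-coded cryptographic key" flaw: instead of embedding a
    // constant key in the binary, generate it with a cryptographic RNG at runtime
    // and keep it in a keystore. (AES-256 needs the unrestricted policy on JDK < 8u161.)
    static SecretKey freshAesKey() throws NoSuchAlgorithmException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256, new SecureRandom());
        return kg.generateKey();
    }

    public static void main(String[] args) throws Exception {
        long seed = System.currentTimeMillis();   // the typical, predictable seed choice
        // Same seed, same token: anyone who can narrow down the seed can regenerate it.
        System.out.println("weak tokens identical:   " + weakToken(seed).equals(weakToken(seed)));
        // Two SecureRandom-backed tokens are independent.
        System.out.println("strong tokens identical: " + strongToken().equals(strongToken()));
        System.out.println("fresh AES key bytes:     " + freshAesKey().getEncoded().length);
    }
}
```

Expected output is "true", "false", and "32"; a static-analysis rule that flags java.util.Random in any code path feeding keys, tokens, IVs or salts is the practical detection.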


What Are Your Partners Giving You?

60 percent of third-party software failed against enterprise policy.

How Easy Is It To Get Safe?


Supplier Type         | 0-1 Week | 2-3 Weeks | 3-4 Weeks | 4+ Weeks
Internally Developed  | 82%      | 3%        | 3%        | 12%
Commercial            | 79%      | 3%        | 7%        | 11%
Open Source           | 98%      | -         | -         | 2%
Outsourced            | 100%     | -         | -         | -
Overall               | 82%      | 3%        | 4%        | 11%

82 percent of flaws can be fixed in a week or less.


How Can You Stay Safe?

  • Continue to scan your applications: Building secure software or requiring it from your suppliers does not have to be time consuming.
  • Get Training/Education: Measure your knowledge of application security fundamentals and take Application Security Training sessions.
  • Ask application suppliers to prove the security of their apps: Get your suppliers to scan their code and write security approval language into contracts.

While there is no direct statistical correlation between application security knowledge and application security, there is a strong association. Training seems to pay off – invest in it.
