Study Shows Significant Percentage of Applications Lack Basic Security Protection
Fri 29 Apr, 2011 // Chris Allan
According to recent research, software developers continue to make fundamental coding errors when building web applications, allowing attackers to carry out a variety of attacks with relative ease.
The study examined 4,900 applications submitted by customers over the previous six months. Its findings point to an urgent need to raise security standards in web application development.
More than half of the almost 5,000 applications failed to meet acceptable security standards, and more than eight out of ten web applications contained vulnerabilities from the OWASP (Open Web Application Security Project) Top 10, which lists the most common web application coding errors.
The results highlight how persistent application insecurity has been. While the prevalence of SQL injection vulnerabilities has fallen, cross-site scripting remains the most common mistake.
It might be assumed that the worst offenders would be internally developed applications, but in fact it is commercially produced software that caused the greatest concern. Only 12% of commercial applications met the standard on first submission for analysis, against a slightly better 16% of internally developed applications.
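The two error classes named above, shown in their naive and corrected forms. This is an added illustration, not code from the article or from the study it reports; the product table and the two attacker inputs are constructed for the example, and it uses only the Python standard library:

```python
import html
import sqlite3

# Constructed attacker inputs for the example: a script tag for a reflected XSS
# probe and a classic tautology for SQL injection.
XSS_PAYLOAD = "<script>alert(1)</script>"
SQLI_PAYLOAD = "' OR '1'='1"


def render_vulnerable(search_term: str) -> str:
    """Reflects user input straight into HTML: the cross-site scripting error."""
    return f"<p>Results for {search_term}</p>"


def render_fixed(search_term: str) -> str:
    """Same page, with the input encoded for the HTML text-node context it lands in."""
    return f"<p>Results for {html.escape(search_term, quote=True)}</p>"


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory catalogue; one row is not meant to be visible."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT NOT NULL, public INTEGER NOT NULL)")
    conn.executemany(
        "INSERT INTO products (name, public) VALUES (?, ?)",
        [("widget", 1), ("gadget", 1), ("unreleased-prototype", 0)],
    )
    conn.commit()
    return conn


def search_vulnerable(conn: sqlite3.Connection, search_term: str) -> list[str]:
    """Builds the query by string concatenation: the SQL injection error.

    With SQLI_PAYLOAD the WHERE clause becomes
        public = 1 AND name = '' OR '1'='1'
    and AND binds tighter than OR, so every row, public or not, is returned.
    """
    sql = f"SELECT name FROM products WHERE public = 1 AND name = '{search_term}'"
    return [row[0] for row in conn.execute(sql)]


def search_fixed(conn: sqlite3.Connection, search_term: str) -> list[str]:
    """Same query with a bound parameter; the payload is compared as data only."""
    sql = "SELECT name FROM products WHERE public = 1 AND name = ?"
    return [row[0] for row in conn.execute(sql, (search_term,))]


def script_tag_survives(rendered_html: str) -> bool:
    """Cheap check a test suite can run on rendered output: did raw markup get through?"""
    return "<script" in rendered_html.lower()


if __name__ == "__main__":
    conn = demo_db()
    print("vulnerable XSS :", render_vulnerable(XSS_PAYLOAD))
    print("fixed XSS      :", render_fixed(XSS_PAYLOAD))
    print("vulnerable SQL :", search_vulnerable(conn, SQLI_PAYLOAD))
    print("fixed SQL      :", search_fixed(conn, SQLI_PAYLOAD))
```

Both fixes are the same idea: keep data separate from code. Output encoding for the context the value lands in (here an HTML text node; an attribute or JavaScript context needs its own encoding) stops the browser treating input as markup, and bound parameters stop the database treating input as SQL. A check like `script_tag_survives` is the kind of assertion that belongs in an application's own test suite so the same mistake does not quietly return.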
Security levels were scored on a combination of factors, from the severity of the vulnerabilities found to the business criticality of the application as rated by the customer.
The research also shows that some companies are taking a much closer interest in the quality of the software supplied by their partners. Even so, only 25% of third-party software submitted for analysis met the acceptability test on the first pass.
Ian Glover, president of CREST (the Council of Registered Ethical Security Testers), a professional body for ethical security testers, was unsurprised by the findings. Glover said:
“The testing community is bored by having to deal with the same old problems over and over again in applications”
He predicted that the situation will only worsen as attackers develop more sophisticated techniques, such as advanced persistent threats, while developers continue to make the same mistakes. Glover also highlighted the often insecure and unusable shrink-wrapped software his members are asked to test.
Glover added that CREST is working with a number of UK universities, including Leeds, Southampton and Royal Holloway, to improve the teaching of secure coding.