Safe Coding and Software Security

ARE YOU PRACTICING SAFE CODING? As 2011 proved to be the year of the hack, the need for secure application coding is greater than ever. Application security requirements are heightening in the wake of critical application breaches, meaning knowledge and training must rise to ensure safe coding. WHAT'S THE BIG DEAL? Previously, attackers used application vulnerabilities to cause embarrassment and disruption. But now these attackers are exploiting vulnerabilities to steal data and much more: MODIFYING VICTIMS' WEBSITES TO DEPLOY MALWARE TO WEBSITE VISITORS IP THEFT TAKING OVER HIGH-VALUE ACCOUNTS BREACHING ORGANIZATION PERIMETERS ARE APPLICATIONS REALLY THAT UNSAFE? More than 8 out of 10 applications failed to pass OWASP Top 10 when first tested. More than half of all developers received a grade of C or lower on a basic application security assessment. TOP 5 APPLICATION VULNERABILITIES Percentage of Web Applications Affected Percentage of Hacks* 32% 53% SQL Injection Cryptographic Issues 2% 20% 68% 9% XSS OS Command 10% Injection 1% 66% Information Leakage 3% *Source: WHID While other flaws such as XSS account for a higher volume of findings, SQL injection accounts for 20 percent of hacks. WHERE ARE VULNERABILITIES FOUND? TOP 3 VULNERABILITIES BY LANGUAGE 156% xss 16% CRLF Injection Java 10% Information Leakage 187% xss 8% SaL Injection Cold- Fusion 1% Directory Traversal/Information Leakage/CRLF Injection (Tied) 126% Error Handling 20% Buffer Overflow C/C++ 18% Buffer Management Errors 147% xss 18% Information Leakage .NET 10% Cryptographic Issues 75% xss 10% Directory Traversal PHP 7% SaL Injection 44% Cryptographic Issues 28% CRLF Injection Android 10% Information Leakage |58% Cryptographic Issues 38% Information Leakage Java ME 3% Directory Traversal TOP 3 VULNERABILITIES BY SUPPLIER |58% xss Internally Developed 12% CRLF Injection 10% Information Leakage 144% xss Commercial 11% Information Leakage 8% CRLF Injection 141% xss Open Source 13% Directory Traversal 13% Information Leakage DEVELOPER PERFORMANCE AGAINST OWASP TOP 10 ON FIRST SUBMISSION Internally Developed Commercial Open Source Outsourced OVERALL 17% 12% 12% 7% 16% Acceptable 83% 88% 88% 93% 84% Not Acceptable EVEN YOUR ANDROIDS AREN'T SAFE In Java applications, this is usually due to the use of the statistical random number generator (RNG) rather than the cryptographic RNG. This common mistake can be fixed with a SINGLE LINE OF CODE. Percentage of Applications Affected 61% 42% 39% 6% Insufficient Entropy Information Exposure Through Sent Data Information Exposure Through Error Message Use of Hard-Coded Cryptographic Key FLAW Cryptographic Issues FLAW- Information Leakage WHAT ARE YOUR PARTNERS GIVING YOU? 60 percent of third-party software performance failed against Enterprise Policy. HOW EASY IS IT TO GET SAFE? 0-1 Week 2-3 Weeks 3-4 Weeks 4+ Weeks 3%- 7% 11%- 79%- 3% 3%- 12%- 82%- 98%- Internally Developed Commercial Open Source 3%- 11%- 82% 100%- Outsourced OVERALL 82 percent of applications that were remediated to a satisfactory level did so in a week or less. HOW CAN YOU STAY SAFE? 1. CONTINUE TO SCAN YOUR APPLICATIONS • Building secure software or requiring it from your suppliers does not have to be time-consuming. 2. GET TRAINING/EDUCATION • Measure your knowledge of application security fundamentals. • Take Application Security Training sessions. 3. ASK APPLICATION SUPPLIERS TO PROVE THE SECURITY OF THEIR APPS • Get your suppliers to scan their code. • Write security approval language into contracts. While there is not a statistical direct correlation between application security knowledge and application security, there is a strong association. Training seems to pay off - invest in it. AVERAGE SQS SCORE VS. AVERAGE QUIZ GRADE 100 80 60 40 20 20 40 60 80 100 Average Quiz Score VERACODE READ THE FULL REPORT AT VERACODE.COM/SOSS Average Sas Score