Many Web Apps Fail Security Audits Before Deployment

More than half of Web applications have some kind of serious security flaw after development, according to a research report, suggesting that software developers need to improve their security coding skills.

About 58 percent of Web applications generally fail a security audit the first time around, according to Veracode's State of Software Security report, released April 19.  Veracode analyzed 4,835 applications that were submitted to its cloud-based application testing service for a security audit over a space of 18 months.

Even more worrying, 66 percent of applications developed by the software industry, as opposed to other sectors, were initially found to have an unacceptable level of security quality. Software organizations are turning out more insecure applications than other companies, the study found. Of the applications from the software companies, 72 percent of security products and 82 percent of customer-focused applications submitted to Veracode were deemed unacceptable, securitywise.

Security vendors tasked with protecting enterprises are often the most at risk due to the poor quality of their very own software applications, Veracode found.

"Software remains fundamentally flawed," and no industry sector is immune to application security risk, the report found. However, the finance industry generally produced the cleanest code, according to the report.

The good news is that developers are learning from their mistakes quickly. More than 90 percent of the software that failed the audit the first time addressed the issues and passed a subsequent test within one month. Security products were fixed even faster, becoming "acceptable" in just three days.

The report has a slight reporting bias as the organizations voluntarily submitted their applications to the testing service. However, the findings highlight how widespread application insecurity has become if more than half of the applications from companies in the security software business fail the audit. The Verizon Data Breach Investigation Report, released the same day, found that Web application attacks accounted for 22 percent of all attacks that resulted in a data breach, and were the source of 38 percent of leaked records.

For more, read the eWEEK article: More Than Half of Web Apps Fail Security Audit Prior to Deployment.