Cenzic, an application security intelligence provider, has released its 2014 Application Vulnerability Trends Report. And, based on the results, the application security landscape is ripe for disaster.
The report can be downloaded here: Application Vulnerability Trends Report: 2014
The report states that 96% of the applications tested have at least one identified vulnerability, with a median of 14 vulnerabilities per application.
I've talked a lot about this recently: securing the operating system is only a small piece of overall security, and it's the applications running on that operating system that are the most worrying. The OS could be 100% secure, but a single application (anything from Adobe is a great example) opens holes simply by running. Just recently, a flaw in Adobe's Flash Player had Microsoft and its partners scrambling to ship a temporary fix for IE9 and IE10.
From a web perspective, cross-site scripting (XSS) tops the list at 25% of the vulnerabilities found, followed by Information Leakage (23%), Authentication and Authorization (15%), Session Management (13%), SQL Injection (7%), Cross-Site Request Forgery (CSRF) (6%), and other (11%).
The Cenzic report also suggests the problem is only going to get worse with BYOD, cloud services, and mobile applications: excessive privileges exist in over 80 percent of the mobile applications tested, and cloud service providers are called out as a major source of threats today and in the future as more companies outsource their data.
What's the fix?
According to Cenzic, the majority of identified vulnerabilities come down to *ahem* lazy developers who ignore coding standards and don't test their code for security during development. Of course, proper server configuration helps, as does putting a web application firewall in front of the application.
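To make the two points above concrete, here is an added example (mine, not code from Cenzic or from the report): the two injection classes the report ranks, XSS and SQL injection, each in the vulnerable form a careless developer writes and the hardened form a coding standard would require, plus the kind of development-time security check the post says gets skipped. Everything in it is constructed for illustration: the function names, the in-memory users table, and the two payloads. It uses only the Python standard library.

```python
"""Added example, not from the Cenzic report or the original post.

Shows XSS and SQL injection in vulnerable and hardened form, plus a
development-time security check that exercises both. All identifiers,
the sample table and the payloads are constructed for this example.
"""
import html
import sqlite3

# --- Cross-site scripting: reflecting untrusted text into HTML ----------

def render_comment_unsafe(comment: str) -> str:
    # Vulnerable: user text is concatenated straight into markup.
    return f'<p class="comment">{comment}</p>'

def render_comment_safe(comment: str) -> str:
    # Hardened: entity-encode for the HTML body context. quote=True also
    # escapes quotes, which matters if the value ever lands in an attribute.
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'

# --- SQL injection: building a query from user input --------------------

def make_db() -> sqlite3.Connection:
    # Constructed in-memory table with two users (sample data).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn

def lookup_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable: string formatting lets the input change the query structure.
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()

def lookup_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # Hardened: the driver binds the value as data; it can never become SQL.
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()

# --- The development-time check the post says developers skip -----------

XSS_PAYLOAD = "<script>alert(1)</script>"   # constructed sample payload
SQLI_PAYLOAD = "x' OR '1'='1"                # constructed sample payload

def security_checks(render, lookup) -> dict:
    """Run both payloads through a renderer and a lookup and report leakage.

    A passing implementation leaves no raw <script> tag in its HTML output
    and returns no rows for a user name that does not exist.
    """
    conn = make_db()
    html_out = render(XSS_PAYLOAD)
    rows = lookup(conn, SQLI_PAYLOAD)
    return {
        "xss_script_tag_survives": "<script>" in html_out,
        "sqli_rows_returned": len(rows),
    }

if __name__ == "__main__":
    print("unsafe:", security_checks(render_comment_unsafe, lookup_user_unsafe))
    print("safe:  ", security_checks(render_comment_safe, lookup_user_safe))
```

Run stand-alone, the unsafe pair reports the script tag surviving and two rows returned for a name that exists in no row (the `OR '1'='1'` tail made the WHERE clause always true); the safe pair reports neither. A check like `security_checks` is cheap to wire into a test suite, which is the point: the fixes here are output encoding and parameterized queries, and a WAF or hardened server is a backstop for them, not a substitute.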