Saturday, July 31, 2010

Study Nails Extent of Insecure Software


What percentage of commercial software would you estimate to be secure? 90 percent... higher? It must be safe if it's being sold commercially, whether for enterprise or consumer applications, right? The actual percentage may shock you.

Only 42 percent of software passed core-security testing, according to a new report, "State of Software Security" (registration required, or you can download just the executive summary). With the release of this ground-breaking security report, Veracode has demonstrated that most commercial software applications are to some degree insecure. This report includes some shocking revelations, namely, that organizations are highly prone to attack, and users extremely vulnerable to cybercriminal activity.

Test results were even worse when applied against known industry standards such as Open Web Application Security Project Top 10 (2007) and CWE/SANS Top 25 most dangerous programming errors (2009). An almost unbelievable 88 percent of developed applications failed in testing against these benchmarks.

In general, only 38 percent of commercially developed software and a paltry 31 percent of internally developed code passed muster. The report also found that coding from third parties actually formed a major component in many applications, even when labeled as "internally developed."

"Third party" is an apparently loose description of components that could have passed (and in many cases did pass) through several developers' hands with no testing before integration and no system of approved suppliers.

Despite the conventional wisdom in some quarters that open-source software is more vulnerable, Veracode actually found open-source apps were safer overall, with fewer potential backdoor vulnerabilities than any other commercial software supplied. Open source also had a better all-around score and a faster remediation turnaround: 36 days, compared with 82 days for commercial development.

Vulnerabilities were found in all coding languages, but the biggest offenders were found to be applications written in C/C++. This could be explained in part by the continued popularity of C/C++, but also by the fact that many such applications relied on third-party vendors for sections of code that were never tested for security.

This was further shown to increase the risk of remote code execution attacks through flaws such as buffer and integer overflows. Such hybrids of managed and native code originating from a heterogeneous software supply chain only add to the overall problem, and can be exploited for nefarious purposes, as seen in the recent Aurora attacks.

Despite years of warnings on the threat of cross-site scripting (XSS) vulnerabilities, developers are shown to be surprisingly unaware of the essence and extent of the problem. Lack of security training was singled out for criticism; applications whose developers had security training were safer and still provided a cost-effective coding solution.

Financial and governmental sectors were found to have the most secure systems. More investment and new industry requirements following data breaches may have stimulated action by related industries, and although more still needs to be done, other sectors can learn from these examples of securing the backdoor.

Security requirements in outsourced suppliers are often overlooked in an environment where outsourcing is seen as the cheaper option and, increasingly, as a component in applications. This presents a problem when security specifics are not fully detailed and no minimum acceptance testing is required.

Many in the security community who advocate publicizing vulnerability issues have argued for some time that the majority of software being supplied to enterprises, governmental departments, and end users alike was not secure. Now we have evidence to support this perspective. If nothing else, consumers and enterprises should demand an approved standard or third-party mark of security for software applications, just as we do with prescription drugs and electrical appliances.

By Jart Armin

www.internetevolution.com
