10 Years In: Still Combatting the Most Common Same Software Security Vulnerabilities

While methods for finding and fixing vulnerabilities have evolved a lot over the past 10 years, a recent study show that the most common vulnerabilities haven’t changed much in the same time frame. Which, in a way, is good news: we know what sorts of vulnerabilities are most prevalent; it’s just a matter of addressing them.

That’s at least one way to look at the results of Vol. 10 of Veracode’s “State of Software Security” report, which is based on actual customer application scans by Veracode’s cloud-based software security testing solution. Upon looking at the eight most common vulnerabilities found this past year, it’s striking that the top two categories are the same as they were 10 years ago in Vol. 1 of the report: Information Leakage (found in 64 percent of apps) and cryptographic issues (62 percent). 

Perhaps more worrisome is that the prevalence of each of the top eight application security offenders is greater today than 10 years ago, in many cases by quite a bit. Information leakage shot to the top spot by nearly doubling in prevalence from 37 percent in Vol. 1 of the report while cryptographic issues rose by nearly 20 points, from 44 percent 10 years ago.

‘Many ways to get this wrong’

How can that be? Shouldn’t we be getting better at securing our applications, not losing ground?

Well it’s no coincidence that the top two categories  have the most entries as measured by the Common Weakness Enumeration (CWE) standard. The cryptographic leakage category has 25 known CWEs while information leakage has 15.

“In other words, there are many ways to get this wrong,” says Chris Kirsch, who works on product strategy at Veracode.

With respect to cryptographic issues, one issue is the continued use of crypto algorithms that are well past their prime, Kirsch says. The MD5 and SHA-1 hashing functions, for example, were once considered strong algorithms, but we now know that they are not as robust as we once thought. Yet many legacy applications still include them and developers may simply not be aware that it’s no longer considered strong crypto and use it unknowingly even in newer apps.

Education plus SAST and DAST

Which gets to the larger issue of educating software developers on security best practices, and integrating them into DevSecOps processes, which is an ongoing battle.

“New classes of coding errors are few and far between,” Kirsch says. “People continue to make the same mistakes. They’re not getting the old stuff right.”

Another issue is the requirement to test software using both Static and Dynamic Application Security Test tools (SAST and DAST). SAST looks at the application code when “at rest,” meaning when the app is not actually running. Issues such as those cryptographic errors are found during SAST testing.

But other flaws can be found only when the application is in action, which is where DAST comes in. A configuration error, for example, will only crop up while the app is interacting with a browser or other resource.

Kirsch likens the need for both sorts of software security testing to how a doctor who only takes an x-ray won’t be able to determine whether the patient has high blood pressure. “You need a variety of tests,” he says.

Like proper handwashing is key to keeping healthy, making progress in combatting the top vulnerabilities requires some mundane but necessary steps. “You have to educate developers so they know how to code securely and don’t introduce new flaws. And give feedback early in the dev cycle so they’re aware of vulnerabilities and can fix them,” Kirsch says. “Then you need checks and balances to make sure insecure code doesn’t go into production.”

As with the medical analogy, there’s often no silver bullet, just lots of fundamentals. Eat healthy, go to the gym, get educated.

Comments are closed.