Published on April 14th, 2020
10 Years In: Still Combatting the Same Software Security Vulnerabilities
While methods for finding and fixing vulnerabilities have evolved a lot over the past 10 years, a recent study shows that the most common vulnerabilities haven't changed much in the same time frame. Which, in a way, is good news: we know what sorts of vulnerabilities are most prevalent; it's just a matter of addressing them.
That's at least one way to look at the results of Vol. 10 of Veracode's "State of Software Security" report, which is based on actual customer application scans by Veracode's cloud-based software security testing service. Looking at the eight most common vulnerability categories found this past year, it's striking that the top two are the same as they were 10 years ago in Vol. 1 of the report: information leakage (found in 64 percent of apps) and cryptographic issues (62 percent).
Perhaps more worrisome is that the prevalence of each of the top eight application security offenders is greater today than 10 years ago, in many cases by quite a bit. Information leakage shot to the top spot by nearly doubling in prevalence from 37 percent in Vol. 1 of the report while cryptographic issues rose by nearly 20 points, from 44 percent 10 years ago.
"Many ways to get this wrong"
How can that be? Shouldn't we be getting better at securing our applications, not losing ground?
Well, it's no coincidence that the top two categories have the most entries as measured by the Common Weakness Enumeration (CWE) standard: the cryptographic issues category maps to 25 known CWEs, while information leakage maps to 15.
"In other words, there are many ways to get this wrong," says Chris Kirsch, who works on product strategy at Veracode.
With respect to cryptographic issues, one problem is the continued use of crypto algorithms that are well past their prime, Kirsch says. The MD5 and SHA-1 hash functions, for example, were once considered strong, but both are now broken for collision resistance: practical MD5 collisions have been known since 2004, and a SHA-1 collision was demonstrated in 2017. Yet many legacy applications still include them, and developers who are not aware that these algorithms are no longer considered strong crypto carry them unknowingly into newer apps as well.
Education plus SAST and DAST
This points to the larger issue of educating software developers on security best practices and integrating that education into DevSecOps processes, which is an ongoing battle.
"New classes of coding errors are few and far between," Kirsch says. "People continue to make the same mistakes. They're not getting the old stuff right."
Another issue is the requirement to test software with both static and dynamic application security testing tools (SAST and DAST). SAST analyzes the application's code "at rest," that is, without running the app. Issues such as the cryptographic errors above, where the code itself names the algorithm it uses, are found by SAST.
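As an added example (not from the article, Veracode, or the report), here is the kind of check a SAST tool performs for the cryptographic issue Kirsch describes: a small static analysis over Python source that flags every call selecting MD5 or SHA-1, beside the replacement a reviewer would ask for. The sample source is constructed, the `usedforsecurity` keyword it handles is a real hashlib parameter (Python 3.9+), and the function and variable names are this example's own.

```python
"""Minimal SAST-style check for legacy hash algorithms (MD5, SHA-1) in Python
source, with the replacements a reviewer would suggest. Added example; the
sample source below is constructed and is not from any real project."""
import ast
import hashlib
import hmac
from typing import Dict, List, Tuple

WEAK_HASHES = {"md5", "sha1"}

# Constructed sample: legacy hash calls carried into a newer code base.
SAMPLE_SOURCE = """\
import hashlib
from hashlib import md5 as legacy_md5

def fingerprint(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()             # weak

def token(seed: bytes) -> str:
    h = hashlib.new("sha1")                           # weak, via hashlib.new
    h.update(seed)
    return h.hexdigest()

def checksum(data: bytes) -> str:
    return legacy_md5(data).hexdigest()               # weak, via import alias

def cache_key(data: bytes) -> str:
    return hashlib.md5(data, usedforsecurity=False).hexdigest()  # declared non-security

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()           # fine
"""


def find_weak_hashes(source: str) -> List[Tuple[int, str]]:
    """Return (line, algorithm) for each call that selects MD5 or SHA-1.

    Catches hashlib.md5()/hashlib.sha1(), names imported from hashlib (with or
    without an alias) and hashlib.new("md5" | "sha1"). Calls passing
    usedforsecurity=False (a real hashlib keyword since Python 3.9) are treated
    as declared non-security use and skipped. Scope is hashlib only; other
    crypto libraries would need their own patterns."""
    tree = ast.parse(source)
    aliases: Dict[str, str] = {}  # local name -> algorithm
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module == "hashlib":
            for alias in node.names:
                if alias.name in WEAK_HASHES:
                    aliases[alias.asname or alias.name] = alias.name

    findings: List[Tuple[int, str]] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        if any(kw.arg == "usedforsecurity" and isinstance(kw.value, ast.Constant)
               and kw.value.value is False for kw in node.keywords):
            continue
        func = node.func
        algorithm = None
        if isinstance(func, ast.Attribute) and func.attr in WEAK_HASHES:
            algorithm = func.attr                      # hashlib.md5(...)
        elif isinstance(func, ast.Name) and func.id in aliases:
            algorithm = aliases[func.id]               # md5(...) / legacy_md5(...)
        elif (isinstance(func, ast.Attribute) and func.attr == "new" and node.args
              and isinstance(node.args[0], ast.Constant)
              and isinstance(node.args[0].value, str)
              and node.args[0].value.lower() in WEAK_HASHES):
            algorithm = node.args[0].value.lower()     # hashlib.new("sha1", ...)
        if algorithm:
            findings.append((node.lineno, algorithm))
    return sorted(findings)


def integrity_digest(data: bytes) -> str:
    """Drop-in replacement for the MD5/SHA-1 calls flagged above."""
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison so the check itself does not leak timing."""
    return hmac.compare_digest(integrity_digest(data), expected_hex)


def password_hash(password: bytes, salt: bytes, iterations: int = 600_000) -> bytes:
    """Passwords are a separate case: any plain hash, SHA-256 included, is too
    fast to resist guessing. Use a salted, iterated KDF instead (PBKDF2-HMAC-SHA256
    from the standard library is shown; the salt must be random per password)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


if __name__ == "__main__":
    for line, algo in find_weak_hashes(SAMPLE_SOURCE):
        print(f"line {line}: weak hash {algo}")
```

The check reports lines 5, 8 and 13 of the sample and stays quiet on the `usedforsecurity=False` call, which is the distinction a developer needs: MD5 for a cache key is a non-issue, MD5 for a fingerprint or token is a finding.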
But other flaws can be found only when the application is running, which is where DAST comes in. A configuration error, for example, only crops up while the deployed app is interacting with a browser or another client.
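As an added example of this runtime-only class of finding (not from the article or from Veracode's tooling), here is a DAST-style check over a captured HTTP response. The response text is constructed, and the headers inspected are standard ones, so an app whose source is clean under SAST can still fail here because of how its server is configured. The version banners in the Server and X-Powered-By headers also tie back to the report's top category, since they are information leakage.

```python
"""DAST-style check over an HTTP response: configuration findings that exist
only in the running deployment. Added example; both responses are constructed,
not real captures."""
from email.parser import Parser
from typing import List, Tuple

# Constructed response from a misconfigured deployment.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Set-Cookie: session=9f3ab2c1; Path=/\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html><body>ok</body></html>"
)

# The same app with the server configuration corrected.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Set-Cookie: session=9f3ab2c1; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html><body>ok</body></html>"
)

REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS missing: clients can be downgraded to plain HTTP",
    "content-security-policy": "CSP missing: no restriction on script sources",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing allowed",
}


def parse_response(raw: str) -> Tuple[str, "Parser", str]:
    """Split a raw response into (status line, headers, body).
    email.parser handles the RFC 822 header syntax HTTP reuses; header lookups
    on the returned Message object are case-insensitive."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    headers = Parser().parsestr(header_block, headersonly=True)
    return status_line, headers, body


def check_response(raw: str, served_over_tls: bool = True) -> List[str]:
    """Return a list of findings for one response. served_over_tls controls the
    checks that only make sense for HTTPS (HSTS and the Secure cookie flag)."""
    _, headers, _ = parse_response(raw)
    findings: List[str] = []

    # Information leakage: software version banners.
    for name in ("Server", "X-Powered-By"):
        value = headers.get(name)
        if value and any(ch.isdigit() for ch in value):
            findings.append(f"{name} header discloses software version: {value}")

    # Missing hardening headers.
    for name, why in REQUIRED_HEADERS.items():
        if name == "strict-transport-security" and not served_over_tls:
            continue
        if headers.get(name) is None:
            findings.append(why)

    # Cookie attributes: only visible on a live Set-Cookie.
    for cookie in headers.get_all("Set-Cookie") or []:
        cookie_name = cookie.split("=")[0].strip()
        attrs = {part.strip().split("=")[0].lower() for part in cookie.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name!r} lacks HttpOnly")
        if served_over_tls and "secure" not in attrs:
            findings.append(f"cookie {cookie_name!r} lacks Secure")
    return findings


if __name__ == "__main__":
    for finding in check_response(SAMPLE_RESPONSE):
        print(finding)
    print("hardened:", check_response(HARDENED_RESPONSE))
```

None of these seven findings is visible in the application's source: they come from the web server and framework configuration, which is exactly why the article says both kinds of testing are required.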
Kirsch likens the need for both sorts of software security testing to how a doctor who only takes an x-ray won't be able to determine whether the patient has high blood pressure. "You need a variety of tests," he says.
Just as proper handwashing is key to staying healthy, making progress against the top vulnerabilities requires some mundane but necessary steps. "You have to educate developers so they know how to code securely and don't introduce new flaws. And give feedback early in the dev cycle so they're aware of vulnerabilities and can fix them," Kirsch says. "Then you need checks and balances to make sure insecure code doesn't go into production."
As with the medical analogy, there's often no silver bullet, just lots of fundamentals. Eat healthy, go to the gym, get educated.
Copyright © 2020 IDG Communications, Inc.