The State of application security report from application security company Veracode is based on the scans of code submitted to the company for testing. There are three main types of scan: dynamic analysis, which observes the running application's behaviour; static analysis, which inspects the code itself; and software composition analysis, which checks third-party libraries against a database of known flaws.
The three types of analysis reveal different flaws. Top issues found by static analysis are CRLF injection (where a carriage-return/line-feed sequence in user input is passed through unfiltered, so an attacker can insert new lines into output such as HTTP headers or log entries), cryptographic issues, and information leakage. Top in dynamic analysis are server misconfiguration, insecure dependencies, and again information leakage. Composition analysis puts information leakage top, followed by insufficient input validation, and encapsulation flaws, which are where applications “fail to separate or differentiate critical data or functionality within components.”
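To make the CRLF injection category concrete, here is an added example that is not code from the report or from Veracode. It builds the header block of an HTTP redirect from a user-supplied URL in two ways, first with no filtering and then rejecting any value containing a line terminator, and uses a small constructed parser and a constructed attacker input to show what a client would see in each case. The function names, the sample input and the parser are all assumptions made for this illustration.

```python
"""Added example: CRLF injection in HTTP response headers.

Nothing here is from the Veracode report; the builders, the parser and
the attacker input are constructed for illustration only.
"""

CRLF = "\r\n"


def build_redirect_vulnerable(user_url: str) -> str:
    """Build the raw header block of a 302 redirect with no input filtering.

    A CR/LF pair inside user_url terminates the Location header early and
    lets whoever controls the URL append arbitrary headers (response splitting).
    """
    return (
        "HTTP/1.1 302 Found" + CRLF
        + "Location: " + user_url + CRLF
        + CRLF
    )


def build_redirect_hardened(user_url: str) -> str:
    """Same redirect, but refuse any value containing a line terminator.

    Rejecting rather than silently stripping keeps the failure visible to
    the caller and to logging. Lone CR and lone LF are rejected as well as
    the CRLF pair, since some parsers treat either one as a line break.
    """
    if "\r" in user_url or "\n" in user_url:
        raise ValueError("line terminator in header value")
    return (
        "HTTP/1.1 302 Found" + CRLF
        + "Location: " + user_url + CRLF
        + CRLF
    )


def parse_headers(raw: str) -> dict:
    """Minimal header parser returning {lowercased name: value}.

    Stands in for a client or proxy, to show what it would see after the
    split. It stops at the first empty line, where the body would begin.
    """
    headers = {}
    for line in raw.split(CRLF)[1:]:
        if line == "":
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


# Constructed attacker input: a plausible path followed by an injected
# Set-Cookie header (assumption made for this example).
ATTACK = "/home\r\nSet-Cookie: session=attacker-controlled"


def demo() -> tuple:
    """Return (cookie seen by a client from the vulnerable builder,
    whether the hardened builder rejected the same input)."""
    seen = parse_headers(build_redirect_vulnerable(ATTACK))
    try:
        build_redirect_hardened(ATTACK)
        blocked = False
    except ValueError:
        blocked = True
    return seen.get("set-cookie"), blocked


if __name__ == "__main__":
    injected, blocked = demo()
    print("vulnerable builder emitted Set-Cookie:", injected)
    print("hardened builder rejected the input:", blocked)
```

This is the pattern a static analyser flags: a value that came from input reaching a header, log line or other line-oriented sink without the line terminators being removed or the request being refused. Most web frameworks now do this check for you in their header-setting APIs, but code that assembles protocol text by hand, as above, does not get that protection.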
SQL injection remains a common problem, with over 22 percent of statically analysed applications vulnerable and 32 percent in composition analysis, as does cross-site scripting, at 38.5 percent in static analysis and 44.7 percent in composition analysis.
Another incidental finding is that “over 90 percent of Java applications are third-party code.” Much of modern application development is about assembling and controlling components and libraries, rather than writing fresh code.
Applications evolve over time and, according to this survey, “the average application grows about 40 percent per year, regardless of its original size,” though growth slows after five years or so. Unfortunately, growth also means new flaws may be introduced. According to the survey, fewer flaws are typically introduced in the first 18 months of an application’s life, but after that the rate creeps up. “The percentage of applications with flaws climbs as applications age,” say the researchers, stating that fewer than half of applications less than one year old have flaws, but by the time they are four or five years old, two-thirds have flaws, and at 10 years old, 90 percent do.
Exactly why these trends exist is open to speculation; perhaps newer applications are more likely to get a company’s top software engineers, for example. Recommendations in the report, which comes from a company selling application security tools, include greater automation, developer training, and clarity over who is responsible for each application.