Secure coding practices have helped developers get a better handle on software security vulnerabilities, but increased mobile usage has contributed to a steady rise in the number of mobile security flaws and application risks overall, according to a recent study. The Cenzic Application Security Trends Report 2014 found that 96 percent of all tested applications contained security flaws, and issues around information leakage, authentication and authorization are ubiquitous, particularly in the mobile space.
According to the study, the incidence of security flaws in mobile applications has grown steadily, and more than 80 percent contain excessive privileges. Some of the biggest problems are in applications shared with third parties, and nearly a quarter of applications are prone to information leakage, in which an application shares excessive technical or user details. Cross-site scripting errors are still common, but flaws in authentication and authorization are also a major problem, accounting for 15 percent of vulnerabilities, as are session management errors, which comprise 13 percent of flaws.
"While old standbys such as XSS and SQL injection may be coming under better control, emerging classes of vulnerabilities – such as information leakage, which is common in mobile applications – are growing," Cenzic CMO Bala Venkat said. "The growth of emerging technologies and new application categories – such as cloud and mobile apps – increases the complexity of the security effort."
Venkat noted that application flaws have remained consistently high over the past three years, even as improvements in the coding process have been made, due to the increase in new vulnerability types. The median number of applications per vulnerability actually increased from 13 to 14 in the past year.
Improving software security at the developer level
The good news is that even the emerging classes of vulnerabilities are largely preventable, the report noted. In particular, developers can protect their applications by implementing safe coding practices like source code analysis and peer code review.
"Consistent, high-quality coding practices are the most effective deterrent to attacks," the company explained in a statement.
Many of the barriers to secure software stem from institutional practices or mindsets that companies can work to adjust, security expert Jeff Williams noted in a recent InformationWeek column. For instance, application security is often most effective when carried out in the development process, since developers have the best tools to fix the problems. Precisely because the fix sits with developers, companies can make the mistake of blaming them for flaws, setting off a vicious cycle of resentment around security.
A more effective approach can be to empower developers by giving them tools to educate themselves on better security practices. With static analysis software, developers can see their errors as they occur and learn to avoid them, while a code review program might enable mentorship from senior developers. While application security remains a rampant problem, with the right tools, companies can continue building a culture that supports better overall product quality.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.