88 Percent of Java Apps Susceptible to Widespread Attacks from Known Security Defects, According to New Research from CA Veracode
Study Finds That Less Than 28 Percent of Organizations are Actively Monitoring the Components That Could Lead to Security Breaches
Singapore – 1 November, 2017 – Veracode, Inc., a leader in securing the world’s software, acquired by CA Technologies (NASDAQ:CA), has announced findings from the 2017 State of Software Security Report, a comprehensive review of application security testing data from scans conducted by CA Veracode’s base of more than 1,400 customers. Among other industry trends, such as vulnerability fix rates and the percentage of applications with vulnerabilities, the report exposes the pervasive risk from vulnerable open source components. The CA Veracode report found that 88 percent of Java applications contain at least one vulnerable component, making them susceptible to widespread attacks. This is in part because fewer than 28 percent of companies conduct regular composition analysis to understand which components are built into their applications.
“The universal use of components in application development means that when a single vulnerability in a single component is disclosed, that vulnerability now has the potential to impact thousands of applications – making many of them breachable with a single exploit,” said Lim Teng Sherng, vice president, Security, Asia Pacific & Japan, CA Technologies.
Over the past 12 months, several high-profile breaches in Java applications were caused by widespread vulnerabilities in open source or commercial components. One example of a widespread component vulnerability was the “Struts-Shock” flaw disclosed in March 2017. According to the analysis, 68 percent of Java applications using the Apache Struts 2 library were using a vulnerable version of the component in the weeks following the initial attacks.
This critical vulnerability in the Apache Struts 2 library enabled remote code execution (RCE) attacks using command injection, to which as many as 35 million sites were vulnerable. Using this pervasive vulnerability, cybercriminals were able to exploit a range of victims’ applications, most notably those of the Canada Revenue Agency and the University of Delaware.
The 2017 State of Software Security Report also shows that approximately 53.3 percent of Java applications rely on a vulnerable version of the Commons Collections component. Even today, there are just as many applications using the vulnerable version as there were in 2016. The use of components in application development is common practice as it allows developers to reuse functional code – speeding up the delivery of software. Studies show that up to 75 percent of a typical application’s code is made up of open source components.
Lim continued, “development teams aren’t going to stop using components – nor should they. But when an exploit becomes available, time is of the essence. Open source and third-party components aren’t necessarily less secure than code you develop in-house, but keeping an up-to-date inventory of what versions of a component you are using. We’ve now seen quite a few breaches as a result of vulnerable components and unless companies start taking this threat more seriously, and using tools to monitor component usage, I predict the problem will intensify.”
The use of vulnerable components is amongst the troubling application security trends examined in the State of Software Security Report. For example, CA Veracode’s SoSS Report findings show that while many organizations prioritize fixing the most dangerous vulnerabilities, some still face challenges efficiently remediating software issues. Even the most severe flaws require significant time to fix (only 22 percent of very high severity flaws were patched in 30 days or less), while most attackers are leveraging vulnerabilities within days of discovery. Hackers and nation-state organizations are thus given ample time to potentially infiltrate an enterprise network.
In addition to information regarding the threat posed by the use of vulnerable components, the 2017 State of Software Security Report also found:
· Vulnerabilities continue to crop up in previously untested software at alarming rates: 77 percent of apps have at least one vulnerability on initial scan.
· Government organizations continue to underperform those in other industries. Not only did they have a 24.7 percent pass rate at latest scan, they also had the highest prevalence of highly exploitable vulnerabilities like cross-site scripting (49 percent) and SQL injection (32 percent).
· Comparatively, between first and last scan, critical infrastructure had the strongest OWASP pass rate (29.8 percent) across all industries studied, though it saw a slight decline in pass rate (29.5 percent) on last scan. Two industries showing slight improvements between first and last scan include healthcare (27.6 percent vs. 30.2 percent) and retail & hospitality (26.2 percent vs. 28.5 percent).
To download the full 2017 State of Software Security report, please click here. To view the infographic, please click here.
Methodology
Data for the eighth volume of CA Veracode’s State of Software Security 2017 is derived from scans conducted by CA Veracode’s base of 1,400+ customers and was drawn from code-level analysis of nearly 250 billion lines of code across 400,000 assessments performed during the 12-month period from April 1, 2016 to March 31, 2017. The findings represent the application security industry’s most comprehensive review of application testing data.
About CA Veracode
CA Veracode enables the secure development and deployment of the software that powers the application economy. With its combination of automation, process and speed, CA Veracode becomes a seamless part of the software lifecycle, eliminating the friction that arises when security is detached from the development and deployment process. As a result, enterprises are able to fully realize the advantages of DevOps environments while ensuring secure code is synonymous with high-quality code.
CA Veracode serves more than 1,400 customers worldwide across a wide range of industries. The CA Veracode Platform has assessed more than 6 trillion lines of code and helped companies fix more than 27 million security flaws.
Copyright © 2017 CA Veracode, Inc. All rights reserved. All other brand names, product names, or trademarks belong to their respective holders.