Safe Coding and Software Security Infographic
The need for secure application coding is greater than ever! This Veracode infographic represents anonymized data from billions of lines of code submitted for analysis by large enterprises, commercial software providers, open source projects, and software outsourcers in Veracode’s cloud-based application risk management services platform.
Add this Infographic to Your Website for FREE!
Small Version
Large Version
Infographic by Veracode Application Security
As 2011 proved to be the year of the hack, the need for secure application coding is even greater than ever. Application security requirements are heightening in the wake of critical application breaches, meaning knowledge and training must rise to ensure safe coding.
What’s the Big Deal?
Previously, attackers used application vulnerabilities to cause embarrassment and disruption. But now these attackers are exploiting vulnerabilities to steal data and much more:
- IP Theft
- Modifying victims’ websites to deploy malware to website visitors
- Taking over high-value accounts
- Breaching organization perimeters
Are Applications Really That Unsafe?
Over 8 out of 10 applications failed to pass OWASP Top 10 when first tested.
More than half of all developers received a grade of C or lower on a basic application security assessment.
Top 5 Application Vulnerabilities
| Category | Percentage of Hacks | Web Applications Affected |
| SQL Injection | 20% | 32% |
| XSS | 10% | 68% |
| Information Leakage | 3% | 66% |
| Cryptographic Issues | 2% | 53% |
| OS Command Injection | 1% | 9% |
While other flaws such as XSS account for a higher volume of findings, SQL injection accounts for 20 percent of hacks.
Where Are Vulnerabilities Found?
Top 3 Vulnerabilities by Language
| Java | ColdFusion | C/C++ | .NET | PHP | Android | Java ME |
| Cross-site Scripting (XSS) 56% | XSS (87%) | Error Handling (26%) | XSS (47%) | XSS (75%) | Cryptographic Issues (44%) | Cryptographic Issues (58%) |
| CRLF Injection (16%) | SQL Injection (8%) | Buffer Overflow (20%) | Information Leakage (18%) | Directory Traversal (10%) | CRLF Injection (28%) | Information Leakage (38%) |
| Information Leakage (10%) | Directory/Traversal/Information Leakage/CRLF Injection (1%) {Tied} | Buffer Mgmt Errors (18%) | Cryptographic Issues (10%) | SQL Injection (7%) | Information Leakage (10%) | Directory Traversal (3%) |
Top Vulnerabilities by Supplier
| Internally Developed | Commercial | Open Source | Outsourced |
| Cross-site Scripting (XSS)(58%) | XSS (44%) | XSS (41%) | CRLF Injection (47%) |
| CRLF Injection (12%) | Information Leakage (11%) | Directory Traversal (13%) | XSS (28%) |
| Information Leakage (10%) | CRLF Injection (8%) | Information Leakage (13%) | Information Leakage/Encapulation(6%) {Tied} |
Developer Performance on First Submission
| Supplier Type | Acceptable | Not Acceptable |
| Internally Developed | 17% | 83% |
| Commercial | 12% | 88% |
| Open Source | 12% | 88% |
| Outsourced | 7% | 93% |
| Overall | 16% | 84% |
Even Your Androids Aren’t Safe
| Flaw | Category | Applications Affected (%) |
| Cryptographic Issues | Insufficient Entropy | 61% |
| Cryptographic Issues | Use of Hard-coded Cryptographic Key | 42% |
| Information Leakage | Information Exposure Through Sent Data | 39% |
| Information Leakage | Information Exposure Through Error Message | 6% |
In Java applications, this is usually due to the use of the statistical random number generator (RNG) rather than the cryptographic RNG. This common mistake can be fixed with a SINGLE LINE OF CODE.
What Are Your Partners Giving You?
60 percent of third-party software performance failed against Enterprise Policy.
How Easy Is It To Get Safe?
| Supplier Type | 0-1 Week | 2-3 Weeks | 3-4 Weeks | 4+ Weeks |
| Internally Developed | 82% | 3% | 3% | 12% |
| Commercial | 79% | 3% | 7% | 11% |
| Open Source | 98% | - | - | 2% |
| Outsourced | 100% | - | - | |
| Overall | 82% | 3% | 4% | 11% |
82 percent of flaws can be fixed in a week or less.
How Can You Stay Safe?
- Continue to scan your applications: Building secure software or requiring it from your suppliers does not have to be time consuming.
- Get Training/Education: Measure your knowledge of application security fundamentals and take Application Security Training sessions.
- Ask application suppliers to prove the security of their apps: Get your suppliers to scan their code and write security approval language into contracts.
While there is not a statistical direct correlation between application security knowledge and application security, there is a strong association. Training seems to pay off – invest in it.
Veracode Security Guides
Data Security Resources
Veracode Security Solutions
Vulnerability Assessment Tools
Web Vulnerability Scanner
Apple iOS Security
Website Security
Mobile Phone Security
Online Internet Security
Facebook Security Issues
SDLC Phases
SQL Injection Attack
Android Application Security
Subscribe by RSS
