March 7, 2012

Safe Coding and Software Security Infographic

By Niru Raghavan

The need for secure application coding is greater than ever. This Veracode infographic represents anonymized data from billions of lines of code submitted for analysis by large enterprises, commercial software providers, open source projects, and software outsourcers to Veracode’s cloud-based application risk management services platform.

As 2011 proved to be the year of the hack, the need for secure application coding is greater than ever. Application security requirements are rising in the wake of critical application breaches, so developer knowledge and training must rise with them to ensure safe coding.

What’s the Big Deal?

Previously, attackers used application vulnerabilities to cause embarrassment and disruption. But now these attackers are exploiting vulnerabilities to steal data and much more:

  • IP Theft
  • Modifying victims’ websites to deploy malware to website visitors
  • Taking over high-value accounts
  • Breaching organization perimeters

Are Applications Really That Unsafe?

Over 8 out of 10 applications failed to pass the OWASP Top 10 when first tested. More than half of all developers received a grade of C or lower on a basic application security assessment.

Top 5 Application Vulnerabilities

Category                 Percentage of hacks   Web applications affected
SQL Injection            20%                   32%
XSS                      10%                   68%
Information Leakage       3%                   66%
Cryptographic Issues      2%                   53%
OS Command Injection      1%                    9%

While other flaws such as XSS account for a higher volume of findings, SQL injection accounts for 20 percent of hacks.

Where Are Vulnerabilities Found?

Top 3 Vulnerabilities by Language

Java:        Cross-site Scripting (XSS) (56%), CRLF Injection (16%), Information Leakage (10%)
ColdFusion:  XSS (87%), SQL Injection (8%), Directory Traversal / Information Leakage / CRLF Injection (1%, tied)
C/C++:       Error Handling (26%), Buffer Overflow (20%), Buffer Management Errors (18%)
.NET:        XSS (47%), Information Leakage (18%), Cryptographic Issues (10%)
PHP:         XSS (75%), Directory Traversal (10%), SQL Injection (7%)
Android:     Cryptographic Issues (44%), CRLF Injection (28%), Information Leakage (10%)
Java ME:     Cryptographic Issues (58%), Information Leakage (38%), Directory Traversal (3%)

Top Vulnerabilities by Supplier

Internally Developed:  Cross-site Scripting (XSS) (58%), CRLF Injection (12%), Information Leakage (10%)
Commercial:            XSS (44%), Information Leakage (11%), CRLF Injection (8%)
Open Source:           XSS (41%), Directory Traversal (13%), Information Leakage (13%)
Outsourced:            CRLF Injection (47%), XSS (28%), Information Leakage / Encapsulation (6%, tied)

Developer Performance on First Submission

Supplier Type          Acceptable   Not Acceptable
Internally Developed   17%          83%
Commercial             12%          88%
Open Source            12%          88%
Outsourced              7%          93%
Overall                16%          84%

Even Your Androids Aren't Safe

Flaw Category          Flaw                                          Applications affected
Cryptographic Issues   Insufficient Entropy                          61%
Cryptographic Issues   Use of Hard-coded Cryptographic Key           42%
Information Leakage    Information Exposure Through Sent Data        39%
Information Leakage    Information Exposure Through Error Message     6%

In Java applications, insufficient entropy is usually due to the use of the statistical random number generator (RNG) rather than the cryptographic RNG. This common mistake can be fixed with a SINGLE LINE OF CODE.
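The one-line fix referred to above, as an added illustration that is not part of the infographic: a hypothetical token generator written first with the statistical RNG (java.util.Random) and then with the cryptographic RNG (java.security.SecureRandom). The class, method names and seed value are constructed for this example.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

/**
 * Hypothetical token generator showing the "insufficient entropy" flaw from the
 * Android table and its fix. Not from the infographic or from Veracode.
 */
public final class TokenGenerator {

    // WEAK: java.util.Random is a 48-bit linear congruential generator. Its output is
    // completely determined by the seed, and the no-arg constructor seeds it from a
    // value derived from System.nanoTime(), so anyone who learns or guesses the seed
    // can reproduce every "random" token it ever produced.
    static byte[] weakToken(long seed) {
        byte[] token = new byte[16];
        new Random(seed).nextBytes(token);
        return token;
    }

    // FIXED: the single-line change. SecureRandom draws from the platform's
    // cryptographic RNG, so session tokens, IVs and keys built from it are
    // unpredictable even to someone who knows when they were generated.
    static byte[] secureToken() {
        byte[] token = new byte[16];
        new SecureRandom().nextBytes(token);
        return token;
    }

    public static void main(String[] args) {
        Base64.Encoder b64 = Base64.getEncoder();

        // Two Random instances with the same seed emit byte-identical tokens,
        // which is exactly what a static scanner flags as insufficient entropy.
        long constructedSeed = 1331078400000L; // a millisecond timestamp, constructed
        String a = b64.encodeToString(weakToken(constructedSeed));
        String b = b64.encodeToString(weakToken(constructedSeed));
        System.out.println("java.util.Random, same seed twice -> identical: " + a.equals(b));

        // SecureRandom instances share no state; successive tokens differ.
        String c = b64.encodeToString(secureToken());
        String d = b64.encodeToString(secureToken());
        System.out.println("SecureRandom, two tokens identical: " + c.equals(d));
    }
}
```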

What Are Your Partners Giving You?

60 percent of third-party software failed to meet enterprise policy.

How Easy Is It To Get Safe?

Supplier Type          0-1 Week   2-3 Weeks   3-4 Weeks   4+ Weeks
Internally Developed   82%        3%          3%          12%
Commercial             79%        3%          7%          11%
Open Source            98%        -           -            2%
Outsourced            100%        -           -            -
Overall                82%        3%          4%          11%

82 percent of flaws can be fixed in a week or less.

How Can You Stay Safe?

  • Continue to scan your applications: Building secure software or requiring it from your suppliers does not have to be time consuming.
  • Get Training/Education: Measure your knowledge of application security fundamentals and take Application Security Training sessions.
  • Ask application suppliers to prove the security of their apps: Get your suppliers to scan their code and write security approval language into contracts.

While there is no direct statistical correlation between application security knowledge and application security, there is a strong association. Training seems to pay off - invest in it.

By Niru Raghavan

Niru Raghavan joined the Veracode team in late 2011 as an Acquisition Marketing Manager. In this role, Niru is responsible for demand generation and program management, primarily for online marketing programs. Prior to joining Veracode, Niru held positions of increasing responsibility at Liberty Mutual and Staples, successfully planning and implementing sophisticated online and offline marketing initiatives. She has managed product development efforts, launch activities and online marketing programs geared toward mid- to large-sized businesses in select vertical markets. Her specialties include product marketing, marketing strategy, and market research/analysis. She is also a keen web analytics enthusiast, and Occam’s Razor by Avinash Kaushik is her all-time favorite blog.