/dec 15, 2020

State of Software Security v11: The Most Common Security Flaws in Apps

By Hope Goslin

For our annual State of Software Security report, we always look at the most common types of security flaws found in applications. It’s important to look at the various types of flaws present in applications so that application security (AppSec) teams can make decisions about how to address and fix flaws. For example, high-severity flaws, like those listed in OWASP Top 10 or SANS 25, or highly prevalent flaws can be detrimental to an application.

Injection flaws make up the first item in the OWASP Top 10 Web Application Security Risks. By looking back at our list of common security flaws over the past decade, you’ll notice that injection flaws are always listed. This year’s report shows that CRLF injection was found in more than 65 percent of applications with a flaw, and SQL injection was among the top 10 list of most common flaws found. Since these flaws are high-severity and present in a large portion of applications, AppSec teams should prioritize fixing these flaws.

Flaw types

But CRLF injection flaws are not the only security flaws to keep an eye on. As you’ll see in Figure 3 from the State of Software report volume 11, information leakage and cryptographic issues are also highly prevalent, each found in almost two out of three applications with flaws. And these three flaws – CRLF injection, information leakage, and cryptographic issues – have remained the top security flaws, in this same order, for a few years. In fact, the top 10 most common security flaws have remained fairly consistent over the past 10 years.

Luckily, there are proven methods for preventing and fixing the most common security flaws. For example, you can prevent CRLF injection flaws by properly encoding output in HTTP headers or logging entries that are otherwise visible to administrators and users. And you can prevent SQL injection flaws by implementing parameterized queries.  

But given the fact that the same flaws keep appearing year-over-year, it’s evident that developer security training is needed. Developers can’t fix or prevent flaws if they don’t have the necessary skills or tools. At Veracode, we offer Veracode Security Labs community edition to give developers free, real-world practice securing OWASP Top 10 vulnerabilities. Once developers have secure-code training, we encourage them to take proactive steps to avoid common security flaws.

To learn more about the top 10 security flaws, including how prevalent they are in applications, languages most affected, and ways to fix the flaws, check out our Vulnerability Hall of Fame webpage.

Related Posts

By Hope Goslin

Hope is part of the content team at Veracode, based in Burlington, MA. In this role, she focuses on creating engaging AppSec content for the security community.