BURLINGTON, Mass. – April 8, 2013 - Veracode, Inc., the leader in cloud-based application security testing, today released its annual State of Software Security Report (SoSS). The report includes the latest research on software vulnerability trends as well as predictions on how these flaws could be exploited if left unaddressed and what this may mean for organizations security professionals.
Among the predictions offered by Veracode, the research suggests there will be a rise in everyday hackers. A simple Google search for SQL injection hack provides 1.74 million results, including videos with explicit instructions on how to exploit SQL injection vulnerabilities. The ready availability of this information makes it possible for less technically skilled hackers to take advantage of this common flaw. Although SQL injection flaws are easy to identify and fix, Veracode found that 32 percent of web applications are still affected by SQL injection vulnerabilities. As a result, Veracode believes that as many as 30 percent of breaches in 2013 will be from SQL injection attacks.
Despite significant improvements in awareness of the importance of securing software, we are not seeing the dramatic decreases in exploitable coding flaws that should be expected,said Chris Eng, vice president of research, Veracode. For each customer, development team or application that has become more secure, there are an equal number that have not. Veracode's 2013 State of Software Security Research Report provides organizations with ways to reduce the success of potential attacks on company infrastructure by understanding the threat to the application layer and outlines the implications of these trends if organizations continue on their current paths.
The research also concluded that the leading cause of security breaches and data loss for organizations is insecure software. The report found that 70 percent of software failed to comply with enterprise security policies on their first submission for security testing. This indicates that though there have been improvements in organizations fixing flaws within their existing applications, the demand for rapid development means new vulnerabilities are constantly being introduced into their software portfolio.
The amount of risk an organization accepts should be a strategic business decision – not the aftermath of a particular development project, said Chris Wysopal, co-founder and CTO, Veracode. The time for organizations to act is now. My hope is that readers will use this research to estimate their current application risk, and then consider how they can act to improve the security posture of their organization by addressing the applications that are currently in development and/or production.
In addition to conclusions drawn about everyday hackers, Veracode also predicts:
- Average CISO tenure will continue to decline.
- A decrease injob satisfaction/higher turn-over for security professionals.
- Default encryption, not opt-in will become the norm for mobile applications.
Download the Report to learn of more research findings and predictions.