Veracode released its annual State of Software Security Report, which includes research on software vulnerability trends as well as predictions on how these flaws could be exploited if left unaddressed and what this may mean for organizations’ security professionals.
Research suggests there will be a rise in everyday hackers. A simple Google search for “SQL injection hack” provides 1.74 million results, including videos with explicit instructions on how to exploit SQL injection vulnerabilities.
The ready availability of this information makes it possible for less technically skilled hackers to take advantage of this common flaw.
Although SQL injection flaws are easy to identify and fix, Veracode found that 32 percent of web applications are still affected by SQL injection vulnerabilities. As a result, as many as 30 percent of breaches in 2013 will be from SQL injection attacks.
“Despite significant improvements in awareness of the importance of securing software, we are not seeing the dramatic decreases in exploitable coding flaws that should be expected,” said Chris Eng, vice president of research, Veracode.
“For each customer, development team or application that has become more secure, there are an equal number that have not. Veracode’s 2013 State of Software Security Research Report provides organizations with ways to reduce the success of potential attacks on company infrastructure by understanding the threat to the application layer and outlines the implications of these trends if organizations continue on their current paths,” Eng added.
The research also concluded that the leading cause of security breaches and data loss for organizations is insecure software. The report found that 70 percent of software failed to comply with enterprise security policies on its first submission for security testing.
This indicates that though there have been improvements in organizations fixing flaws within their existing applications, the demand for rapid development means new vulnerabilities are constantly being introduced into their software portfolio.
“The amount of risk an organization accepts should be a strategic business decision – not the aftermath of a particular development project,” said Chris Wysopal, co-founder and CTO, Veracode. “The time for organizations to act is now. My hope is that readers will use this research to estimate their current application risk, and then consider how they can act to improve the security posture of their organization by addressing the applications that are currently in development and/or production.”
Veracode also predicts:
- Average CISO tenure will continue to decline.
- A decrease in job satisfaction and higher turnover for security professionals.
- Default encryption, not “opt-in,” will become the norm for mobile applications.
The complete report is available here (registration required).