Cryptographic Software Flaws Extremely Common – Study

Inexperienced developers and complex software libraries create an environment in which business application failures are widespread. In cryptography the scale of the problem is significant: many subtle factors beyond writing strong code surround the proper implementation of a robust cryptographic system.

In 2014, Gartner reported $12 billion spent securing network perimeters. In contrast, only $0.6 billion was spent securing applications. There is an opportunity at the application layer to reduce risk, but the liabilities will remain until solutions are implemented. For hackers, those liabilities are opportunities.

The threat space continues to grow in size and sophistication and seemingly no industry is spared. Web application attacks remain one of the most frequent patterns in confirmed breaches and account for up to 35 percent of breaches in some industries according to the 2015 Verizon Data Breach Investigations Report. Yet we still see some organizations only assessing a small percentage of even their Internet-facing applications. – Chris Wysopal, Veracode CTO, CISO

Patient Health Information at Greatest Risk

Across all industries, Veracode ranked healthcare as the most vulnerable to cryptographic software flaws. Across all security issues, government, healthcare and financial services performed the worst, while technology, manufacturing and retail/hospitality scored the best.

Cryptographic Software Flaws Study

The effect of a programming language on security varies. Higher-level languages such as Java or .NET may completely eliminate some classes of issue found in system-level languages such as C/C++. Among the higher-risk industries, .NET languages were used the most; among the more securely rated industries, Java was most prevalent. Mitigating cryptographic software flaws relies more on implementation and process than on language-specific quirks.


Over 200,000 application assessments were analyzed across an 18-month period. Company size and software designation (commercial, open source, etc.) were disregarded. Each application was counted once, even where it possessed multiple security flaws. Veracode subjected the applications to static analysis, dynamic analysis or manual penetration testing.

Veracode also tracked the number of remediations industries carried out to correct problems identified through its analysis. Manufacturing and finance fixed the highest share of vulnerabilities, 81% and 65% respectively, while government organizations lagged behind at 27%.
