
A concerning number of applications have been found to have serious security flaws

New study shows that a disturbing number of popular applications, notably those used by businesses in the technology industry, have serious security problems.

According to a survey by Veracode, which analysed 20 million scans across 500,000 applications in the technology, manufacturing, retail, financial services, healthcare, and government sectors, 24% of apps in the technology sector include high-severity defects.

That’s the second-worst percentage of insecure apps behind the public sector (82%).

Resolving the problems

The paper adds that server configuration, insecure dependencies, and information leakage are among the most frequent types of vulnerabilities, and that these findings “broadly follow” the trend seen in other sectors. However, the technology industry as a whole shows the largest discrepancy when it comes to cryptography problems and data leakage, prompting experts to ask whether developers in the technology industry are more attuned to data protection concerns.

The number of problems resolved in the IT industry is around average. However, businesses in the sector often react quickly to issues: on average, they take 363 days to fix 50% of the problems. Veracode said that while this is better than the norm, there is still room for improvement.

Chris Eng, Veracode’s Chief Research Officer, believes that it’s important not just to find vulnerabilities in software, but also to minimise the number of vulnerabilities that are created during development. Even more importantly, he thinks that companies should invest heavily in automated security testing.

A lot of companies got a rude awakening in December because of Log4j. Later, “government action” came in the shape of supply chain-focused directives from the Office of Management and Budget (OMB) and the European Cyber Resilience Act, said Eng. It has been suggested that, in order to boost productivity in the coming year, tech companies should focus more on automating security testing in the Continuous Integration/Continuous Delivery (CI/CD) pipeline and on implementing strategies that help developers reduce the rate at which bugs are introduced into code.

Internet-facing business applications are a common target for hackers looking for security holes. When they find one, they usually use it to deploy web shells that give them access to the rest of the company’s network and any endpoints connected to it. The second phase of an attack, after the attackers have mapped the network and identified all of the devices and data, often involves the deployment of ransomware, malware, or data wipers.