84% of Applications Have Security Holes – Government at Most Risk

A new report from Veracode, reveals that of 10,000 applications tested only 16% received a passing security grade on their first attempt.

The report compiles the results of eighteen months of automated and manual testing on 9,900 applications said Sam King, Veracode’s Senior Vice President of Marketing.

SQL injection and cross site scripting vulnerabilities were among the most commonly used holes exploited by groups such as Anonymous and LulzSec in the last year, King noted. In just one attack in April, dubbed “Lizamoon,” thousands of websites around the globe were targeted with SQL injection attacks that redirected visitors to a rogue anti-virus (AV) site. Indeed, many security experts consider SQL injection attacks to be an “epidemic.”

Veracode found 40% of government Web sites were found to contain SQL injection vulnerabilities on their first scan, compared with 29% of Web sites for financial-sector firms and 30% of software vertical sites. Overall, the prevalence of SQL injection holes declined from the same period six months ago, Veracode found, though that wasn’t the case with government sites.

The story was even more grim with cross site scripting vulnerabilities. Seventy five percent of the government Web sites Veracode tested had cross site scripting holes on their first try. Finance sites faired only slightly better: 67% contained at least one cross site scripting hole and 55% of software industry Web sites.

Bim Parmar

Bim oversees all aspects of global marketing including corporate communications, product marketing, demand generation, and the company’s presence on the Web. He has over 16 years of experience in Enterprise and Security software working at McAfee Security and Business Objects.