A new report from Veracode, reveals that of 10,000 applications tested only 16% received a passing security grade on their first attempt.
The report compiles the results of eighteen months of automated and manual testing on 9,900 applications said Sam King, Veracode’s Senior Vice President of Marketing.
SQL injection and cross site scripting vulnerabilities were among the most commonly used holes exploited by groups such as Anonymous and LulzSec in the last year, King noted. In just one attack in April, dubbed “Lizamoon,” thousands of websites around the globe were targeted with SQL injection attacks that redirected visitors to a rogue anti-virus (AV) site. Indeed, many security experts consider SQL injection attacks to be an “epidemic.”
Veracode found 40% of government Web sites were found to contain SQL injection vulnerabilities on their first scan, compared with 29% of Web sites for financial-sector firms and 30% of software vertical sites. Overall, the prevalence of SQL injection holes declined from the same period six months ago, Veracode found, though that wasn’t the case with government sites.
The story was even more grim with cross site scripting vulnerabilities. Seventy five percent of the government Web sites Veracode tested had cross site scripting holes on their first try. Finance sites faired only slightly better: 67% contained at least one cross site scripting hole and 55% of software industry Web sites.