Some 96 per cent of tested apps have an average of 14 vulnerabilities, according to research carried out by US application security intelligence provider Cenzic.
Cenzic’s Application Security Trends Report 2014 found that there were flaws in 96 per cent of tested applications – an improvement on the 99 per cent figure it found in 2013.
This was down to improvements in patch deployment and secure coding practices, it said.
However, the median number of vulnerabilities per application – 14 – is greater than it was the previous year (13). Cenzic suggested that this was because of the emergence of bring your own device (BYOD), cloud services and mobile applications and the “continued failure of organisations to detect and address exploits around information leakage, authentication and authorization, and session management”, which has kept vulnerabilities nearly ubiquitous.
Other key findings include: privacy violations and excessive privileges appearing in over 80 per cent of mobile applications, an increasing incidence of vulnerabilities in applications shared with third parties, and vulnerable apps leaking information.
“Around 23 per cent of vulnerabilities were related to information leakage, in which an application inappropriately discloses sensitive data, such as technical details of the application or user-specific data,” the report said.
A quarter of vulnerabilities were related to cross-site scripting (XSS), whereby an application allows attackers to send malicious scripts by relaying the script from an otherwise trusted URL.
Authentication or authorisation flaws made up 15 per cent of vulnerabilities, and session management errors accounted for 13 per cent.
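The cross-site scripting category described above is the reflected variant: a parameter from the request is echoed straight into the page, so the script arrives from a URL the browser already trusts. The following is an added illustration, not code from Cenzic or from the article, and every name, page and input in it is constructed for the example. It shows the flaw beside its fix (output encoding for the HTML body context) and a crude check a reviewer could run over a response to see whether request markup survives unchanged.

```javascript
// Added example (not from the Cenzic report or the article): a minimal model of a
// reflected XSS flaw and its hardened form. All names and inputs are constructed.

// HTML-encode a value for insertion into element content or a quoted attribute.
// These five characters are the ones that can change meaning in that context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the untrusted "q" parameter is concatenated directly into the page,
// so any markup in the request is rendered by the browser as part of the trusted site.
function renderSearchVulnerable(q) {
  return `<h1>Results for ${q}</h1>`;
}

// Hardened: identical page, but the value is encoded for the HTML body context
// before it reaches the response. The browser then displays the text literally.
function renderSearchSafe(q) {
  return `<h1>Results for ${escapeHtml(q)}</h1>`;
}

// Simple detection check: if a request parameter contains a tag-like sequence and
// the response still contains that exact string, the parameter was reflected unencoded.
// A scanner or WAF does essentially this comparison with many more variants.
function reflectsMarkup(requestValue, responseBody) {
  const looksLikeMarkup = /<[a-zA-Z!\/]/.test(requestValue);
  return looksLikeMarkup && responseBody.includes(requestValue);
}

// Constructed input: the classic harmless probe used in every XSS tutorial.
const probe = '<script>alert(1)</script>';

// Stand-alone demonstration of both handlers on the same input.
console.log('vulnerable:', renderSearchVulnerable(probe));
console.log('reflected unencoded:', reflectsMarkup(probe, renderSearchVulnerable(probe)));
console.log('hardened:  ', renderSearchSafe(probe));
console.log('reflected unencoded:', reflectsMarkup(probe, renderSearchSafe(probe)));
```

Note that `escapeHtml` is correct only for the HTML body and quoted-attribute contexts; a value placed inside a `<script>` block, a URL, or a CSS property needs the encoding appropriate to that context, which is why framework templating with automatic, context-aware escaping is preferable to hand-rolled helpers.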
“In the three years that we have compiled this study, the frequency of application vulnerabilities discovered has remained consistently, astoundingly high,” said Bala Venkat, chief marketing officer at Cenzic.
“While some improvements in the development process have been made, other newer areas of vulnerability have emerged. It’s a graphic illustration of the gigantic game of whack-a-mole that enterprises and software developers are playing – and a clear message that it’s time to rethink the way we develop and test our applications,” he said.
Cenzic advises enterprises to implement safe coding practices, use web application firewalls (WAFs) and ensure proper server configurations in order to secure their applications.
Venkat emphasised that software developers and enterprises need to stop thinking of vulnerability scanning as a one-time project.
“Applications development and security teams must get together and implement a plan for continuous proactive monitoring of vulnerabilities, rather than the traditional, annual quality assessment,” he said.