Application security in a "grim state"

Application security is "in a grim state", according to new research. Almost half of application security vulnerabilities are readily exploitable through entirely preventable defects.
The typical ebusiness application is at serious risk of compromise because of security flaws introduced early in the design cycle, but these risks could easily be reduced by as much as 80 per cent, according to security firm @stake.

While analysing 45 popular ebusiness applications, @stake found a "grim" level of security and noted that not all applications are created equal.

The research found that "the best designed applications have one quarter as many security defects as the worst. As a result, these applications carry 80 per cent less business-adjusted risk than the least secure."

When contrasting the performers with regards to security, the six areas that differentiated the top performers from the bottom ones are: early design focus on user authentication and authorisation; mistrust of user input; end-to-end session encryption; safe data handling; elimination of administrator backdoors and default settings; and security quality assurance.

Dan Geer, @stake's chief technical officer, said: "Our research shows that the primary difference between the top and bottom performers is due to superior practices in designing, coding and deploying secure applications."

The company discovered that 47 per cent of applications suffer from readily exploitable security flaws that fall into nine common classes.

These are weaknesses in administrative interfaces; authentication/access control; configuration management; cryptographic algorithms; information gathering; input validation; parameter manipulation; sensitive data handling; and session management.

The most common application security mistake is a lack of adequate authentication and access control.

According to the firm, user session security remains the Achilles heel of most ebusiness applications because user input is trusted implicitly or relies on client-side validation, rather than having the server itself check for inappropriate data.

"Many companies treat security as 'penetrate and patch' rather than employing secure software engineering practices that would have produced a safer application from the start," said Andrew Jaquith, program director at @stake.

-----

source: www.vnunet.com

regards.

paul