New research shows that a worryingly large share of apps contain serious security flaws, particularly those used by technology companies.
Veracode analysed 20 million scans from half a million apps in technology, manufacturing and financial services. 24% of the technology sector’s apps have high-severity flaws, according to a report.
Overall, 79% of the sector's applications have some security flaw, the second-highest proportion of any industry, with only the public sector faring worse (82%).
Fixing the problems
Among the most common types of vulnerabilities are server configuration issues, insecure dependencies, and information leakage, the report further states, adding that these findings "broadly follow" the pattern seen in other industries. However, the sector shows the greatest disparity from the industry average on cryptographic issues and information leakage, which led the researchers to speculate that the tech industry is better at data protection than other sectors.
The tech sector sits somewhere in the middle when it comes to the number of issues it manages to fix. The companies resolve problems relatively quickly, although it can still take them up to 363 business days to fix half of the issues. While this is better than average, there is still plenty of room for improvement, Veracode added.
For Veracode's Chief Research Officer, Chris Eng, it is not just about discovering flaws but also about reducing the number of flaws introduced into the code in the first place. He believes that businesses should focus more on automating security testing.
“Log4j sparked a wake-up call for many organizations last December. This was followed by government action in the form of guidance from the Office of Management and Budget (OMB) and the European Cyber Resilience Act, both of which have a supply chain focus,” said Eng. “To improve performance in the year ahead, technology businesses should not only consider strategies that help developers reduce the rate of flaws introduced into code, but also put greater emphasis on automating security testing in the Continuous Integration/Continuous Delivery (CI/CD) pipeline to increase efficiencies.”
Cybercriminals often look for flaws in code and vulnerabilities in internet-facing apps. Once they find one, they frequently use it to deploy web shells that give them access to the company's network and endpoints. After mapping the network and identifying all devices and data, they are able to launch the second stage of the attack, which is often ransomware, malware or data wipers.