{"id":1747,"date":"2013-04-15T12:09:40","date_gmt":"2013-04-15T16:09:40","guid":{"rendered":"http:\/\/blog.nccomputertech.com\/?p=1747"},"modified":"2013-04-15T12:09:40","modified_gmt":"2013-04-15T16:09:40","slug":"common-security-flaws-leave-applications-open-to-amateur-hackers-security-report-says","status":"publish","type":"post","link":"https:\/\/nccomputertech.com\/techtalk\/2013\/04\/15\/common-security-flaws-leave-applications-open-to-amateur-hackers-security-report-says\/","title":{"rendered":"Common security flaws leave applications open to amateur hackers, security report says"},"content":{"rendered":"<p style=\"text-align:center;\"><a href=\"http:\/\/www.pcworld.com\/article\/2034470\/common-security-flaws-leave-applications-open-to-amateur-hackers-security-report-says.html\"><img decoding=\"async\" alt=\"\" src=\"http:\/\/nccomputertech.files.wordpress.com\/2013\/04\/security-100026749-gallery.jpg\" \/><\/a><\/p>\n<p>The software industry&#8217;s inability to reduce the number of security flaws in its code is fueling an age of the &#8220;everyday hacker,&#8221; criminals who can exploit vulnerabilities with a minimum of technical skill, security testing firm Veracode&#8217;s latest State of Software Security (SoSS) report suggests.<br \/>\nOf the 22,430 applications submitted to the firm&#8217;s code analysis service in the 18-month period ending June 2012, only 13 percent of web applications passed a check against the OWASP Top 10 list of security problems.<br \/>\nWhen it came to standalone applications, only 31 percent complied with the separate CWE\/SANS Top 25, a significant decrease from the compliance rate in the previous SoSS report, which Veracode attributed to a broader sample of companies using the service.<br \/>\nNevertheless, the percentage of applications containing common but serious flaws such as SQL injection remained static at 32 percent, with cross-site scripting also stubbornly entrenched at 67 percent.<br \/>\nIn short, these 
failure rates underscore that weak and insecure software development lifecycles are still an issue years after the industry was supposed to have started fixing the problem. Data breaches were an inevitable consequence.<\/p>\n<p style=\"text-align:center;\"><a href=\"http:\/\/www.pcworld.com\/article\/2034470\/common-security-flaws-leave-applications-open-to-amateur-hackers-security-report-says.html\"><img decoding=\"async\" alt=\"\" src=\"http:\/\/nccomputertech.files.wordpress.com\/2013\/04\/mobile_security_fcc-100018591-large.jpg\" \/><\/a><\/p>\n<p>Expect SQL injection attacks<br \/>\nBecause the industry has failed to eradicate issues such as SQL injection, non-technical attackers can hunt them down and exploit them, which Veracode said also augured badly for the industry.<br \/>\nThe company predicts that around one in three data breaches during 2013 will be caused by SQL injection alone, one of the easiest flaw classes for &#8220;everyday hackers&#8221; to target.<br \/>\n&#8220;The pessimist remains very concerned that we are not seeing the dramatic decreases in exploitable coding flaws that I expect to see with each passing year,&#8221; said Veracode&#8217;s co-founder and CTO, Chris Wysopal, in his introduction to the report.<br \/>\n&#8220;It&#8217;s as if for each customer, development team, or application that has become more secure, there are an equal number or more that do not,&#8221; he added. &#8220;Put more bluntly, we must figure out a way to code more securely simply to keep up with attacks from the most basic attacker.&#8221;<br \/>\nThe effect of SDL failures on security professionals and CISOs is open to some debate, although Veracode claims that the average tenure in such roles could now be as low as 18 months. Is this an effect of data breaches, and therefore of code insecurity? 
That&#8217;s not clear.<br \/>\nvia <a href=\"http:\/\/www.pcworld.com\/article\/2034470\/common-security-flaws-leave-applications-open-to-amateur-hackers-security-report-says.html\" target=\"_blank\">Common security flaws leave applications open to amateur hackers, security report says | PCWorld<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The software industry&#8217;s inability to reduce the number of security flaws in its code is fueling an age of the [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"jetpack_post_was_ever_published":false},"categories":[7,9],"tags":[453,1018],"class_list":["post-1747","post","type-post","status-publish","format-standard","hentry","category-security","category-software","tag-hackers","tag-sql-injection"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/papNkV-sb","jetpack-related-posts":[{"id":6071,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/07\/30\/privacy-focused-tails-os-compromised-how-to-stay-safe-until-its-patched\/","url_meta":{"origin":1747,"position":0},"title":"Privacy-focused Tails OS compromised: How to stay safe until it&#8217;s patched","author":"NCCT","date":"July 30, 2014","format":false,"excerpt":"Vulnerabilities in the Tails operating system could reveal your IP address, but you can avoid trouble by taking a couple of precautions. 
Tails, a portable operating system that employs a host of privacy-focused components, plans to patch flaws contained in I2P, a networking tool developed by the Invisible Internet Project\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":8767,"url":"https:\/\/nccomputertech.com\/techtalk\/2015\/12\/07\/security-vulnerabilities-found-in-support-software-from-lenovo-toshiba-and-dell\/","url_meta":{"origin":1747,"position":1},"title":"Security vulnerabilities found in support software from Lenovo, Toshiba, and Dell","author":"NCCT","date":"December 7, 2015","format":false,"excerpt":"By Lucian Constantin | PCWorld The number of vulnerabilities discovered in technical support applications installed on PCs by manufacturers keeps piling up. New exploits have been published for flaws in Lenovo Solution Center, Toshiba Service Station and Dell System Detect.The most serious flaws appear to be in Lenovo Solution Center\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":5710,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/06\/10\/microsoft-pushes-out-massive-security-update-for-internet-explorer\/","url_meta":{"origin":1747,"position":2},"title":"Microsoft pushes out massive security update for Internet Explorer","author":"NCCT","date":"June 10, 2014","format":false,"excerpt":"Microsoft pushes out massive security update for Internet Explorer Six down, six to go. Today is the Microsoft Patch Tuesday for June, and it comes with seven new security bulletins. 
The good news is that five of the seven are only rated as Important, but one of the two Critical\u2026","rel":"","context":"In &quot;Microsoft&quot;","block_context":{"text":"Microsoft","link":"https:\/\/nccomputertech.com\/techtalk\/category\/microsoft\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":7685,"url":"https:\/\/nccomputertech.com\/techtalk\/2015\/02\/27\/hackers-impersonating-it-staff-popular-tactic-in-data-breaches-fireeye-finds\/","url_meta":{"origin":1747,"position":3},"title":"Hackers impersonating IT staff popular tactic in data breaches, FireEye finds","author":"NCCT","date":"February 27, 2015","format":false,"excerpt":"Fresh FireEye research suggests that today's cyberattackers are becoming smarter about the systems they seek to break, and are commonly using impersonation and social engineering to tap into the most common weakness in the security chain -- employees. Within FireEye's sixth annual M-trends report, which tracks the threat landscape and\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":6649,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/10\/16\/security-firm-discovers-windows-zero-day-claims-russian-hackers-used-it-to-target-nato-ukraine\/","url_meta":{"origin":1747,"position":4},"title":"Security firm discovers Windows zero-day, claims Russian hackers used it to target NATO, Ukraine","author":"NCCT","date":"October 16, 2014","format":false,"excerpt":"A Russian hacking group has been exploiting a security flaw in Microsoft Windows to spy on NATO, the Ukrainian government, the European Union, an American academic organization, and companies in telecommunications and energy sectors, according to cyber intelligence firm iSight Partners. 
The group, which has been active since at least\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":8385,"url":"https:\/\/nccomputertech.com\/techtalk\/2015\/06\/04\/security-breaches-a-monthly-headache-for-firms-deliberate-targeting-on-the-rise-cost-of-cleaning-up-doubles\/","url_meta":{"origin":1747,"position":5},"title":"Security breaches a monthly headache for firms, deliberate targeting on the rise, cost of cleaning up doubles","author":"NCCT","date":"June 4, 2015","format":false,"excerpt":"Image: Wessel du Plooy\/iStock A growing number of companies are being subjected to increasingly sophisticated attacks on their systems, as the cost of recovering from these assaults continues to rocket. According to the 2015 Information Security Breaches Survey report commissioned by the UK government, 90 percent of large organisations reported\u2026","rel":"","context":"In 
&quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/1747","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/comments?post=1747"}],"version-history":[{"count":0,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/1747\/revisions"}],"wp:attachment":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/media?parent=1747"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/categories?post=1747"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/tags?post=1747"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}