
88 per cent of Java apps susceptible to widespread attacks from known security defects, according to new research from CA Veracode

Announcement posted by CA Technologies 02 Nov 2017

Study finds that less than 28 per cent of organisations are actively monitoring the components that could lead to security breaches
SYDNEY – 2 November 2017 – Veracode, Inc., a leader in securing the world’s software and now part of CA Technologies (NASDAQ:CA), has announced findings from the 2017 State of Software Security Report, a comprehensive review of application security testing data from scans conducted by CA Veracode’s base of more than 1,400 customers. Alongside other industry trends such as vulnerability fix rates and the percentage of applications with vulnerabilities, the report exposes the pervasive risk from vulnerable open source components. The CA Veracode report found that 88 per cent of Java applications contain at least one vulnerable component, making them susceptible to widespread attacks. This is in part because fewer than 28 per cent of companies conduct regular software composition analysis to understand which components are built into their applications.
 
“The universal use of components in application development means that when a single vulnerability in a single component is disclosed, that vulnerability now has the potential to impact thousands of applications – making many of them breachable with a single exploit,” said Lim Teng Sherng, vice president, Security, Asia Pacific & Japan, CA Technologies.
 
Over the past 12 months, several high-profile breaches of Java applications were caused by widespread vulnerabilities in open source or commercial components. One example of a widespread component vulnerability was the “Struts-Shock” flaw in Apache Struts 2 (CVE-2017-5638), disclosed in March 2017. According to the analysis, 68 per cent of Java applications using the Apache Struts 2 library were still on a vulnerable version of the component in the weeks following the initial attacks.
 
This critical vulnerability in the Apache Struts 2 library enabled remote code execution (RCE): a crafted Content-Type header sent to the Jakarta Multipart parser was evaluated as an OGNL expression, letting an unauthenticated attacker run arbitrary commands on the server. As many as 35 million sites were reported to be vulnerable. Using this pervasive vulnerability, cybercriminals were able to exploit a range of victims’ applications, most notably the Canada Revenue Agency and the University of Delaware.
 
The 2017 State of Software Security Report also shows that 53.3 per cent of Java applications rely on a vulnerable version of the Apache Commons Collections library, the versions that contain the widely abused Java deserialization gadget. Even today, there are just as many applications using the vulnerable versions as there were in 2016. The use of components in application development is common practice as it allows developers to reuse functional code, speeding up the delivery of software. Studies show that up to 75 per cent of a typical application’s code is made up of open source components.
 
Lim continued, “Development teams aren’t going to stop using components – nor should they. But when an exploit becomes available, time is of the essence. Open source and third-party components aren’t necessarily less secure than code you develop in-house, but keeping an up-to-date inventory of what versions of a component you are using. We’ve now seen quite a few breaches as a result of vulnerable components and unless companies start taking this threat more seriously, and using tools to monitor component usage, I predict the problem will intensify.”
 
The use of vulnerable components is amongst the troubling application security trends examined in the State of Software Security Report. For example, CA Veracode’s SoSS Report findings show that while many organisations prioritise fixing the most dangerous vulnerabilities, some still face challenges in remediating software issues efficiently. Even the most severe flaws take significant time to fix (only 22 per cent of very high severity flaws were patched in 30 days or less), while attackers typically begin exploiting vulnerabilities within days of disclosure. Criminal hackers and nation-state groups are therefore given ample time to infiltrate an enterprise network.
 
In addition to information regarding the threat posed by the use of vulnerable components, the 2017 State of Software Security Report also found:
  • Vulnerabilities continue to crop up in previously untested software at alarming rates. 77 per cent of apps have at least one vulnerability on initial scan.
  • Government organisations continue to underperform those in other industries. Not only did they have a 24.7 per cent pass rate at latest scan, they also had the highest prevalence of highly exploitable vulnerabilities like cross-site scripting (49 per cent) and SQL injection (32 per cent).
  • Comparatively, between first and last scan, critical infrastructure had the strongest OWASP pass rate (29.8 per cent) across all industries studied, though it saw a slight decline in pass rate (29.5 per cent) on last scan. Two industries showing slight improvements between first and last scan include healthcare (27.6 per cent vs. 30.2 per cent) and retail & hospitality (26.2 per cent vs. 28.5 per cent). 
 
 
Methodology
Data for the eighth volume of CA Veracode’s State of Software Security report is derived from scans conducted by CA Veracode’s base of 1,400+ customers: code-level analysis of nearly 250 billion lines of code across 400,000 assessments performed during the 12-month period from 1 April 2016 to 31 March 2017. The findings represent the application security industry’s most comprehensive review of application testing data.
 
About CA Veracode
CA Veracode enables the secure development and deployment of the software that powers the application economy. With its combination of automation, process and speed, CA Veracode becomes a seamless part of the software lifecycle, eliminating the friction that arises when security is detached from the development and deployment process. As a result, enterprises are able to fully realise the advantages of DevOps environments while ensuring secure code is synonymous with high-quality code.
 
CA Veracode serves more than 1,400 customers worldwide across a wide range of industries. The CA Veracode Platform has assessed more than six trillion lines of code and helped companies fix more than 27 million security flaws.
 
Learn more at www.veracode.com, on the CA Veracode blog and on Twitter.
 
Copyright © 2017 CA Veracode, Inc. All rights reserved. All other brand names, product names, or trademarks belong to their respective holders.
 
Copyright © 2017 CA. All Rights Reserved. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.
 
Press Contact
Belinda Truong
H+K Strategies for CA Technologies
Tel: +61 2 9286 1243
belinda.truong@hkstrategies.com