Your Applications Are Not Safe

By Nicholas Jackson

After testing more than 2,900 applications, Veracode, Inc., a Massachusetts-based risk management and Internet security company, found that more than half of them didn't meet "acceptable levels of security," according to a report released as part of the Gartner Security and Risk Management Summit held in London on Wednesday.

The results were based on tests done to a wide variety of applications that were submitted over the past 18 months to the company's cloud-based platform.

"In the past six months alone there have been multiple new zero-day vulnerabilities ... that reinforce concerns about unknown weaknesses lurking in everyday software," reads the press release that accompanies the report, "State of Software Security Report: Volume 2." Zero-day vulnerabilities refer to holes in the software that could be exploited by an attacker or virus on the same day that they become generally known. Without any time to respond, the developer is unable to distribute a fix.

The report also found that more than half of the submitted applications failed even when they lowered the security bar.

According to the report, eight out of every ten applications tested by the company would fail a different test, the PCI audit, too. That worldwide standard for peripheral devices was developed by the PCI Security Standards Council to spot potential problems with credit card fraud and protect consumers.

The only bright spot in the entire report is a note that security flaws are being identified and patched quicker than ever. Still, it takes an average of 16 days for organizations to repair the flaws in their applications, leaving customers vulnerable in the meantime.

This article available online at:

http://www.theatlantic.com/technology/archive/2010/09/your-applications-are-not-safe/63409/