The US government sector is markedly worse than private industry at eliminating a range of common but serious flaws from software code, an analysis of real applications submitted for review to testing company Veracode has found.
The company found that 75 percent of government applications (including federal, state and local government) suffered from potentially serious cross-site scripting (XSS) flaws, considerably above the 67 percent for finance and 55 percent for the software industry itself.
Earlier this year, Veracode started offering a free service to hunt down XSS flaws in a single Java-based app.
Another significant issue, SQL injection, was also high at 40 percent of tested applications, again above the 30 percent for finance and 29 percent for software. Only on information leakage from applications was government roughly as poor as the finance and software industries, with a prevalence of 66 percent.
SQL injection and XSS flaws matter in the real world. The report quotes the Web hacking database, which cites SQL injection as being connected to 20 percent of all hacking incidents, including high-profile breaches such as that suffered by Sony earlier this year. XSS, meanwhile, ranks in the top three in terms of its seriousness in real attacks.
Government application code was found to comprise a mixture of .NET, Java, and ColdFusion, in that order of prevalence, with the latter reflecting the sector's heavy bias toward web applications.
ColdFusion was a particular source for XSS issues, caused, the researchers say, by the lower experience levels of programmers using the language.
“Essentially the percentage of affected web Government applications has not changed over the past two years for cross-site scripting, SQL Injection, and information leakage vulnerabilities,” the report notes.
“This [the incidence] is discouraging because of all the attention that has been devoted to these three high visibility and wide-spread vulnerabilities,” say Veracode’s researchers.
When it comes to remediation (the time it takes to fix issues once discovered), government does better, with 80 percent of flaws reaching a reasonable state within a week, compared to 71 percent for finance and 76 percent for software.
Veracode’s State of Software Security volume 4 (registration) derived its statistics from 9,910 application builds submitted for analysis by a range of organisations. The report also looked at a range of other application and industry sectors.
Veracode is not the only company offering code review; HP bought rival outfit Fortify Software in 2010.