We have plenty of industry-provided reports that tell us what happened in the past. The annual Verizon Data Breach Investigations Report is due out any day, providing data on breaches investigated by that company’s incident response professionals, as well as information from law enforcement agencies around the world. And, with the first quarter gone, it’s safe to assume that similar reports will follow from Symantec and others.
But what about the threats for 2013? That’s where Veracode’s State of Software Security (SoSS) report comes in. Released to the public today, SoSS documents the kinds of software vulnerabilities that company found during 2012. And, where there are vulnerabilities, there will be attacks, Veracode CTO Chris Wysopal says.
So what’s on tap for 2013? SQL injection attacks are likely to be one of the main attack types against web-based applications this year, as they were last year, Veracode says. That’s because SQL injection vulnerabilities are so common – affecting around one-third of all the applications Veracode tested in 2012. The company said that SQL injection is likely to remain a top tool for cyber criminals and other online attackers. Moreover, SQL injection is moving “down market,” with simple-to-use tools and tutorials putting it within reach of even novice hackers. Veracode predicts that around one third of breaches in 2013 will have links to a successful SQL injection attack.
As was the case last year, cross-site scripting attacks and hacks that abuse shoddy cryptographic implementations will be common again in 2013, Veracode reported. Vulnerabilities of those types are common across platforms including Java, .NET, PHP and others.
Veracode said it has seen some progress on security in some areas. The percentage of applications with SQL injection vulnerabilities, for example, has declined six percentage points, from 38% in the first quarter of 2011 to 32% in the second quarter of 2012.
However, the overall trends for application security are flat. Though easy to spot and remediate, XSS and SQL injection flaws continue to be a significant challenge and will be difficult to eradicate, Veracode said, as more and more web-based applications come online and come under scrutiny.
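To show why a SQL injection flaw is easy to spot and to remediate, here is an added example in Python (not code from the report or from Veracode) using the standard-library sqlite3 module against a constructed in-memory table: the string-concatenated query lets user input change the meaning of the statement, the parameterised version treats the same input as plain data, and a crude source-scan heuristic flags the concatenation pattern that reviewers look for.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data for the demonstration; not from the report.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # Input is spliced into the SQL text, so quotes in 'name' become SQL grammar.
    sql = "SELECT id, name FROM users WHERE name = '" + name + "' ORDER BY id"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # Parameterised query: the driver binds 'name' as a value, never as SQL.
    sql = "SELECT id, name FROM users WHERE name = ? ORDER BY id"
    return conn.execute(sql, (name,)).fetchall()


# Crude code-review heuristic: a SQL keyword in a string literal that is then
# concatenated with '+'. Cheap to grep for, which is why these flaws are "easy to spot".
CONCAT_PATTERN = re.compile(r"(SELECT|INSERT|UPDATE|DELETE)[^;]*[\"']\s*\+")


def flags_concatenation(source_line):
    return bool(CONCAT_PATTERN.search(source_line))


if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"          # input that closes the quote and adds a clause
    print(lookup_vulnerable(db, tautology))  # every row: the WHERE clause was rewritten
    print(lookup_safe(db, tautology))        # []: no user has that literal name
```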
Frequent web application changes and agile development techniques drive more new and updated web applications online with increasing frequency, Veracode said. With enterprise web application portfolios changing from week to week, those portfolios see a constant influx of new vulnerabilities.
The solution – more secure coding practices – also requires time, pain and sacrifice on the part of application publishers.
“Until secure coding techniques go from being recommended best practices to standard web application development practices, CISOs will struggle with maintaining constant vigilance over the website portfolios having a constant stream of new vulnerabilities,” Veracode said.