Gov Web apps expose themselves to common attacks, study finds

The most commonly exploited security holes in Web applications are more common on government websites than on those in other sectors, according to the latest survey by application security provider Veracode.

Vulnerabilities to cross-site scripting (XSS) and SQL injection, which have played a part in high-profile attacks from hacker groups such as Anonymous, affected a higher percentage of government sites than the other industry sectors tested, Veracode reports in its semiannual State of Software Security Report, which suggests that inexperienced developers could be one reason for the problem.

XSS issues affected 75 percent of government — federal, state and local — applications, compared with 67 percent for the finance sector and 55 percent for the software sector (the other two sectors tested), according to the report.

SQL injection vulnerabilities were found in 40 percent of government apps, compared with 29 percent for finance apps and 30 percent for software. While the incidence of SQL injection was declining in other sectors, it was holding steady in government.

One reason for the higher exposure to XSS attacks is that a higher percentage of government applications are built using the Adobe ColdFusion development platform, according to the report. ColdFusion was found in 25 percent of government apps, but only 2 percent of apps overall.

“ColdFusion has a higher incidence of XSS issues as compared to other platforms,” the report states. “ColdFusion also tends to be used by less experienced developers for creating Web applications with greater ease. These developers are also less likely to be experienced in secure coding practices.”

Veracode recommends that government organizations “double down” on security staff training and make use of automated testing for vulnerabilities.

On the bright side, government was slightly better at fixing vulnerabilities quickly, remediating problems within one week 80 percent of the time, compared with 76 percent for finance and 71 percent for software.

Veracode performed automated and manual tests on 9,910 applications over 18 months in producing the survey. Overall, it found that only 16 percent of Web applications passed its security tests on the first try.

In its previous report in April, which tested a set of 4,835 applications, 42 percent of applications passed, although the drop is mostly due to stricter testing rules, company officials told ThreatPost.

For the first time, Veracode also specifically tested Android applications, reflecting the growing popularity of Google’s mobile platform. Although Android apps made up only 1 percent of its test sample, “we found that mobile developers tend to make the same mistakes as enterprise developers,” the report states.

One problem involves hard-coded cryptographic keys, found in more than 40 percent of the Android apps tested. Encryption itself is not the problem; the problem is that a key embedded in the app ships with every installed copy, so once an attacker extracts it from one copy, the data it protects in every other copy is exposed as well. “Android applications are easy to decompile, making it trivial for an attacker to extract and publicize hard-coded keys,” the report says.

“Mobile applications are inherently more exposed than web applications because a motivated attacker can start reverse-engineering simply by copying the executable off their phone,” the report continues. “With that in mind, information embedded into the application — including cryptographic keys — should never be considered secret.”
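The report's point about hard-coded keys is easy to demonstrate on the defender's side: once an APK has been run through a decompiler such as jadx or apktool, finding embedded AES keys is a matter of pattern matching. The script below is an added example, not Veracode's tooling or code from the report; it scans a constructed stand-in for decompiled Java source (the `DECOMPILED_SOURCE` string is invented for this illustration, not taken from any real app) and reports three common ways keys end up in the binary: a literal `byte[]` initializer of AES key length, a string literal passed straight to `SecretKeySpec(...getBytes())`, and a Base64 string constant that decodes to a key-sized value.

```python
"""Find candidate hard-coded symmetric keys in decompiled Android (Java) source.

Added example for this article, not Veracode's or any vendor's tool. The input
below is a constructed sample of what a decompiler produces, not a real app.
"""
import base64
import binascii
import re

# Constructed decompiled-source sample (hypothetical class and values).
DECOMPILED_SOURCE = r'''
package com.example.app.crypto;

public class CryptoHelper {
    private static final byte[] KEY = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
        (byte) 0x88, (byte) 0x99, (byte) 0xaa, (byte) 0xbb, (byte) 0xcc, (byte) 0xdd, (byte) 0xee, (byte) 0xff};
    private static final String SECRET = "MDEyMzQ1Njc4OWFiY2RlZg==";
    private static final String APP_NAME = "Example";

    SecretKeySpec spec1() { return new SecretKeySpec(KEY, "AES"); }
    SecretKeySpec spec2() { return new SecretKeySpec("p@ssw0rd12345678".getBytes(), "AES"); }
    SecretKeySpec spec3() { return new SecretKeySpec(Base64.decode(SECRET, 0), "AES"); }
}
'''

# AES-128/192/256 key lengths in bytes; anything of these sizes is suspicious.
AES_KEY_SIZES = {16, 24, 32}

# Java byte-array initializer:  byte[] NAME = { ... };
BYTE_ARRAY_RE = re.compile(r'byte\[\]\s+(\w+)\s*=\s*\{([^}]*)\}')
# String literal fed directly into a key spec:  new SecretKeySpec("...".getBytes()
KEYSPEC_RE = re.compile(r'SecretKeySpec\s*\(\s*"([^"]+)"\.getBytes\(')
# Base64-looking string literal, optionally bound to a named constant.
B64_LITERAL_RE = re.compile(r'(?:String\s+(\w+)\s*=\s*)?"([A-Za-z0-9+/=]{16,})"')


def parse_java_bytes(body):
    """Turn the text inside a Java byte-array initializer into bytes.

    Handles hex/decimal literals and the '(byte) 0x88' casts decompilers emit.
    """
    out = bytearray()
    for tok in body.split(','):
        tok = re.sub(r'\(\s*byte\s*\)', '', tok).strip()
        if tok:
            out.append(int(tok, 0) & 0xFF)
    return bytes(out)


def find_hardcoded_keys(source):
    """Return findings sorted by line: kind, symbol name, key (hex), line."""
    def line_of(pos):
        return source.count('\n', 0, pos) + 1

    findings = []
    for m in BYTE_ARRAY_RE.finditer(source):
        key = parse_java_bytes(m.group(2))
        if len(key) in AES_KEY_SIZES:
            findings.append({'kind': 'byte-array', 'name': m.group(1),
                             'key': key.hex(), 'line': line_of(m.start())})
    for m in KEYSPEC_RE.finditer(source):
        key = m.group(1).encode()
        if len(key) in AES_KEY_SIZES:
            findings.append({'kind': 'string-literal', 'name': None,
                             'key': key.hex(), 'line': line_of(m.start())})
    for m in B64_LITERAL_RE.finditer(source):
        try:
            raw = base64.b64decode(m.group(2), validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid Base64, so not a packed key
        if len(raw) in AES_KEY_SIZES:
            findings.append({'kind': 'base64-literal', 'name': m.group(1),
                             'key': raw.hex(), 'line': line_of(m.start())})
    return sorted(findings, key=lambda f: f['line'])


if __name__ == '__main__':
    for f in find_hardcoded_keys(DECOMPILED_SOURCE):
        print(f"line {f['line']:>3}  {f['kind']:<15} {f['name'] or '-':<10} key={f['key']}")
```

Run against the sample it reports all three keys with their exact bytes, which is the whole point: nothing the scanner does requires more than the APK and a decompiler, so an attacker can do the same. The remedy the report implies is not a better hiding place but not shipping the key at all: generate it on the device (for instance via the platform keystore) or derive it from a secret the user supplies, and treat anything compiled into the app as public.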

About the Author

Kevin McCaney is editor of Defense Systems. Follow him on Twitter: @KevinMcCaney.

Reader Comments

Thu, Dec 8, 2011 John Menkart Bethesda MD

HP Fortify has both a source code and dynamic testing capability that can not only identify these problems but integrates with developer IDEs. This allows not only identification of the issues (like Veracode's less robust Internet-based capabilities) but more rapid and complete resolution of the issues by the developers. We have been working closely with the Govt and Commercial customers to close the holes.
