Outsourced apps a security minefield, study finds

But open source developers do well

Outsourced software is a hotspot for the sort of hidden security problems that leave applications vulnerable, an analysis by code testing outfit Veracode has warned.

The company's latest 'State of Software' analysis looked at nearly 3,000 applications submitted by third-parties for security code review, finding that 57 percent failed to meet acceptable levels for security-worthiness on first pass.

In terms of exposure to the OWASP (Open Web Application Security Project) Top 10 most critical web application flaws, only 40 per cent made the grade.

Drilling down by development sector, Veracode found that outsourced software code posed the biggest security risk, with a staggering 93 per cent of apps looked at failing to reach an acceptable standard on first assessment.

Although the numbers involved are small - the company only assessed around 30 outsourced apps out of a total of 2,922 - the issue of outsourced code vulnerability is not a new worry. In 2008, recently acquired rival Fortify Software found that outsourced code was a major area of unknown coding behaviour which could lead to problems.

Up to 76 per cent of internal code had elements of outsourced of third-party code within it, so some of the problem could be hidden within this sector.

"It indicates the amount of security testing and education that has gone on," said Veracode CTO, Chris Wysopal of outsourced app houses.

Open source meanwhile scored above other development sectors in terms of the OWASP Top 10 most critical web application flaws, with 49 per cent of open source apps passing this test on pass one, against 12 per cent of internally-developed apps, and only 7 per cent of commercially-developed apps.

For general security flaws, 58 per cent of open source apps failed on first inspection, roughly on par with the 54 per cent figure for internal apps, but better than the 66 per cent of commercial apps that failed at this stage.

In Wysopal's view, some of this differences between sectors might be explainable by the fact that the commercial apps submitted were more likely to be interactive apps inherently more prone to security problems.

Internal apps, by contrast, tended to be higher quality for a simple reason. "They [the development team] are going to run the code they write. They have a vested interest in security." Open source also did respectably because of the process of open code review that was inherent to its development model.

Once security issues had been identified, open source remediated the problems in an average of 12 days, internal software in 15 days, and commercial software in 19 days.

Fifty-two percent of the vulnerabilities that needed remediation in static analysis were found to be cross-site scripting related, with .NET showing an unusually high frequency of this issue. Java was another soft spot.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags securityVeracodeSME

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

John E Dunn

Techworld
Show Comments

Essentials

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?