Thursday, February 9, 2023

A worrying amount of apps found to have high-severity security flaws


A worrying number of commonly used apps have high-severity security flaws, especially those used by companies in the technology sector, new research has found.

A report from Veracode, analyzing 20 million scans across half a million applications in the technology, manufacturing, retail, financial services, healthcare, and government sectors, found that 24% of apps in the technology sector carry high-severity flaws.

The sector also has the second-highest proportion of applications with security flaws of any severity (79%), behind only the public sector (82%).

Fixing the flaws

Among the most common types of vulnerabilities are server configuration issues, insecure dependencies, and information leakage, the report further states, noting that these findings "broadly follow" the same pattern as other industries. However, the sector shows the largest deviation from the industry average for cryptographic issues and information leakage, which led the researchers to speculate that developers in the tech industry may be more attuned to data protection challenges.

When it comes to the number of fixed issues, the tech sector sits somewhere in the middle. The companies are relatively fast to address the problems, though: it takes them up to 363 days to fix 50% of the flaws. While this is better than the average, there is still plenty of room for improvement, Veracode added.

For Chris Eng, Chief Research Officer at Veracode, it is not just about discovering the flaws; it is also about reducing the number of flaws introduced into the code in the first place. Furthermore, he believes businesses need to focus more on security testing automation.

“Log4j sparked a wake-up call for many organizations last December. This was followed by government action in the form of guidance from the Office of Management and Budget (OMB) and the European Cyber Resilience Act, both of which have a supply chain focus,” said Eng. “To improve performance in the year ahead, technology businesses should not only consider strategies that help developers reduce the rate of flaws introduced into code, but also put greater emphasis on automating security testing in the Continuous Integration/Continuous Delivery (CI/CD) pipeline to increase efficiencies.”
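One concrete form the CI/CD automation Eng describes can take is a severity gate: the pipeline runs whatever scanner the team uses, and a small step reads the scanner's report and blocks the merge or deploy when a high-severity finding is present. The script below is an added illustration, not code from Veracode or from the article. It reads SARIF 2.1.0, the interchange format most static-analysis and dependency scanners can emit, and uses the per-rule `security-severity` score that scanners attach to rule definitions. The 7.0 threshold (the start of the CVSS v3 "High" band) and the embedded sample report are assumptions constructed for the example.

```python
"""CI gate that fails a pipeline when a scanner reports high-severity findings.

Added example, not from the Veracode report or the article. It reads a SARIF 2.1.0
file and maps each finding to the CVSS-style "security-severity" score carried on
the scanner's rule definitions. The threshold and sample report are constructed.
"""
import json
import sys

HIGH_THRESHOLD = 7.0   # assumption: CVSS v3 "High" starts at 7.0; tune per policy


def rule_severities(run):
    """Return {rule_id: security-severity as float} from one SARIF run's tool driver."""
    sev = {}
    for rule in run.get("tool", {}).get("driver", {}).get("rules", []):
        raw = rule.get("properties", {}).get("security-severity")
        if raw is not None:
            try:
                sev[rule["id"]] = float(raw)
            except ValueError:
                pass  # malformed score: treat the rule as unscored
    return sev


def collect_findings(sarif):
    """Flatten all results across runs into (rule_id, severity, path, line) tuples.

    Results whose rule has no score get severity None: they are reported but do not
    trip the gate. Failing closed on unscored findings is the stricter alternative.
    """
    findings = []
    for run in sarif.get("runs", []):
        scores = rule_severities(run)
        for res in run.get("results", []):
            rule_id = res.get("ruleId", "unknown")
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            path = loc.get("artifactLocation", {}).get("uri", "?")
            line = loc.get("region", {}).get("startLine")
            findings.append((rule_id, scores.get(rule_id), path, line))
    return findings


def gate(sarif, threshold=HIGH_THRESHOLD):
    """Return (passed, high_findings); passed is False if any finding scores >= threshold."""
    high = [f for f in collect_findings(sarif) if f[1] is not None and f[1] >= threshold]
    return (len(high) == 0, high)


# Constructed sample report: one high-severity, one medium, and one unscored finding.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner", "rules": [
            {"id": "insecure-deserialization", "properties": {"security-severity": "8.1"}},
            {"id": "info-leak-stacktrace", "properties": {"security-severity": "5.3"}},
        ]}},
        "results": [
            {"ruleId": "insecure-deserialization", "level": "error",
             "message": {"text": "Untrusted data passed to deserializer"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/load.py"},
                                                 "region": {"startLine": 42}}}]},
            {"ruleId": "info-leak-stacktrace", "level": "warning",
             "message": {"text": "Stack trace returned to client"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/errors.py"},
                                                 "region": {"startLine": 17}}}]},
            {"ruleId": "style-unused-import", "level": "note",
             "message": {"text": "Unused import"}},
        ],
    }],
}

if __name__ == "__main__":
    # Usage in CI: python sarif_gate.py results.sarif  (a non-zero exit blocks the stage)
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SARIF
    passed, high = gate(report)
    for rule_id, score, path, line in high:
        print(f"HIGH {score}: {rule_id} at {path}:{line}")
    sys.exit(0 if passed else 1)
```

Run as a pipeline step after the scanner, the script exits non-zero on the sample report because of the 8.1-scored deserialization finding, while the 5.3 information-leak finding is listed but does not block. Keeping the threshold in one place makes the policy reviewable, and the unscored-finding behaviour is the decision a team should make explicitly rather than inherit from the script.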

Cybercriminals often analyze the internet-facing apps used by businesses for vulnerabilities and flaws in the code. When they find one, they often use it to deploy web shells, which subsequently give them access to the company network and endpoints. After mapping out the network and identifying all of the devices and data, they can launch the second stage of the attack, which is often ransomware, other malware, or data wipers.
