
HPE study finds app security lacking; weak SSL tops list of critical flaws


HPE Cyber Risk Report 2016

A software security analysis conducted between October 2014 and October 2015 revealed that 35 percent of approximately 7,000 web/desktop software applications and 75 percent of over 450 mobile apps contained a critical or high-severity vulnerability.

These findings, detailed in Hewlett Packard Enterprise's (HPE) just-released Cyber Risk Report 2016, were derived from HPE's annual Software Security Taxonomy research, which provides a snapshot of the state of application security over the previous year.

According to the report, the most commonly spotted critical vulnerabilities in both mobile and non-mobile apps were related to insecure data transport, including weak Secure Sockets Layer (SSL) protocols. Of the software studied, 25 percent of web/desktop apps had a critical SSL weakness and 30 percent of mobile apps had a critical flaw pertaining to insecure transport.

SSL technology secures data in motion by generating an encrypted link between a web server and browser. “It's likely that many applications continue to use weak SSL protocols and ciphers for backward compatibility purposes, but it's still a dangerous choice,” the report reads.

Jewel Timpe, senior manager, security research communications at HPE in Palo Alto, Calif., explained to SCMagazine.com that a lack of strong computer language skills, combined with a demand to build apps quickly, is a key reason many developers take SSL shortcuts. “There are all these tools where you can literally put [software] pieces together like a puzzle to create an app and you don't have to be well-versed in the languages of computer science,” she said. Consequently, developers “don't understand how to implement [SSL] properly, or the criticality of it, and so we end up with a lot more vulnerabilities.”
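The two failure modes the report describes, weak protocol versions and cipher suites kept for backward compatibility, and developers who do not know how to set up SSL/TLS correctly, can both be checked for in code. The following Python example is added here and is not from the HPE report or from SC Media: it audits a client `ssl.SSLContext` for the usual shortcuts (verification off, hostname check off, minimum version below TLS 1.2), classifies negotiated protocol/cipher pairs such as a handshake log might record them, and shows a hardened context beside the legacy one. The lists of weak protocol names and cipher markers are an assumed audit policy, not a list taken from the report.

```python
import ssl

# Protocol versions treated as "weak SSL" for this audit: everything below
# TLS 1.2 (assumed policy, not a list from the report).
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings of OpenSSL cipher names that mark obsolete or unauthenticated
# suites (assumed policy).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ADH", "AECDH")


def classify_transport(protocol: str, cipher: str) -> list:
    """Findings for one negotiated (protocol, cipher) pair, for example from
    a log of completed handshakes. An empty list means nothing to flag."""
    findings = []
    if protocol in WEAK_PROTOCOLS:
        findings.append(f"weak protocol {protocol}")
    upper = cipher.upper()
    for marker in WEAK_CIPHER_MARKERS:
        if marker in upper:
            findings.append(f"weak cipher {cipher} ({marker})")
            break
    return findings


def audit_context(ctx: ssl.SSLContext) -> list:
    """Findings for a client SSLContext as configured in application code."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    # MINIMUM_SUPPORTED (no explicit floor) compares below TLSv1_2 and is
    # flagged too: "whatever OpenSSL allows" is not an explicit policy.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum version below TLS 1.2")
    return findings


def hardened_client_context() -> ssl.SSLContext:
    """Client context with verified certificates, hostname checking, TLS 1.2
    as the floor and, for TLS 1.2, only forward-secret AEAD cipher suites."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """The backward-compatibility shortcut the report warns about: connects
    to anything and verifies nothing. Present only as the audit's bad case."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    # Constructed sample of negotiated sessions, not data from the report.
    sessions = [
        ("TLSv1", "RC4-SHA"),
        ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
        ("TLSv1.3", "TLS_AES_256_GCM_SHA384"),
    ]
    for proto, cipher in sessions:
        print(proto, cipher, classify_transport(proto, cipher) or "ok")
    print("hardened context:", audit_context(hardened_client_context()) or "ok")
    print("legacy context:", audit_context(legacy_client_context()))
```

`set_ciphers` governs TLS 1.2 and earlier only; TLS 1.3 suites are fixed by the library, which is why the audit treats the protocol floor and the cipher list as separate checks.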

For web/desktop apps, the most common non-critical (albeit still troublesome) security issue was external system information leaks (50 percent of studied apps suffered a non-critical leak), while for mobile apps the most common non-critical issue was internal system information leaks (83 percent).

“We already know how to write secure software. We've been doing it on the traditional computing side for more than a decade,” said Timpe — and yet many app developers still don't cover the basics of security. “It's a problem that we've already solved but it's still hurting us.”


Bradley Barth
