06 January 2012

State of Software Security Report Volume 4

Veracode has previously published significant data about software security in volumes 1, 2 and 3 of their State of Software Security Report.

Cover page from Volume 4 of Veracode's State of Software Security Report - The Intractable Problem of Insecure Software

In Volume 4 of the State of Software Security Report, additional analysis has been possible due to the larger data set available. In this volume emphasis is given to the analysis of the (primarily US?) governmental sector, as well as more data on the effect of developer training and education on software security. On this, Veracode reports that a "high level of application security knowledge also delivered higher security quality applications". That's encouraging, since developer training is one of the first areas where effort should be expended in creating a secure software development lifecycle programme.

One of the other interesting conclusions was the potentially fast turnaround for remediation and re-testing to solve problems, suggesting that "development agility and application security are not mutually exclusive".

Cross-site scripting continues to be the most prevalent vulnerability overall — there was an interesting discussion last week about what this means in terms of business impact on the Web Application Security - From the Start blog.

Volume 4 also includes some initial results on static code analysis of Android applications. If you are developing mobile applications, do read the OWASP Mobile Security Project's Top 10 Mobile Controls and Design Principles.

Posted on: 06 January 2012 at 21:17 hrs


http://www.clerkendweller.com/2012/1/6/State-of-Software-Security-Report-Volume-4
© 2012-2013 clerkendweller.com