More than half the applications used by enterprises contain vulnerabilities that could be used to launch cyberattacks similar to those suffered by Google earlier this year, according to code-testing company Veracode.
That is one of the key findings of a report published on Friday by Veracode, which analysed thousands of applications and over 50 billion lines of code over the past few months. The study looked at hundreds of internally developed, open-source, outsourced and commercial applications.
This analysis found that 58 percent of software submitted to Veracode for testing is susceptible to application layer attacks similar to those that breached Google's firewall. When measured against Veracode's most stringent criteria, which increases in severity depending on how critical the application is to a business, 88 percent of software failed to get an acceptable score.
The study also found that open-source software is as secure as commercial or outsourced software, and has quicker remediation times and fewer potential backdoors.
"I wouldn't say open-source software has good security: no source of software is good. There is no claim to greatness," Roger Oberg, senior vice president of marketing at Veracode, told ZDNet UK on Tuesday. "What challenges conventional wisdom on open source is that it's no more risky than commercial software."
Open-source applications took on average 36 days from first submission to reach an acceptable security score, while internally developed applications took 48 days, and commercial applications 82 days.
Veracode is not surprised by these findings given the complexity of development efforts at enterprises, Oberg said.
The most common vulnerability was cross-site scripting, the company found. "It's so clear that the speed in which you can remediate them [vulnerabilities] and the commonality of them begs for a verification stage in the software development lifecycle or in the acceptance of third-party code," Oberg said.
There were striking differences in levels of application security between vertical sectors. The financial and government sectors, which are subject to extensive compliance legislation, scored best. The least-secure applications are used at software companies themselves, the testing company found.
"No industry was secure, but it was surprising that companies that depend on selling the software didn't do as well," Oberg said.
Veracode's analysis was based on web and non-web applications, multiple parts of the software supply chain and multiple programming languages. The company used dynamic, static and manual testing in its analysis.
