Application Security Research Update: 5 lessons for software teams

The number of reported software vulnerabilities skyrocketed last year. How do you deal with this explosion of vulnerabilities? That's up to both developers and application security specialists, but their success depends on the tools they use to catch errors before they cause vulnerabilities in production code, according to the newly released Application Security Research Update from Micro Focus' Software Security Research team.

This year's report, which analyzes trends in software vulnerabilities and research, found that implementing security features continues to open security holes, open-source components are a continuing source of vulnerabilities, and companies continue to have trouble preventing even the flaws on the OWASP Top 10.

Alexander Hoole, head of Software Security Research at Micro Focus, sums up one key takeaway from the report.

"We need to do a better job of educating developers globally about application security vulnerabilities, the underlying weaknesses, and how to prevent ourselves from creating them. Cross-site scripting continues to be in the top 10 of vulnerabilities. We have known about the issue for a long time, but we are still injecting those weaknesses into the code."
—Alexander Hoole

The report, which reviews an analysis by Micro Focus' Fortify on Demand Platform of a subset of some 7,800 web applications and 700 mobile applications, points to major trends such as the ubiquity of open-source components, concern over Europe's General Data Protection Regulation (GDPR), and the difficulty of deploying security features.

Here are five lessons from the Application Security Research Update 2018 for software development teams and application security specialists.

Application Security Research Update: The State of App Sec in 2018

1. App sec is a must-do for privacy

Companies have renewed their focus on privacy in the past 12 months, driven by the GDPR, which went into force on May 25. The regulation, passed in 2016, specifies that data collected on a person belongs to that person, not to the business collecting the data. Companies with operations in Europe are now responsible for handling and protecting data in accordance with the GDPR.

While many businesses have focused on data security, such as encrypting data and tokenization, application security is just as, if not more, important to securing the technology.

"Once you have identified sensitive data, is data security enough to make your application secure? No. One vulnerability can undermine any protection you've deployed to protect your sensitive data, so development teams need to pay attention to application security, not just data security."
—Alexander Hoole

The GDPR classifies a person's name, home address, email address, personal ID numbers, and location information as protected data. But unlike many other privacy regulations, it also includes Internet Protocol (IP) addresses, cookies, and advertising identifiers as protected data.

Several application vulnerabilities could cause violations of the GDPR, including access violations, insufficient data protection, and a variety of privacy violations. Companies should focus on key management. Unfortunately, that's difficult to implement correctly, according to the report.

"It is not too hard to create secure encryption schemes, but devising secure ways to implement key management is much, much harder," the report stated. "Anything that can go wrong with hardware or software can affect the security of key management."

2. Enterprises must go beyond OWASP

Companies intent on implementing secure development will often turn to the OWASP Top 10 list of critical security risks in software. In 2017, OWASP released the latest list, replacing the previous one, released in 2013.

The top three categories of the 2017 list are command injection vulnerabilities, broken authentication, and sensitive data exposure.

Companies need to treat the list as a starting point, not a goal. The OWASP Top 10 list includes a fraction of the more than 700 common software security weaknesses identified by MITRE Corp.'s Common Weakness Enumeration (CWE) framework, and the nearly 900 defined in the Fortify Taxonomy of Software Security Errors.

In its tests on behalf of clients, Micro Focus found that 49% of discovered vulnerabilities were not covered by the Top 10 list. Two common vulnerabilities—cross-site request forgery and unvalidated redirects—dropped from the list in 2017.

The report noted:

"The OWASP Top 10 is the bare minimum you need to avoid negligence—the bare minimum. We can tell developers 1,000 things not to do, and still not have told them everything, but developers need to build things, so we need to take a positive approach and tell them the most secure way of doing things."

3. Poor security implementation plagues firms

Developers continue to make mistakes in implementing security features, with 93% of tested applications having a vulnerability related to an application security feature, up from 91% in 2016, according to the Micro Focus report.

The most common flaws include inadvertently including passwords in the configuration file, using a weak SSL protocol or cipher, and using a hard-coded password. Static analysis tools are good at detecting these classes of vulnerabilities, but organizations need to search code sooner in the development process to catch issues earlier, said Micro Focus's Hoole.

"We know that companies are starting to use these tools more, and when you see these vulnerabilities being remediated faster, that is a positive first step. But the question is, can we get to the next step of not introducing the weaknesses in the first place?"
—Alexander Hoole

Security features make up one of the Seven Pernicious Kingdoms, a taxonomy of software vulnerabilities affecting security. The seven kingdoms often include an eighth group, environment, that accounts for everything outside the application. In the report, environmental issues were the second most significant source of vulnerabilities in software, with 81% of applications having a vulnerability related to the environment in 2017, up from 76% in 2016.

4. Beware of leaky apps

Data handling continues to be a major problem for application developers. A review of specific classes of application vulnerabilities found that external system information leaks were the most common issue found in web applications, affecting 58% of all software. Failing to send cookies over SSL and not setting HTTP Strict Transport Security (HSTS), the policy that forces browsers to use secure connections, were the second and third most common errors in web-facing software.
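The two transport errors ranked second and third above are easy to check for in any captured response. The following audit is an added example, not code from the report or from Micro Focus; the HTTP response it inspects is a constructed sample, and the one-year HSTS minimum is an assumption of the example.

```python
"""Audit an HTTPS response for cookies sent without the Secure attribute
and for a missing or weak Strict-Transport-Security (HSTS) policy.
Added illustration; the sample response is constructed for this example."""
import re

# Constructed sample: one cookie lacks Secure, one lacks HttpOnly, no HSTS.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: theme=dark; Path=/; Secure; SameSite=Lax\r\n"
    "\r\n"
    "<html></html>"
)

MIN_HSTS_AGE = 31536000  # one year in seconds (assumed policy minimum)


def parse_headers(raw):
    """Return (name, value) pairs; repeated headers such as Set-Cookie are kept."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_response(raw):
    """Return a list of finding strings; an empty list means the checks passed."""
    findings = []
    headers = parse_headers(raw)
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0]
        # Attribute names follow the first "name=value" pair, separated by ';'.
        attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie '{cookie_name}' lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie '{cookie_name}' lacks HttpOnly")
    hsts = [v for n, v in headers if n == "strict-transport-security"]
    if not hsts:
        findings.append("missing Strict-Transport-Security header")
    else:
        m = re.search(r"max-age=(\d+)", hsts[0], re.I)
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            findings.append("Strict-Transport-Security max-age below one year")
    return findings
```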

Andrew van der Stock, senior principal consultant at Synopsys, said people don't handle data correctly.

"They don't think about data classification, the first step in any privacy analysis. And they rarely, if ever, encrypt that data, the bare minimum they should be doing."
—Andrew van der Stock

In mobile applications, internal system leaks affected 66% of all applications. While internal leaks might appear to be less serious, allowing one application on a mobile device to collect data from other applications is a critical privacy issue, said Micro Focus's Hoole.

"Just because an application has a system information leak that's internal does not mean that something cannot get out. You are running multiple apps, so if there is common storage, something can get at that storage."
—Alexander Hoole

In addition to internal leakage, mobile applications' No. 2 and No. 3 issues are insecure storage that does not protect data, and weak cryptographic hashing, respectively, according to the report.

5. Dependencies need better management

Open-source components have become a ubiquitous part of application development. In 2017, all applications tested by Micro Focus had at least one open-source component, up from 83% the previous year. Almost 300 external libraries were used—more than 1,200 if each version is counted separately—and included at least 434 vulnerabilities reported in 2017.

The most popular libraries include three from the Apache Commons—BeanUtils, FileUpload, and HTTPClient—as well as Jackson Databind and WebMVC, from the Spring framework. At least one quarter of all tested applications included one of those libraries.

The ubiquity of open-source components should convince companies to regularly scan their software to discern which components are being used, said Synopsys's van der Stock. "It is not just about open-source, but all dependencies—if you use WebSphere, those components need to be managed as well," he said. "I heartily recommend a software composition analysis. It should break the build if there is a vulnerable component."
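A break-the-build gate of the kind van der Stock recommends can be as simple as matching the dependency manifest against an advisory feed and returning a non-zero exit code on any hit. This is an added example, not Micro Focus or Synopsys code; the manifest entries, library names and advisory records are constructed placeholders, not real vulnerability data.

```python
"""Minimal software-composition-analysis gate: compare a dependency manifest
against an advisory feed and fail the build when a vulnerable component is
present. Added example; all names, versions and advisory ids are constructed."""
import sys

# Constructed manifest: (artifact, version) pairs as a build tool would list them.
MANIFEST = [
    ("acme-fileupload", "1.3.2"),
    ("acme-httpclient", "4.5.6"),
    ("acme-beanutils", "1.9.4"),
]

# Constructed advisory feed: artifact -> [(advisory id, first fixed version)].
# Any installed version lower than the first fixed version is treated as affected.
ADVISORIES = {
    "acme-fileupload": [("ADV-EXAMPLE-0001", "1.3.3")],
    "acme-beanutils": [("ADV-EXAMPLE-0002", "1.9.2")],
}


def parse_version(text):
    """Turn '1.10.0' into (1, 10, 0) so versions compare numerically, not as strings
    (a plain string comparison would rank '1.10.0' below '1.9.0')."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


def find_vulnerable(manifest, advisories):
    """Return (artifact, version, advisory_id) for every affected dependency."""
    hits = []
    for artifact, version in manifest:
        for adv_id, fixed_in in advisories.get(artifact, []):
            if parse_version(version) < parse_version(fixed_in):
                hits.append((artifact, version, adv_id))
    return hits


def build_exit_code(manifest, advisories):
    """0 when the manifest is clean, 1 when any vulnerable component is found."""
    hits = find_vulnerable(manifest, advisories)
    for artifact, version, adv_id in hits:
        print(f"VULNERABLE {artifact}=={version} ({adv_id})")
    return 1 if hits else 0


if __name__ == "__main__":
    # A non-zero exit status is what makes the CI job, and so the build, fail.
    sys.exit(build_exit_code(MANIFEST, ADVISORIES))
```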

All of these issues and recommendations mean that developers have to keep their focus on security, even while meeting deadlines and pushing out code, said Hoole.

"You can never say you are secure. You need to keep doing your due diligence, and you need to step up."
—Alexander Hoole
