A worrying number of widely used applications have serious vulnerabilities, especially those used by companies in the tech sector, new research has revealed.
A report by Veracode, analyzing 20 million scans across half a million applications in the technology, manufacturing, retail, financial services, healthcare and government sectors, found that 24% of applications in the technology sector have serious defects.
Counting flaws of any severity, the sector's rate (79%) is the second highest of those studied, behind only the public sector (82%).
The most common types of vulnerabilities are server configuration issues, insecure dependencies and information leaks. The report notes that these findings "largely overlap" with the pattern seen in other industries. However, the sector diverges most from the industry average on cryptographic issues and information leaks, which has led the researchers to speculate that tech developers are better at handling data protection challenges.
On the number of problems fixed, the tech sector sits in the middle of the pack. Companies are, however, relatively quick to remediate: it takes them up to 363 days to fix 50% of defects. While this is better than average, there is still work to be done, Veracode added.
For Veracode’s Chief Research Officer Chris Eng, it’s not just about finding bugs, it’s about reducing the number of bugs introduced into the code. In addition, he believes that companies need to focus more on automating security testing.
“Log4j caused alarm in many organizations last December. Then, government action was taken in the form of guidelines from the Office of Management and Budget (OMB) and the European Cyber Resilience Act, which focus on the supply chain,” said Eng. “To improve performance over the coming year, tech companies should not only consider strategies to help developers reduce code errors, but also put more emphasis on automating security testing in the Continuous Integration/Continuous Delivery (CI/CD) pipeline to increase efficiencies.”
Cybercriminals routinely probe the web applications companies use for security vulnerabilities and coding errors. Once they find one, they often exploit it to deploy web shells, which give them a foothold on the corporate network and its endpoints. After mapping the network and identifying the devices and data on it, they can launch the second stage of the attack, which is often ransomware, other malware, or data wiping.