Report: Half of apps have security problems

Veracode report finds problems with applications, particularly third-party apps.

Elinor Mills Former Staff Writer

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

See full bio

Elinor Mills

Sept. 22, 2010 4:00 a.m. PT

This chart shows the source of application and the failure rate for security acceptance based on how critical the app is to the business. Veracode

More than half of software used in enterprises has security problems, according to a new report to be released today from Veracode, an application security company.

Veracode looked at more than 2,900 applications over an 18-month period that were used by its cloud-based customers and found that 57 percent of all the apps were found to have unacceptable application security quality.

Eight out of 10 Web apps failed to meet the OWASP (Open Web Application Security Project ) Top 10 requirement that is necessary to achieve PCI (payment card industry) compliance for use in financial and e-commerce sites, Veracode said.

The report finds that third-party code, which is growing in use in enterprises, is often insecure. Third-party suppliers failed to achieve acceptable security standards 81 percent of the time, the report said.

Meanwhile, cross-site scripting remains the most common of all application vulnerabilities, and .NET applications showed "abnormally high" numbers of flaws, Veracode said.

"A lot of work still needs to be done around the work of software security," Sam King, vice president of product marketing at Veracode, told CNET.

Also on Wednesday, WhiteHat Security released a report that found that the average Web site had nearly 13 serious vulnerabilities.