Veracode, a company that helps developers improve software code quality, analyzes data from its customers' testing and releases summary data to help the industry understand code quality issues. Below are a few scary results from its most recent report.
87% of Android apps and 80% of iOS apps have cryptographic issues. This means that while mobile developers want to create secure applications, they really do not understand how to do that, and, worse yet, these problems are not detected by the developers' internal testing processes.
The language that the applications are written in affects code quality. Over 50% of applications written in Microsoft ASP, ColdFusion and PHP had at least one SQL injection vulnerability on initial assessment compared to 29% of .Net applications and 21% of Java applications.
In addition, Veracode found a 28% higher fix rate for bugs found by static code analysis than for bugs found by dynamic code analysis. Why this is true is not clear, and it does not mean that developers should abandon dynamic code analysis.
In looking at the cryptographic issues found in mobile apps, Veracode found these types of issues:
- Insufficient entropy – 67%
- Improper validation of certificates – 50%
- Clear text storage of sensitive information – 41%
- Use of broken or risky crypto algorithm – 40%
Additional issues are clear text storage on hard disk, inadequate key length, use of hard-coded keys, improper verification of cryptographic signatures, improper following of a certificate's chain of trust, and missing encryption of sensitive data.
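As an added illustration (not from the Veracode report or its tooling), the Python script below shows what the issue classes listed above typically look like in Android (Java) source and how even a grep-level static check can flag them. The rule patterns and the sample source are constructed heuristics for this demonstration, not Veracode's rules.

```python
import re

# Illustrative heuristics mapping the report's issue classes to source patterns
# commonly seen in Android (Java) code. Not a complete or production rule set.
RULES = [
    ("insufficient entropy",
     re.compile(r"\bnew\s+(?:java\.util\.)?Random\s*\(|\bMath\.random\s*\(")),
    ("improper certificate validation",
     re.compile(r"checkServerTrusted\s*\([^)]*\)\s*\{\s*\}"
                r"|ALLOW_ALL_HOSTNAME_VERIFIER"
                r"|\bverify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}")),
    ("cleartext storage of sensitive information",
     re.compile(r'putString\(\s*"(?:password|passwd|token|secret)"', re.I)),
    ("broken or risky crypto algorithm",
     re.compile(r'getInstance\(\s*"(?:DES|RC4|MD5|SHA-1|AES/ECB|AES")')),
    ("hard-coded key",
     re.compile(r'new\s+SecretKeySpec\s*\(\s*(?:"[^"]*"\.getBytes|new\s+byte\[\]\s*\{)')),
]

# Constructed Android-style source used only for this demonstration.
# Lines 2-6 each carry one weakness; lines 7-8 are the safe counterparts.
SAMPLE = """\
import java.util.Random;
SecretKey key = new SecretKeySpec("0123456789abcdef".getBytes(), "AES");
Cipher cipher = Cipher.getInstance("DES/ECB/PKCS5Padding");
byte[] iv = new byte[16]; new Random().nextBytes(iv);
prefs.edit().putString("password", pw).apply();
public void checkServerTrusted(X509Certificate[] chain, String authType) {}
SecureRandom rng = new SecureRandom();
Cipher ok = Cipher.getInstance("AES/GCM/NoPadding");
"""


def scan(source):
    """Return (line_number, issue_class) for every line that matches a rule."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for issue, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, issue))
    return findings


if __name__ == "__main__":
    for lineno, issue in scan(SAMPLE):
        print(f"line {lineno}: {issue}")
```

Real static analyzers resolve types and data flow rather than matching text, which is why they also catch the cases these regexes miss (for example a key read from a constant defined elsewhere).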
The Veracode report linked below provides additional detail, but what is clear is that while many developers want to protect their users' information, they don't seem to be able to do it. On top of that, testing only detects the presence of bugs, not their absence, meaning that there are likely additional security bugs that were not detected.
Given that the hackers are getting better, the developers need to get better as well. Veracode also found that developer training improved the fix rate of security bugs by 30%. That is pretty impressive. Time for developers to evolve.