Tag Archives: Veracode

Most Mobile Apps Have Encryption Issues

Veracode, a company that helps developers improve software code quality, analyzes the data from its customers’ testing and releases summary data to help the industry understand code quality issues. Below are a few scary results from their most recent report.

87% of Android apps and 80% of iOS apps have cryptographic issues. This means that while mobile developers want to create secure applications, they really do not understand how to do that, and worse yet, these problems are not detected by the developers’ internal testing processes.

The language that the applications are written in affects code quality. Over 50% of applications written in Microsoft ASP, ColdFusion and PHP had at least one SQL injection vulnerability on initial assessment, compared to 29% of .Net applications and 21% of Java applications.

In addition, Veracode found a 28% higher fix rate for bugs found by static code analysis vs. dynamic code analysis. Why this is true is not clear, and it does not mean that developers should abandon dynamic code analysis.

In looking at the cryptographic issues found in mobile apps, Veracode found these types of issues:

  • Insufficient entropy – 67%
  • Improper validation of certificates – 50%
  • Clear text storage of sensitive information – 41%
  • Use of broken or risky crypto algorithm – 40%

Additional issues are clear text storage on hard disk, inadequate key length, use of hard coded keys, improper verification of cryptographic signatures, improper following of a certificate’s chain of trust, and missing encryption of sensitive data.

The Veracode report linked below provides additional detail, but what is clear is that while many developers want to protect their users’ information, they don’t seem to be able to do it. On top of that, testing can only show the presence of bugs, not their absence, meaning that there are likely additional security bugs that were not detected.

Given that the hackers are getting better, the developers need to get better as well. Veracode also found that developer training improved the fix rate of security bugs by 30%. That is pretty impressive. Time for developers to evolve.

Information for this post came from Veracode and SC Magazine.

What The Boardroom Thinks About Data Breach Liability

The New York Stock Exchange and Veracode surveyed 276 board directors or senior execs of publicly traded companies on the subject of data breach liability and I find the results interesting.

It is important to understand that these are very large companies and when it comes to cyber risk, they are likely at the top of the learning curve.  Still, what they think today is likely what the rest of the companies will think in a few years.

That said, here are some of the results:

  1. 90% believe that regulators should hold companies liable for breaches if they didn’t properly secure their data. This answer really hinges on the definition of “properly”. Still, these board members are not trying to get out of their responsibility, which I think is great.
  2. 90% also think that third party software providers should be held liable for vulnerabilities in their code. While this sort of tracks with #1 above, if you are a software vendor and sell to big companies, I would worry about this. If what this means is that they want you to fix the bug, that is not a big deal. If what it means is that they want you to pay for the breach if the attackers got in due to a bug in your software, that is a BIG problem.
  3. 65% say that they either have already or are planning to include liability clauses in their contracts with software suppliers. If you are a software vendor, this could dramatically affect your business and would likely change what cyber liability coverages you buy and at what amount, and indirectly, your cost of doing business.
  4. When it comes to cyber insurance, 91% have some form of insurance, including business interruption and data restoration. 54% have coverage for fines, breach notification and extortion. 35% say they want coverage for software coding and human error when it leads to a breach. This last coverage is not well defined yet and could be expensive.
  5. 52% say they are buying employee or insider threat coverage. This is smart because a goodly percentage of breaches are due to acts of omission or commission by insiders.

What is unclear at this point is what the regulators and insurance companies are going to demand. Companies can wait for the regulators (like the very detailed proposed rules from the NYDFS), or companies can get ahead of the power curve.

What seems clear is that with insurance companies beginning to raise premiums and deductibles significantly (premiums in retail went up 32% in the first half of 2015; Anthem had to accept a $25 million deductible when they renewed their insurance this year), what is next is insurance companies examining business practices much more closely before granting or renewing coverage. Some carriers have already started doing this.

Businesses have two choices: wait and hope they can scramble fast enough when the regulators or insurance carriers call on them, or get ahead of the power curve. The choice is a business decision that may impact the future of the company. Big NYSE companies can afford to hire experts when this happens and pay them $50 million to get their tushes out of a crack. For smaller companies, even if that bill scales down to $5 million, it might be a problem. And, even if you spend the money, the inside resources that are needed to execute these plans will likely be significant.

Interesting food for thought.

Information for this post came from Dark Reading.