Bad coding is leaving banks exposed to cyber attacks
While software vulnerabilities are all too widespread, new research has uncovered an unlikely worst culprit: the banking industry.
A rigorous review of applications across all major sectors found that financial services, telecoms and IT consulting had the highest mean density of Common Weakness Enumeration (CWE) findings per thousand lines of code. Energy and utility companies had the lowest scores.
Software analysis firm CAST reviewed 278 million lines of code from more than 1,380 application developers in Java EE and .NET, and discovered more than 1.3 million vulnerabilities caused by errors and poor code hygiene.
Although the overall mean CWE density differed little between Java EE and .NET, the spread across different types of applications told a different story, especially in .NET.
ERP and analytics apps had the highest CWE densities of all the application types, with the largest variation in density scores to boot. Meanwhile, customer websites, CRM systems and enterprise portals had the lowest density of CWEs, but included several high-density outliers.
Developers of .NET applications also got a rude wake-up call from the research, which found huge variations in .NET coding consistency depending on the methodology followed. While applications developed using Agile, Hybrid or no method at all had similar CWE density levels, levels exploded in applications developed using waterfall methods. In fact, 75 per cent of the CWE densities in applications developed by all other methods would fall in the lower half of those developed through waterfall methods.
Another interesting finding was that Java EE applications that were released more than six times per year had significantly higher CWE densities than those released fewer than six times a year - a variation that did not affect .NET applications. The researchers noted that as the industry moves toward continuous release cycles, Agile development and DevSecOps-style strategies in order to improve user experience, the shift is actually putting applications at greater risk of security defects.
This trend strikes a chord with research conducted by High-Tech Bridge, which led to the development of a new free service, ImmuniWeb Discovery, which provides businesses with a comprehensive inventory and classification of their external web and mobile applications, as well as their APIs.
Ilia Kolochenko, CEO of High-Tech Bridge, commented: “Today, many companies are frustrated and disoriented with their application security strategy, lost in DevSecOps hype. Most of the application security incidents and data breaches involve abandoned and vulnerable applications that companies simply forget in the course of business development. GDPR imposes severe sanctions for loss of personal data that is unavoidable without holistic inventory and classification of corporate applications. At High-Tech Bridge, we designed this vendor-independent service to enable companies to take back control of their applications.”
ImmuniWeb Discovery is part of the ImmuniWeb Application Security Testing (AST) Platform, designed to reduce AST costs, minimize the external attack surface and help meet compliance and regulatory requirements.