Banks and financial services companies are leaving themselves at risk of being hacked thanks to poorly-written code, according to new research.
Software analysis firm CAST reviewed 278 million lines of code from more than 1,380 applications developer using Java EE and .NET, and discovered more than 1.3 million vulnerabilities caused by errors and sloppy code hygiene.
Financial services companies, IT consultants and telcos were found to be most guilty of this, with the highest number of common weakness enumerations (CWEs) per thousand lines of code.
"We found that overall, organisations are taking application security quite seriously. However, there are clear outliers to this broad finding that put companies and their customers at significant risk," said CAST's senior vice president and chief scientist Bill Curtis. "Without a clear understanding of existing application security vulnerabilities, organisations are not addressing some of the biggest software risks that pose a threat to their business."
Interestingly, the report found that outsourcing had little measurable impact on code quality, with significant differences in the CWE rate of apps developed in-house compared to those outsourced to other firms.
Similarly, there were little statistical differences between onshore and offshore-developed apps. Application size also did not appear to affect the amount of weaknesses present. The biggest indicator of risk appeared to be age, with applications between five and 10 years old presenting the greatest potential for flaws.
The report also had harsh words about Microsoft's .NET programming language, warning that .NET applications had more vulnerabilities on average than Java apps, though it didn't provide numbers. Microsoft's .NET apps developed with the waterfall software evelopment method had the worst scores overall.
However, CAST cautioned that continuous deployment can prove risky, too. Java apps with six or more annual releases had the largest number of CWE vulnerabilities, which could prove a problem for companies that have adopted an agile, DevOps-centric development model.
Picture: Bigstock
-
LaunchDarkly to "double down" on observability with Highlight acquisitionNews Highlight's observability tools will be integrated into LaunchDarkly's Guarded Releases software deployment service
-
Samsung Galaxy Tab S10 FE reviewReviews The Tab S10 FE retains the feel and core capabilities of Samsung's high-end S10 tablets, but compromises on the display and the performance
-
Walking the line: GitOps and Shift Left securityWhitepaper Scalable, developer-centric supply chain security solutions
-
Thwart cyberthreats fast with security operations + AI OpsWhitepaper How automated collaboration saves the day
-
Three steps to transforming security operationsWhitepaper How to be more agile, effective, collaborative, and scalable
-
“Full speed ahead” mentality in cloud native space causing security headachesNews Red Hat says the rapid development of cloud native technologies means that security issues could go unnoticed
-
IBM LinuxONE for dummiesWhitepaper Secure your data, build an open hybrid cloud environment, and realise the cost benefits of consolidation
-
Bridging the DevSecOps divide: Spotlight on zero trustWhitepaper Security at the forefront
-
70% of IT workers skip key security steps due to work pressuresNews Report finds that a fifth of DevOps and security professionals have considered quitting their jobs due to stress
-
GitLab patches API flaw that exposed private group dataNews GitLab private projects that were formerly public could have been accessed through search APIs
