Old and poorly written code is creating security challenges for businesses, new research warns, with the financial sector at the highest risk.
After auditing more than 278 million lines of code across 1,388 applications worldwide, the researchers found 1.3 million weaknesses that could allow attackers to compromise corporate infrastructure.
Research by CAST Software found that financial services institutions had the worst code, as measured against a benchmark called the Common Weakness Enumeration (CWE).
CWE is a catalogue of known software weakness types that attackers could exploit; it covers software architecture as well as the code itself.
Software in the financial sector has the most coding mistakes and insecure coding practices per thousand lines of code in its applications, a metric the report refers to as CWE density.
The report stated: “Applications introduced in 2012 are more than due for a health check. Applications between five and ten years of age have the best potential for security defects.” It added: “Poor coding is likely due to the fact 37% of developers are not graded on code quality.”
Dr Bill Curtis, chief scientist at CAST, stated: “We found that overall, organisations are taking application security quite seriously. However, there are clear outliers to this broad finding that put companies and their customers at significant risk.” He added: “Without a clear understanding of existing application security vulnerabilities, organisations are not addressing some of the biggest software risks that pose a threat to their business.”
The telecommunications and IT consulting sectors also ranked poorly compared with other industries on code quality. The manufacturing, energy and pharmaceuticals sectors had the least vulnerable code.
Key findings from the report include:
- CWE density does not correlate with application size.
- Financial Services and Telecommunications have the highest CWE densities of all industries surveyed.
- Applications developed in .NET have higher CWE densities and produce some of the poorest software quality overall.
- Neither sourcing (in-house versus outsourced development) nor shoring (onshore versus offshore) affects CWE density across application portfolios.
- Java applications released more than six times per year have the highest CWE densities.