Research from software analysis and measurement provider CAST reveals growing numbers of global data breaches and security incidents directly linked to poor code quality.
Ongoing research on application software health reveals that finance and retail industry applications are the most vulnerable to data breaches, with 70% of retail and 69% of financial services applications having data input validation violations.
CAST EVP Lev Lesokhin, who led the analysis, said: “So long as IT organisations sacrifice software quality and security [to meet] unrealistic schedules, [we will see] more high-profile attacks.” He said these will potentially lead to the exposure and exploitation of customers’ data.
Input validation issues were thrown into sharp relief earlier this year by the Heartbleed bug, which exposed more than 60% of global online servers to intrusion through a ‘missing bounds check’ in the implementation of the TLS heartbeat extension.
On June 21 2014, an estimated 309,197 public web servers were still deemed vulnerable. This follows a report showing that input validation flaws were exploited in 80% of attacks against retail industry applications last year. The most notable was the infamous eBay data breach, in which attackers gained access to more than 145 million customer records.
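The ‘missing bounds check’ the article refers to, as an added illustration that is not part of the article or of CAST's research: a simplified heartbeat echo handler that trusts the peer-supplied payload length, beside the same handler with the length check the fix added. The message layout, the 64-byte memory region and the secret are constructed for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Simplified TLS heartbeat message (RFC 6520): type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define HB_PADDING 16
#define HB_REQUEST 1
#define HB_RESPONSE 2
/* Build the echo response for the heartbeat message at rec, received in a record of rec_len bytes.
 * With check_bounds == 0 this mirrors the defect the article describes: payload_len comes from the
 * peer-supplied header and is never compared with rec_len, so memcpy reads past the real payload.
 * Returns the number of bytes written to resp, or -1 if the message is rejected. */
static int build_heartbeat_response(const uint8_t *rec, size_t rec_len,
                                    uint8_t *resp, size_t resp_cap, int check_bounds)
{
    if (rec_len < 3) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    /* The fix: header + claimed payload + minimum padding must fit inside what was received. */
    if (check_bounds && 1 + 2 + payload_len + HB_PADDING > rec_len) return -1;
    size_t need = 3 + payload_len + HB_PADDING;
    if (need > resp_cap) return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload_len);   /* unchecked path: over-reads rec */
    memset(resp + 3 + payload_len, 0, HB_PADDING);
    return (int)need;
}

/* Constructed demo: a 64-byte region stands in for process memory. A 21-byte request
 * (2-byte payload "hi" plus padding) sits at the start; a constructed secret follows it. */
static uint8_t g_memory[64];
static const char g_secret[] = "SESSION-KEY-DEMO";

/* Runs both handlers on the same request, which claims a 40-byte payload. Returns 1 when the
 * unchecked handler echoes the secret back and the checked handler rejects the request. */
int demo_heartbleed_check(void)
{
    uint8_t resp[128];
    size_t rec_len = 1 + 2 + 2 + HB_PADDING;               /* bytes actually received: 21 */
    memset(g_memory, 0, sizeof g_memory);
    g_memory[0] = HB_REQUEST;
    g_memory[1] = 0;  g_memory[2] = 40;                      /* claimed length: 40, real: 2 */
    g_memory[3] = 'h'; g_memory[4] = 'i';
    memcpy(g_memory + 24, g_secret, sizeof g_secret - 1);    /* lives just past the record */
    int n_bad = build_heartbeat_response(g_memory, rec_len, resp, sizeof resp, 0);
    int leaked = n_bad == 59 && memcmp(resp + 24, g_secret, sizeof g_secret - 1) == 0;
    int n_good = build_heartbeat_response(g_memory, rec_len, resp, sizeof resp, 1);
    return leaked && n_good == -1;
}
```

The unchecked handler copies 40 bytes although only 21 were received, so the bytes that happen to follow the record end up in the response; the single length comparison is what stops it.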
In its upcoming biennial CRASH Report on the global state of quality in business applications, CAST flags up a significant correlation between the robustness of applications (their ability to avoid failures) and their security.
Dr Bill Curtis, chief scientist and the report’s author, said that certain experts in the security field have argued that the security of software differs from software quality, and as such, must be treated separately.
However, he stated that data from the CRASH Report proves this assumption is dangerous and false. He also warned that the use of badly constructed software leaves open a variety of potentially disastrous security gaps.