Source Code Analysis
- “75% of security breaches happen at the application” – Gartner
- “Over 70% of security vulnerabilities exist at the application layer, not the network layer” – Gartner
- “If only 50% of software vulnerabilities were removed prior to the application going live in production, costs would be reduced by 75%” – Gartner
- “92% of reported vulnerabilities are in applications not in networks” – NIST (National Institute of Standards and Technology)
- “The cost of fixing a bug in the field is $30,000 vs $5,000 during coding” – NIST (National Institute of Standards and Technology)
Research indicates that the general security level of web applications is decreasing. Developers pay more attention to functionality than to the security of web applications. As a result, many administration flaws have appeared; they are classified as low-severity vulnerabilities, but by exploiting them an attacker can obtain sensitive data (when it is disclosed on application pages) or gain unauthorized access (through brute-force or session attacks). All applications, regardless of development tools and industry, are vulnerable.
Each of the applications studied by the experts had at least one medium-severity vulnerability, and 70% had critical flaws. An intruder may exploit code errors not only to obtain full control over the server, but also to attack the application's users, which can cause significant reputational damage. The 2016 research results demonstrate the need to analyze web application security regularly. Security should be analyzed at all development stages and then regularly (e.g. twice a year) during operational use. According to the results, white-box testing with source code analysis is more efficient than other methods. Moreover, this testing can be conducted automatically (using a source code analyzer), which is more practical than manual testing. More than half (62.5%) of the applications put into production contained critical vulnerabilities, which can lead to sensitive data disclosure, system compromise or failure.
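To make concrete what an automated source code analyzer does for the low-severity "administration flaws" described above, here is a small AST-based checker. It is an added illustration, not code from the original page or from any vendor's product; the rule names, severities, configuration keys and the sample input are all constructed for this example. It parses Python source without executing it and reports settings that expose internals to users (debug mode), weaken session handling (cookie flags), or embed secrets in source.

```python
"""Minimal AST-based static analyzer for web-application configuration flaws.

Added example (not from the original page): scans Python source for a few
constructed rules of the kind a source code analyzer would apply automatically.
"""
import ast
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Finding:
    rule: str       # constructed rule identifier
    severity: str   # constructed severity label
    line: int       # 1-based line in the analyzed source
    message: str


# Constructed rules: config name -> (value that triggers a finding, severity, message).
BOOLEAN_RULES = {
    "DEBUG": (True, "medium", "debug mode exposes stack traces and internals to users"),
    "SESSION_COOKIE_SECURE": (False, "low", "session cookie may be sent over plaintext HTTP"),
    "SESSION_COOKIE_HTTPONLY": (False, "low", "session cookie is readable by page scripts"),
}
# Constructed list of names that should never be assigned a string literal.
SECRET_NAMES = {"SECRET_KEY", "PASSWORD", "DB_PASSWORD", "API_KEY"}


def _target_name(target: ast.expr) -> Optional[str]:
    """Return the config key for `NAME = ...` or `obj["NAME"] = ...`, else None."""
    if isinstance(target, ast.Name):
        return target.id
    if isinstance(target, ast.Subscript):
        key = target.slice
        if isinstance(key, ast.Index):  # Python 3.8 wraps the index node
            key = key.value
        if isinstance(key, ast.Constant) and isinstance(key.value, str):
            return key.value
    return None


def analyze(source: str, filename: str = "<input>") -> List[Finding]:
    """Parse `source` and return findings in source order (nothing is executed)."""
    tree = ast.parse(source, filename)
    findings: List[Finding] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Assign):
            continue
        value = node.value
        for target in node.targets:
            name = _target_name(target)
            if name is None:
                continue
            # Boolean configuration switches with a known-weak value.
            if name in BOOLEAN_RULES and isinstance(value, ast.Constant):
                bad_value, severity, message = BOOLEAN_RULES[name]
                if value.value is bad_value:
                    findings.append(Finding(f"config-{name.lower()}", severity, node.lineno, message))
            # Secrets assigned as non-empty string literals in source.
            if (name in SECRET_NAMES and isinstance(value, ast.Constant)
                    and isinstance(value.value, str) and value.value):
                findings.append(Finding(
                    "hardcoded-secret", "medium", node.lineno,
                    f"{name} is a string literal in source; load it from the environment or a secret store"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity label."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample input resembling a web application's settings module.
SAMPLE_CONFIG = '''
SECRET_KEY = "change-me-in-prod"
DEBUG = True
app.config["SESSION_COOKIE_SECURE"] = False
SESSION_COOKIE_HTTPONLY = True
'''

if __name__ == "__main__":
    for f in analyze(SAMPLE_CONFIG):
        print(f"{f.line}: [{f.severity}] {f.rule}: {f.message}")
    print(summarize(analyze(SAMPLE_CONFIG)))
```

Running it over the constructed sample reports three findings (the hardcoded secret, the debug switch, and the insecure session cookie) and nothing for the correctly set `SESSION_COOKIE_HTTPONLY`. The same walk over every `Assign` node is how such checks scale to a whole code base: the rules are data, so adding a check is a table entry rather than a new pass over the source.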