Avoid getting burned by security defects. Click the vulnerabilities below to reveal data from our
State of Software Security Volume 12 and to learn how to stay cool with secure coding practices.
Security Flaw Heat Map: share of applications in each language in which Veracode Static Analysis found the flaw category (State of Software Security Volume 12). Columns are listed in the order they appear on the heat map; the first column carries no language label in the extracted page.

Language not labelled in the extracted page: Server Configuration 8.3%; Code Quality 8.6%; Credentials Management 13.8%; Authorization Issues 16.3%; Insufficient Input Validation 17.3%; Information Leakage 24.3%; CRLF Injection 31.2%; Directory Traversal 37.5%; Cross-Site Scripting (XSS) 38.8%; Cryptographic Issues 52.0%

PHP: Code Injection 34.4%; Command or Argument Injection 34.6%; CRLF Injection 35.4%; Encapsulation 36.5%; Credentials Management 47.9%; Untrusted Initialization 50.6%; Information Leakage 54.7%; Directory Traversal 61.4%; Cryptographic Issues 71.0%; Cross-Site Scripting (XSS) 77.2%

JavaScript: Authorization Issues 6.8%; Code Quality 8.2%; Directory Traversal 16.0%; Authentication Issues 26.0%; Information Leakage 29.9%; Cryptographic Issues 31.0%; Insufficient Input Validation 36.0%; Cross-Site Scripting (XSS) 38.0%; Credentials Management 43.5%; CRLF Injection 43.8%

Java: API Abuse 14.7%; Encapsulation 17.0%; Insufficient Input Validation 21.2%; Cross-Site Scripting (XSS) 22.5%; Credentials Management 24.9%; Directory Traversal 31.1%; Cryptographic Issues 49.6%; Information Leakage 50.9%; Code Quality 58.8%; CRLF Injection 64.8%

C++: Untrusted Initialization 11.8%; Race Conditions 29.0%; Potential Backdoor 31.4%; Code Quality 39.3%; Buffer Overflow 39.7%; Directory Traversal 42.0%; Cryptographic Issues 44.8%; Numeric Errors 49.1%; Buffer Management Errors 53.5%; Error Handling 72.5%

.NET: SQL Injection 11.8%; Authentication Issues 14.2%; Cross-Site Scripting (XSS) 22.3%; Credentials Management 22.7%; CRLF Injection 30.0%; Directory Traversal 30.8%; Cryptographic Issues 46.6%; Insufficient Input Validation 52.9%; Code Quality 59.3%; Information Leakage 64.8%
.net
11.8% SQL Injection
What it is
SQL injection vulnerabilities allow attackers to gain unauthorized access to backend databases. They do so by supplying malicious SQL statements as input, which the application handles improperly and so executes as part of its own queries.
the data
Veracode Static Analysis discovered that SQL injection flaws occur in 23.5% of applications.
Source: State of Software Security Volume 12
the fix
Prevent SQL injection attacks with secure coding practices, such as utilizing a parameterized query. Doing so will treat the input data as a parameter of the query and not as a potentially dangerous extension of the query.
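The parameterized-query fix described above, as an added Python example that is not part of the original page: the same user lookup built by string concatenation and by parameter binding, run against a constructed in-memory SQLite table (the table, rows and inputs are all constructed for the example).

```python
import sqlite3


def make_demo_db():
    """Build an in-memory SQLite table with constructed sample rows so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (username) VALUES (?)", [("alice",), ("bob",)])
    return conn


def find_user_concatenated(conn, username):
    """Vulnerable pattern: the input is spliced into the SQL text, so quotes in it change the query."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return sorted(row[0] for row in conn.execute(sql))


def find_user_parameterized(conn, username):
    """Fixed pattern: the input is bound as a parameter and is only ever compared as data."""
    sql = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


# Constructed inputs: a normal name, a legitimate name containing an apostrophe,
# and a quote-closing tautology of the kind the card above calls a "malicious SQL statement".
NORMAL_INPUT = "alice"
APOSTROPHE_INPUT = "o'brien"
TAUTOLOGY_INPUT = "' OR '1'='1"


def compare(username):
    """Run both lookups on one input; a SQL error from the concatenated query is reported, not raised."""
    conn = make_demo_db()
    try:
        concatenated = find_user_concatenated(conn, username)
    except sqlite3.OperationalError as exc:
        concatenated = "error: " + str(exc)
    parameterized = find_user_parameterized(conn, username)
    return {"concatenated": concatenated, "parameterized": parameterized}


if __name__ == "__main__":
    for value in (NORMAL_INPUT, APOSTROPHE_INPUT, TAUTOLOGY_INPUT):
        print(repr(value), compare(value))
```

The concatenated query returns every row for the tautology and fails outright on the apostrophe, while the parameterized query treats both as literal usernames that match nothing.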
.net
14.2% Authentication Issues
What it is
Authentication issues can occur when functions related to authentication are not implemented securely. This can allow threat actors access to passwords, session tokens, and more.
the data
Veracode Static Analysis discovered that authentication issues occur in 18.8% of applications.
Source: State of Software Security Volume 12
the fix
Utilize secure coding practices and security scans to ensure that your code is free of authentication issues. Implement strong password policies and validate that passwords meet these policies. Finally, whenever possible, implement multi-factor authentication.
.net
22.3% Cross-Site Scripting (XSS)
What it is
Cross-site scripting (XSS) flaws permit attackers to inject client-side scripts into an application. They lead to a wide attack surface for threat actors to hijack user accounts, spread worms and Trojans, access browser history and clipboard contents, control the browser remotely, and exploit online appliances and applications.
the data
Veracode Static Analysis discovered that XSS flaws occur in 40.1% of applications.
Source: State of Software Security Volume 12
the fix
You can prevent these vulnerabilities with secure coding practices. For example, always sanitize input from search fields and forms by validating that it’s the expected content for the field and then encoding it for the “endpoint.”
.net
22.7% Credentials Management
What it is
A credentials management attack is an exploit that attempts to breach username and password pairs to take control of user accounts. If threat actors are successful, they can steal, alter, or erase data, install malware, gain deeper access to your files and systems, and even initiate transactions.
the data
Veracode Static Analysis discovered that credentials management flaws occur in 43.5% of applications.
Source: State of Software Security Volume 12
the fix
Reduce your risk of an attack by storing encrypted passwords in restricted locations and avoiding hard-coded credentials. For inbound authentication using passwords, we recommend using strong one-way hash functions and storing the hashes in a protected configuration file or database.
.net
30.0% CRLF Injection
What it is
CRLF injection is a Carriage Return Line Feed (CRLF) exploit. When threat actors inject a CRLF sequence into an HTTP stream, it enables them to maliciously manipulate a web application’s functions.
the data
Veracode Static Analysis discovered that CRLF injection exploits are rampant, appearing in a sizeable 64.7% of applications.
Source: State of Software Security Volume 12
the fix
Prevent CRLF injection flaws by never trusting user input. Sanitize user-supplied data with proper validation and encoding, and be sure to properly encode output in HTTP headers.
.net
30.8% Directory Traversal
What it is
Directory traversal, also known as path traversal, is a type of HTTP exploit that threat actors use to gain unauthorized access to restricted directories and files. It abuses inadequate path validation in web server software or the application to reach directories and files stored outside of the web root folder.
the data
Veracode Static Analysis discovered that directory traversal flaws are found in 42.4% of applications.
Source: State of Software Security Volume 12
the fix
An attacker that exploits a directory traversal flaw can compromise the entire web server. To mitigate directory traversals, make sure you follow secure coding practices and validate user input from browsers, use filters to block certain user input, keep your web server software up to date with patches, and run frequent static analysis scans.
.net
46.6% Cryptographic Issues
What it is
Cryptographic flaws include improperly validating certificates, using broken crypto algorithms, employing inadequate encryption strength, and storing sensitive information in cleartext. This flaw can lead to stolen or destroyed data – including your organization’s most sensitive information.
the data
Veracode Static Analysis discovered that cryptographic issues are found in nearly two-thirds (60.2%) of applications.
Source: State of Software Security Volume 12
the fix
Cryptographic vulnerabilities are preventable with secure coding practices. Most major languages inherently support good cryptographic practices, and concerns over incorrect implementation typically arise only on a case-by-case basis.
.net
52.9% Insufficient Input Validation
What it is
Insufficient input validation occurs when input or data is not validated properly. This flaw is potentially dangerous as it can allow threat actors to perform cross-site scripting (XSS), as well as SQL injection attacks.
the data
Veracode Static Analysis discovered that insufficient input validation occurs in 42.6% of applications.
Source: State of Software Security Volume 12
the fix
In addition to implementing secure coding practices, perform automated static analysis (SAST) and dynamic analysis (DAST) scans. This will help you detect insufficient input validation.
.net
59.3% Code Quality
What it is
Code quality refers to weaknesses in your code that can indicate to threat actors and attackers that the application has not been carefully developed or maintained. While code quality does not directly introduce flaws into your applications, it causes unpredictable app behavior that is easily abused.
the data
Veracode Static Analysis discovered that code quality issues occur in 56.4% of applications.
Source: State of Software Security Volume 12
the fix
Prevent poor code quality by practicing secure coding methodologies, utilizing consistent coding patterns, and automating security testing in your SDLC.
.net
64.8% Information Leakage
What it is
Information leakage can take on many forms. At a high level, it's as simple as your application making information or data available to users that shouldn't have access. Threat actors can use leaked information to find and exploit vulnerabilities in your application or simply steal the leaked data.
the data
Veracode Static Analysis discovered that information leakage flaws are found in 61.1% of applications.
Source: State of Software Security Volume 12
the fix
Mitigating information leakage relies on secure coding practices and implementing security testing procedures as you develop code. Doing so will help ensure that you catch flaws or vulnerabilities where sensitive information is exposed.
C++
23.3% Untrusted Initialization
What it is
Untrusted initialization flaws are a result of threat actors having control of parameters or system settings through external means. This can lead to interrupted service to customers or cause odd application performance.
the data
Veracode Static Analysis discovered that untrusted initialization errors show up in 9.6% of applications.
Source: State of Software Security Volume 12
the fix
Implement proper secure coding processes and scan your code using static and dynamic analysis testing tools to identify and fix application weaknesses.
C++
29.0% Race Conditions
What it is
A race condition flaw occurs when a system is forced to perform two or more operations at once when it is designed to handle the tasks in a certain sequence. These exploits are difficult to execute, but if successful, threat actors can steal data, inject malicious code, deactivate controls, and more.
the data
Veracode Static Analysis discovered that race condition errors show up in just 6.0% of applications.
Source: State of Software Security Volume 12
the fix
You can prevent race conditions by implementing secure coding practices, as well as by scanning and reviewing your code through static analysis to look for race condition vulnerabilities.
C++
31.4% Potential Backdoor
What it is
Potential backdoor flaws may occur when threat actors discover “back end” access to an application, such as through cryptographic keys or hard-coded credentials, allowing them access to files.
the data
Veracode Static Analysis discovered that potential backdoor vulnerabilities show up in 7.6% of applications.
Source: State of Software Security Volume 12
the fix
Combine secure coding best practices with automated security testing in your developer workflow to find and fix backdoor flaws in your code before they become a problem.
C++
39.3% Code Quality
What it is
Code quality refers to weaknesses in your code that can indicate to threat actors and attackers that the application has not been carefully developed or maintained. While code quality does not directly introduce flaws into your applications, it causes unpredictable app behavior that is easily abused.
the data
Veracode Static Analysis discovered that code quality issues occur in 56.4% of applications.
Source: State of Software Security Volume 12
the fix
Prevent poor code quality by practicing secure coding, utilizing consistent coding patterns, and automating security testing in your SDLC.
C++
39.7% Buffer Overflow
What it is
Buffer overflow issues are common coding mistakes that potentially allow a threat actor to access your system and crash it, or even to use it to create an entry point for an attack. C and C++ languages are more susceptible to buffer overflow flaws.
the data
Veracode Static Analysis discovered that buffer overflow flaws show up in just 1.5% of applications.
Source: State of Software Security Volume 12
the fix
To prevent buffer overflow mistakes, use a binary SAST technology to scan for vulnerabilities, especially when using open source code. Make sure to avoid standard library functions that aren't bounds-checked with C and C++ applications.
C++
42.0% Directory Traversal
What it is
Directory traversal, also known as path traversal, is a type of HTTP exploit that threat actors use to gain unauthorized access to restricted directories and files. It abuses inadequate path validation in web server software or the application to reach directories and files stored outside of the web root folder.
the data
Veracode Static Analysis discovered that directory traversal flaws are found in 42.4% of applications.
Source: State of Software Security Volume 12
the fix
An attacker that exploits a directory traversal flaw can compromise the entire web server. To mitigate directory traversals, make sure you follow secure coding practices and validate user input from browsers, use filters to block certain user input, keep your web server software up to date with patches, and run frequent static analysis scans.
C++
44.8% Cryptographic Issues
What it is
Cryptographic flaws include improperly validating certificates, using broken crypto algorithms, employing inadequate encryption strength, and storing sensitive information in cleartext. This flaw can lead to stolen or destroyed data – including your organization’s most sensitive information.
the data
Veracode Static Analysis discovered that cryptographic issues are found in nearly two-thirds (60.2%) of applications.
Source: State of Software Security Volume 12
the fix
Cryptographic vulnerabilities are preventable with secure coding practices. Most major languages inherently support good cryptographic practices, and concerns over incorrect implementation typically arise only on a case-by-case basis.
C++
49.1% Numeric Errors
What it is
Numeric errors are weaknesses that relate to the improper conversion or calculation of numbers within your code.
the data
Numeric errors occur in just 1.4% of applications.
Source: State of Software Security Volume 12
the fix
Make sure to check your numbers and calculations before implementing changes to your code. Avoid making conversions between numeric types if possible, and always check for the allowed ranges. Implement secure coding practices to get ahead of common flaws and exploits.
C++
53.5% Buffer Management Errors
What it is
A buffer management error potentially allows a threat actor to execute arbitrary code remotely, which can change the behavior of an application.
the data
Veracode Static Analysis discovered that buffer management errors show up in just 1.7% of applications.
Source: State of Software Security Volume 12
the fix
To avoid buffer management errors, use binary static application security testing (SAST) technology to scan for vulnerabilities, especially when using open source code.
C++
72.5% Error Handling
What it is
Error handling issues can introduce security risk, as attackers may use improperly managed error messages to access your system, exploit flaws, uncover sensitive data, and more.
the data
Veracode Static Analysis discovered that error handling flaws show up in just 4.4% of applications.
Source: State of Software Security Volume 12
the fix
Provide error messages that are clear and valuable without revealing sensitive system or application details. Make sure to test your sites and resources for errors and learn how they respond so you can remediate them more efficiently.
Java
14.7% API Abuse
What it is
API abuse is an attack where API functionality is exploited through automated attacks. This often results in threat actors taking over accounts, initiating credential stuffing, scraping content, and more.
the data
Veracode Static Analysis discovered that API abuse exploits occur in 10.7% of applications.
Source: State of Software Security Volume 12
the fix
Implement secure coding practices in your developer workflow to get ahead of API abuse. Close gaps in your security by protecting your APIs with robust encryption and monitor API calls for abnormal behavior.
Java
17.0% Encapsulation
What it is
An encapsulation attack occurs when applications fail to differentiate data or functionality within components. This allows bad code to move from component to component, which threat actors can exploit through unauthorized access to functions and data.
the data
Veracode Static Analysis discovered that encapsulation flaws exist in 21.3% of applications.
Source: State of Software Security Volume 12
the fix
If you find an encapsulation flaw, block access to the affected application, database, or system until you can fully protect it. Also, make sure to back up your data and information so you can return to business as usual if there is a ransomware attack.
Java
21.2% Insufficient Input Validation
What it is
Insufficient input validation is potentially dangerous as it can allow threat actors to perform cross-site scripting (XSS), as well as SQL injection attacks.
the data
Veracode Static Analysis discovered that insufficient input validation occurs in 42.6% of applications.
Source: State of Software Security Volume 12
the fix
In addition to implementing secure coding practices, perform automated static analysis (SAST) and dynamic analysis (DAST) scans. This will help you detect insufficient input validation.
Java
22.5% Cross-Site Scripting (XSS)
What it is
Cross-site scripting (XSS) flaws permit attackers to inject client-side scripts into an application. It leads to a wide attack surface for threat actors to hijack user accounts, spread worms and Trojans, access browser history and clipboard contents, control the browser remotely, and exploit online appliances and applications.
the data
Veracode Static Analysis discovered that XSS flaws occur in 40.1% of applications.
Source: State of Software Security Volume 12
the fix
You can prevent these vulnerabilities with secure coding practices. For example, always sanitize input from search fields and forms by validating that it’s the expected content for the field and then encoding it for the “endpoint.”
Java
24.9% Credentials Management
What it is
A credentials management attack is an exploit that attempts to breach username and password pairs to take control of user accounts. If threat actors are successful, they can steal, alter, or erase data, install malware, gain deeper access to your files and systems, and even initiate transactions.
the data
Veracode Static Analysis discovered that credentials management flaws occur in 43.5% of applications.
Source: State of Software Security Volume 12
the fix
Reduce your risk of an attack by storing encrypted passwords in restricted locations and avoid utilizing hard-coded credentials. For inbound authentication using passwords, we recommend using strong one-way hash functions and storing them in a protected configuration file or database.
Java
31.1% Directory Traversal
What it is
Directory traversal, also known as path traversal, is a type of HTTP exploit that threat actors use to gain unauthorized access to restricted directories and files. It abuses inadequate path validation in web server software or the application to reach directories and files stored outside of the web root folder.
the data
Veracode Static Analysis discovered that directory traversal flaws are found in 42.4% of applications.
Source: State of Software Security Volume 12
the fix
An attacker that exploits a directory traversal flaw can compromise the entire web server. To mitigate directory traversals, make sure you follow secure coding practices and validate user input from browsers, use filters to block certain user input, keep your web server software up to date with patches, and run frequent static analysis scans.
Java
49.6% Cryptographic Issues
What it is
Cryptographic flaws include improperly validating certificates, using broken crypto algorithms, employing inadequate encryption strength, and storing sensitive information in cleartext. This flaw can lead to stolen or destroyed data – including your organization’s most sensitive information.
the data
Veracode Static Analysis discovered that cryptographic issues are found in nearly two-thirds (60.2%) of applications.
Source: State of Software Security Volume 12
the fix
Cryptographic vulnerabilities are preventable with secure coding practices. Most major languages inherently support good cryptographic practices, and concerns over incorrect implementation typically arise only on a case-by-case basis.
Java
50.9% Information Leakage
What it is
Information leakage can take on many forms. At a high level, it's as simple as your application making information or data available to users that shouldn't have access. Threat actors can use leaked information to find and exploit vulnerabilities in your application or simply steal the leaked data.
the data
Veracode Static Analysis discovered that information leakage flaws are found in 61.1% of applications.
Source: State of Software Security Volume 12
the fix
Mitigating information leakage relies on secure coding practices and implementing security testing procedures as you develop code. Doing so will help ensure that you catch flaws or vulnerabilities where sensitive information is exposed.
Java
58.8% Code Quality
What it is
Code quality refers to weaknesses in your code that can indicate to threat actors and attackers that the application has not been carefully developed or maintained. While code quality does not directly introduce flaws into your applications, it causes unpredictable app behavior that is easily abused.
the data
Veracode Static Analysis discovered that code quality issues occur in 56.4% of applications.
Source: State of Software Security Volume 12
the fix
Prevent poor code quality by practicing secure coding methodologies, utilizing consistent coding patterns, and automating security testing in your SDLC.
Java
66.2% CRLF Injection
What it is
CRLF injection is a Carriage Return Line Feed (CRLF) exploit. When threat actors inject a CRLF sequence into an HTTP stream, it enables them to maliciously manipulate a web application’s functions.
the data
Veracode Static Analysis discovered that CRLF injection exploits are rampant, appearing in a sizeable 64.7% of applications.
Source: State of Software Security Volume 12
the fix
Prevent CRLF injection flaws by never trusting user input. Sanitize user-supplied data with proper validation and encoding, and be sure to properly encode output in HTTP headers.
JavaScript
6.8% Authorization Issues
What it is
Authorization issues occur when authorization controls are not in place, or they're misconfigured or insecure. They can impact a range of layers in applications, including functions at the app layer, server access, and database access.
the data
Veracode Static Analysis discovered that authorization issues occur in 9.9% of applications.
Source: State of Software Security Volume 12
the fix
To prevent authorization issues, implement secure coding practices in your developer workflow and push for consistent security testing. Locate and control access to privileged assets in your applications based on the principles of least privilege. Ensure all roles in the application are properly configured to access only the necessary data.
JavaScript
8.2% Code Quality
What it is
Code quality refers to weaknesses in your code that can indicate to threat actors and attackers that the application has not been carefully developed or maintained. While code quality does not directly introduce flaws into your applications, it causes unpredictable app behavior that is easily abused.
the data
Veracode Static Analysis discovered that code quality issues occur in 56.4% of applications.
Source: State of Software Security Volume 12
the fix
Prevent poor code quality by practicing secure coding methodologies, utilizing consistent coding patterns, and automating security testing in your SDLC.
JavaScript
16.0% Directory Traversal
What it is
Directory traversal, also known as path traversal, is a type of HTTP exploit that threat actors use to gain unauthorized access to restricted directories and files. It abuses inadequate path validation in web server software or the application to reach directories and files stored outside of the web root folder.
the data
Veracode Static Analysis discovered that directory traversal flaws are found in 42.4% of applications.
Source: State of Software Security Volume 12
the fix
An attacker that exploits a directory traversal flaw can compromise the entire web server. To mitigate directory traversals, make sure you follow secure coding practices and validate user input from browsers, use filters to block certain user input, keep your web server software up to date with patches, and run frequent static analysis scans.
JavaScript
26.0% Authentication Issues
What it is
Authentication issues can occur when functions related to authentication are not implemented securely. This can allow threat actors access to passwords, session tokens, and more.
the data
Veracode Static Analysis discovered that authentication issues occur in 18.8% of applications.
Source: State of Software Security Volume 12
the fix
Utilize secure coding practices and security scans to ensure that your code is free of authentication issues. Implement strong password policies and validate that passwords meet these policies. Finally, whenever possible, implement multi-factor authentication.
JavaScript
29.9% Information Leakage
What it is
Information leakage can take on many forms. At a high level, it's as simple as your application making information or data available to users that shouldn't have access. Threat actors can use leaked information to find and exploit vulnerabilities in your application or simply steal the leaked data.
the data
Veracode Static Analysis discovered that information leakage flaws are found in 61.1% of applications.
Source: State of Software Security Volume 12
the fix
Mitigating information leakage relies on secure coding practices and implementing security testing procedures as you develop code. Doing so will help ensure that you catch flaws or vulnerabilities where sensitive information is exposed.
JavaScript
31.0% Cryptographic Issues
What it is
Cryptographic flaws include improperly validating certificates, using broken crypto algorithms, employing inadequate encryption strength, and storing sensitive information in cleartext. This flaw can lead to stolen or destroyed data – including your organization’s most sensitive information.
the data
Veracode Static Analysis discovered that cryptographic issues are found in nearly two-thirds (60.2%) of applications.
Source: State of Software Security Volume 12
the fix
Cryptographic vulnerabilities are preventable with secure coding practices. Most major languages inherently support good cryptographic practices, and concerns over incorrect implementation typically arise only on a case-by-case basis.
JavaScript
36.0% Insufficient Input Validation
What it is
Insufficient input validation is potentially dangerous as it can allow threat actors to perform cross-site scripting (XSS), as well as SQL injection attacks.
the data
Veracode Static Analysis discovered that insufficient input validation occurs in 42.6% of applications.
Source: State of Software Security Volume 12
the fix
In addition to implementing secure coding practices, perform automated static analysis (SAST) and dynamic analysis (DAST) scans. This will help you detect insufficient input validation.
JavaScript
38.0% Cross-Site Scripting (XSS)
What it is
Cross-site scripting (XSS) flaws permit attackers to inject client-side scripts into an application. They lead to a wide attack surface for threat actors to hijack user accounts, spread worms and Trojans, access browser history and clipboard contents, control the browser remotely, and exploit online appliances and applications.
the data
Veracode Static Analysis discovered that XSS flaws occur in 40.1% of applications.
Source: State of Software Security Volume 12
the fix
You can prevent these vulnerabilities with secure coding practices. For example, always sanitize input from search fields and forms by validating that it’s the expected content for the field and then encoding it for the “endpoint.”
JavaScript
43.5% Credentials Management
What it is
A credentials management attack is an exploit that attempts to breach username and password pairs to take control of user accounts. If threat actors are successful, they can steal, alter, or erase data, install malware, gain deeper access to your files and systems, and even initiate transactions.
the data
Veracode Static Analysis discovered that credentials management flaws occur in 43.5% of applications.
Source: State of Software Security Volume 12
the fix
Reduce your risk of an attack by storing encrypted passwords in restricted locations and avoid utilizing hard-coded credentials. For inbound authentication using passwords, we recommend using strong one-way hash functions and storing them in a protected configuration file or database.
JavaScript
43.8% CRLF Injection
What it is
CRLF injection is a Carriage Return Line Feed (CRLF) exploit. When threat actors inject a CRLF sequence into an HTTP stream, it enables them to maliciously manipulate a web application’s functions.
the data
Veracode Static Analysis discovered that CRLF injection exploits are rampant, appearing in a sizeable 64.7% of applications.
Source: State of Software Security Volume 12
the fix
Prevent CRLF injection flaws by never trusting user input. Sanitize user-supplied data with proper validation and encoding, and be sure to properly encode output in HTTP headers.
PHP
34.4% Code Injection
What it is
Code injection, or failure to control generation of code, occurs when code syntax isn’t properly filtered from user-controlled input. This makes it possible for a threat actor to manipulate the code and alter the control flow of the application.
the data
Veracode Static Analysis discovered that code injection flaws are found in 5.9% of applications.
Source: State of Software Security Volume 12
the fix
Implement proper secure coding processes and scan your code using static and dynamic analysis testing tools to identify and fix application weaknesses.
PHP
34.6% Command or Argument Injection
What it is
A command injection is a class of critical application vulnerabilities that involve dynamically generated content. With command injection attacks, threat actors can execute commands on a host’s operating system by exploiting a vulnerable application.
the data
Veracode Static Analysis discovered that command injection flaws exist in 11.7% of applications.
Source: State of Software Security Volume 12
the fix
If you notice a command injection attack, cut off access to the application immediately. Follow secure coding practices to prevent manipulation at the source by writing and using code that doesn’t allow manipulation and that rejects unacceptable input that presents a risk.
PHP
35.4% CRLF Injection
What it is
CRLF injection is a Carriage Return Line Feed (CRLF) exploit. When threat actors inject a CRLF sequence into an HTTP stream, it enables them to maliciously manipulate a web application’s functions.
the data
Veracode Static Analysis discovered that CRLF injection exploits are rampant, appearing in a sizeable 64.7% of applications.
Source: State of Software Security Volume 12
the fix
Prevent CRLF injection flaws by never trusting user input. Sanitize user-supplied data with proper validation and encoding, and be sure to properly encode output in HTTP headers.
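The header-encoding advice repeated in the CRLF Injection cards above, as an added Python example that is not part of the original page: a redirect built by copying a user-controlled target into the header block verbatim, beside a hardened builder that refuses CR, LF and NUL and percent-encodes the rest (the header block, paths and inputs are constructed for the example).

```python
import re
from urllib.parse import quote

# CR, LF and NUL are the characters that can end a header line early or truncate it in a parser.
_CONTROL_CHARS = re.compile(r"[\r\n\x00]")


def build_redirect_unsafe(target):
    """Vulnerable pattern: a user-controlled redirect target is copied into the header block verbatim."""
    return "Location: " + target + "\r\nContent-Length: 0\r\n"


def build_redirect_safe(target):
    """Hardened pattern: refuse control characters outright, then percent-encode what remains.

    '%' is deliberately not in the safe set, so an already-encoded '%0d%0a' is emitted as the
    inert text '%250d%250a' rather than something a later decoding step could turn into CRLF."""
    if _CONTROL_CHARS.search(target):
        raise ValueError("refusing header value containing CR, LF or NUL")
    return "Location: " + quote(target, safe="/:?&=#") + "\r\nContent-Length: 0\r\n"


def header_names(block):
    """Split a header block the way a client does and list the header names it ends up with."""
    return [line.split(":", 1)[0] for line in block.split("\r\n") if line]


def is_rejected(target):
    """True when the hardened builder refuses the value."""
    try:
        build_redirect_safe(target)
    except ValueError:
        return True
    return False


# Constructed inputs: a normal path, one carrying a raw CRLF plus an extra header line,
# and one carrying the same sequence percent-encoded (inert unless something decodes it).
NORMAL_TARGET = "/account/home?tab=1"
INJECTED_TARGET = "/account/home\r\nX-Injected: yes"
ENCODED_TARGET = "/account/home%0d%0aX-Injected: yes"

if __name__ == "__main__":
    print(header_names(build_redirect_unsafe(INJECTED_TARGET)))  # three headers: the client sees an extra one
    print(is_rejected(INJECTED_TARGET), is_rejected(ENCODED_TARGET))
    print(header_names(build_redirect_safe(ENCODED_TARGET)))     # still only Location and Content-Length
```

Rejecting is preferred over stripping because stripping leaves the value's meaning to whatever the next component does with it; the percent-encoding is defence in depth for the characters that are allowed through.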
PHP
36.5% Encapsulation
What it is
An encapsulation attack occurs when applications fail to differentiate data or functionality within components. This allows bad code to move from component to component, which threat actors can exploit through unauthorized access to functions and data.
the data
Veracode Static Analysis discovered that encapsulation flaws exist in 21.3% of applications.
Source: State of Software Security Volume 12
the fix
If you find an encapsulation flaw, block access to the affected application, database, or system until you can fully protect it. Also, make sure to back up your data and information so you can return to business as usual if there's a ransomware attack.
PHP
47.9% Credentials Management
What it is
A credentials management attack is an exploit that attempts to breach username and password pairs to take control of user accounts. If threat actors are successful, they can steal, alter, or erase data, install malware, gain deeper access to your files and systems, and even initiate transactions.
the data
Veracode Static Analysis discovered that credentials management flaws occur in 43.5% of applications.
Source: State of Software Security Volume 12
the fix
Reduce your risk of an attack by storing encrypted passwords in restricted locations and avoiding hard-coded credentials. For inbound authentication using passwords, we recommend using strong one-way hash functions and storing the resulting hashes in a protected configuration file or database.
PHP
50.6% Untrusted Initialization
What it is
Untrusted initialization flaws arise when threat actors can control initialization parameters or system settings through external means. This can lead to interrupted service to customers or cause odd application behavior.
the data
Untrusted Initialization flaws are very common in PHP, showing up in about 50.6% of applications. However, Veracode Static Analysis discovered that in most languages, untrusted initialization flaws only exist in 9.6% of applications.
Source: State of Software Security Volume 12
the fix
Implement proper secure coding processes and scan your code using static and dynamic analysis testing tools to identify and fix application weaknesses.
PHP
54.7% Information Leakage
What it is
Information leakage can take on many forms. At a high level, it's as simple as your application making information or data available to users who shouldn't have access. Threat actors can use leaked information to find and exploit vulnerabilities in your application or simply steal the leaked data.
the data
Veracode Static Analysis discovered that information leakage flaws are found in 61.1% of applications.
Source: State of Software Security Volume 12
the fix
Mitigating information leakage relies on secure coding practices and implementing security testing procedures as you develop code. Doing so will help ensure that you catch flaws or vulnerabilities where sensitive information is exposed.
PHP
61.4% Directory Traversal
What it is
Directory traversal, also sometimes known as path traversal, is a type of HTTP exploit used by threat actors to gain unauthorized access to restricted directories and files. This vulnerability exploits inadequate security mechanisms in web server software to access directories and files stored outside of the web root folder.
the data
Veracode Static Analysis discovered that directory traversal flaws are found in 42.4% of applications.
Source: State of Software Security Volume 12
the fix
An attacker who exploits a directory traversal flaw can compromise the entire web server. To mitigate directory traversals, make sure you follow secure coding practices and validate user input from browsers, use filters to block certain user input, keep your web server software up to date with patches, and run frequent static analysis scans.
PHP
71.0% Cryptographic Issues
What it is
Cryptographic flaws include improperly validating certificates, using broken crypto algorithms, employing inadequate encryption strength, and storing sensitive information in cleartext. This flaw can lead to stolen or destroyed data – including your organization’s most sensitive information.
the data
Veracode Static Analysis discovered that cryptographic issues are found in nearly two-thirds (60.2%) of applications.
Source: State of Software Security Volume 12
the fix
Cryptographic vulnerabilities are preventable with secure coding practices. Most major languages inherently support good cryptographic practices, and concerns over incorrect implementation typically arise only on a case-by-case basis.
PHP
77.2% Cross-Site Scripting (XSS)
What it is
Cross-site scripting (XSS) flaws permit attackers to inject client-side scripts into the application. They lead to a wide attack surface for threat actors to hijack user accounts, spread worms and Trojans, access browser history and clipboard contents, control the browser remotely, and exploit online appliances and applications.
the data
Veracode Static Analysis discovered that XSS flaws occur in 40.1% of applications.
Source: State of Software Security Volume 12
the fix
You can prevent these vulnerabilities with secure coding practices. For example, always sanitize input from search fields and forms by validating that it’s the expected content for the field and then encoding it for the “endpoint.”
Python
8.3% Server Configuration
What it is
Server configuration issues occur when your web server is misconfigured, which may lead to an attacker obtaining sensitive data, like credentials.
the data
Veracode Static Analysis discovered that server configuration vulnerabilities occur in 11.2% of applications.
Source: State of Software Security Volume 12
the fix
To reduce risk from server configuration issues, restrict access to files and either back them up or place them outside the web root directory. Follow secure coding practices for additional security protection.
Python
8.6% Code Quality
What it is
Code quality refers to weaknesses in your code that can indicate to threat actors and attackers that the application has not been carefully developed or maintained. While code quality does not directly introduce flaws into your applications, it causes unpredictable app behavior that is easily abused.
the data
Veracode Static Analysis discovered that code quality issues occur in 56.4% of applications.
Source: State of Software Security Volume 12
the fix
Prevent poor code quality by practicing secure coding methodologies, utilizing consistent coding patterns, and automating security testing in your SDLC.
Python
13.8% Credentials Management
What it is
A credentials management attack is an exploit that attempts to breach username and password pairs to take control of user accounts. If threat actors are successful, they can steal, alter, or erase data, install malware, gain deeper access to your files and systems, and even initiate transactions.
the data
Veracode Static Analysis discovered that credentials management flaws occur in 43.5% of applications.
Source: State of Software Security Volume 12
the fix
Reduce your risk of an attack by storing encrypted passwords in restricted locations and avoiding hard-coded credentials. For inbound authentication using passwords, we recommend using strong one-way hash functions and storing the resulting hashes in a protected configuration file or database.
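An added example, written for this page rather than taken from it, of the fix described for the PHP and Python Credentials Management entries above: passwords are stored only as salted one-way scrypt hashes, verification compares in constant time, and the database credential itself is read from the environment or a protected config instead of being hard-coded. The record format, work factors and function names are constructed for this illustration.

```python
import base64
import hashlib
import hmac
import os

# scrypt work factors for this example (constructed; raise them as hardware allows).
_N, _R, _P, _DKLEN = 2 ** 14, 8, 1, 32


def _b64(data):
    return base64.b64encode(data).decode("ascii")


def hash_password(password):
    """Return a self-describing record 'scrypt$N$r$p$salt$hash' for storage.

    A fresh random salt per password means equal passwords never share a hash,
    and the one-way function means the stored record cannot be reversed."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=_N, r=_R, p=_P, dklen=_DKLEN)
    return f"scrypt${_N}${_R}${_P}${_b64(salt)}${_b64(digest)}"


def verify_password(record, candidate):
    """Recompute with the stored parameters and compare in constant time."""
    try:
        algo, n, r, p, salt_b64, hash_b64 = record.split("$")
        if algo != "scrypt":
            return False
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(hash_b64)
        got = hashlib.scrypt(candidate.encode("utf-8"), salt=salt,
                             n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except ValueError:  # malformed record, bad base64 or bad parameters
        return False
    return hmac.compare_digest(got, expected)


def load_secret(name, env=None):
    """Read a credential from the environment (or a protected config already
    loaded into `env`) instead of hard-coding it in source."""
    value = (os.environ if env is None else env).get(name)
    if not value:
        raise RuntimeError(f"secret {name} is not configured")
    return value
```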
Python
16.3% Authorization Issues
What it is
Authorization issues occur when authorization controls are not in place, or they're misconfigured or insecure. They can impact a range of layers in applications, including functions at the app layer, server access, and database access.
the data
Veracode Static Analysis discovered that authorization issues occur in 9.9% of applications.
Source: State of Software Security Volume 12
the fix
To prevent authorization issues, implement secure coding practices in your developer workflow and push for consistent security testing. Locate and control access to privileged assets in your applications based on the principles of least privilege. Ensure all roles in the application are properly configured to access only the necessary data.
Python
17.3% Insufficient Input Validation
What it is
Insufficient input validation is potentially dangerous as it can allow threat actors to perform cross-site scripting (XSS), as well as SQL injection attacks.
the data
Veracode Static Analysis discovered that insufficient input validation occurs in 42.6% of applications.
Source: State of Software Security Volume 12
the fix
In addition to implementing secure coding practices, perform automated static analysis (SAST) and dynamic analysis (DAST) scans. This will help you detect insufficient input validation.
Python
24.3% Information Leakage
What it is
Information leakage can take on many forms. At a high level, it's as simple as your application making information or data available to users who shouldn't have access. Threat actors can use leaked information to find and exploit vulnerabilities in your application or simply steal the leaked data.
the data
Veracode Static Analysis discovered that information leakage flaws are found in 61.1% of applications.
Source: State of Software Security Volume 12
the fix
Mitigating information leakage relies on secure coding practices and implementing security testing procedures as you develop code. Doing so will help ensure that you catch flaws or vulnerabilities where sensitive information is exposed.
Python
31.2% CRLF Injection
What it is
CRLF injection is a Carriage Return Line Feed (CRLF) exploit. When threat actors inject a CRLF sequence into an HTTP stream, it enables them to maliciously manipulate a web application’s functions.
the data
Veracode Static Analysis discovered that CRLF injection exploits are rampant, appearing in a sizeable 64.7% of applications.
Source: State of Software Security Volume 12
the fix
Prevent CRLF injection flaws by never trusting user input. Sanitize user-supplied data with proper validation and encoding, and be sure to properly encode output in HTTP headers.
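An added example (not code from the Veracode page) of the header check recommended in the fix for the PHP and Python CRLF Injection entries above: the "before" serializer copies a value into the response verbatim, so a value carrying CR LF becomes an extra header line, while the hardened form refuses any CR, LF or NUL before the header reaches the wire. The regular expressions, the tainted sample value and all function names are constructed for this illustration.

```python
import re

# CR and LF end a header line, so neither may appear inside a value; NUL is
# rejected as a defensive measure. (Constructed patterns, not from the page.)
_FORBIDDEN_IN_VALUE = re.compile(r"[\r\n\x00]")
# Header names must be RFC 7230 tokens (no spaces, separators or controls).
_HEADER_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def serialize_headers_unsafe(headers):
    """The 'before' case: each value is copied verbatim into the response.

    A value containing '\\r\\n' splits into additional header lines that the
    client treats as if the server had sent them."""
    return "".join(f"{name}: {value}\r\n" for name, value in headers) + "\r\n"


def validate_header(name, value):
    """Raise ValueError unless the header stays on a single line."""
    if not _HEADER_TOKEN.fullmatch(name):
        raise ValueError(f"invalid header name: {name!r}")
    if _FORBIDDEN_IN_VALUE.search(value):
        raise ValueError(f"CR, LF or NUL in value of {name}: {value!r}")
    return name, value


def serialize_headers_safe(headers):
    """Hardened form: validate every header before serializing it."""
    return serialize_headers_unsafe([validate_header(n, v) for n, v in headers])


def header_line_count(raw):
    """Number of header lines a receiver would parse from a serialized block."""
    header_block = raw.split("\r\n\r\n", 1)[0]
    return len(header_block.split("\r\n"))


# Constructed sample: a redirect target taken from a query parameter into
# which a CRLF sequence has been injected.
TAINTED_LOCATION = "/home\r\nX-Constructed-Example: injected"
```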
Python
37.5% Directory Traversal
What it is
Directory traversal, also sometimes known as path traversal, is a type of HTTP exploit used by threat actors to gain unauthorized access to restricted directories and files. This vulnerability exploits inadequate security mechanisms in web server software to access directories and files stored outside of the web root folder.
the data
Veracode Static Analysis discovered that directory traversal flaws are found in 42.4% of applications.
Source: State of Software Security Volume 12
the fix
An attacker that exploits a directory traversal flaw can compromise the entire web server. To mitigate directory traversals, make sure you follow secure coding practices and validate user input from browsers, use filters to block certain user input, keep your web server software up to date with patches, and run frequent static analysis scans.
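An added example, not taken from the Veracode page, of the input validation called for in the fix for the PHP and Python Directory Traversal entries above: a request path is mapped onto the web root only after rejecting NUL bytes, absolute paths and ".." components, and then confirming that the fully resolved location is still inside the root, which is the case a pure ".." filter misses when a symlink inside the root points outside it. The fixture directory, file names and function names are constructed for this illustration.

```python
import os
import tempfile
from pathlib import Path, PurePosixPath


class PathOutsideRoot(ValueError):
    """Raised when a browser-supplied path would leave the web root."""


def safe_join(web_root, user_path):
    """Map a relative path from the request onto a file inside web_root.

    Rejects NUL bytes, absolute paths and '..' components up front, then
    checks the fully resolved location, because a symlink inside the root
    can still point outside it even when every component looks harmless."""
    if "\x00" in user_path:
        raise PathOutsideRoot("NUL byte in requested path")
    rel = PurePosixPath(user_path.replace("\\", "/"))
    if not rel.parts or rel.is_absolute() or ".." in rel.parts:
        raise PathOutsideRoot(f"rejected path: {user_path!r}")
    root = Path(web_root).resolve(strict=True)
    target = root.joinpath(*rel.parts).resolve()
    if target != root and root not in target.parents:
        raise PathOutsideRoot(f"{user_path!r} resolves outside the web root")
    return target


def can_serve(web_root, user_path):
    """True if the request maps to a location the server may read."""
    try:
        safe_join(web_root, user_path)
        return True
    except PathOutsideRoot:
        return False


def make_demo_root():
    """Constructed fixture: a web root holding one page plus a symlink that
    escapes to a file outside the root (the case '..' filtering alone misses)."""
    base = Path(tempfile.mkdtemp())
    root = base / "www"
    root.mkdir()
    (root / "index.html").write_text("<h1>hello</h1>")
    (base / "secret.txt").write_text("not served")
    os.symlink(base / "secret.txt", root / "escape")
    return root
```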
Python
38.8% Cross-Site Scripting (XSS)
What it is
Cross-site scripting (XSS) flaws permit attackers to inject client-side scripts into the application. They lead to a wide attack surface for threat actors to hijack user accounts, spread worms and Trojans, access browser history and clipboard contents, control the browser remotely, and exploit online appliances and applications.
the data
Veracode Static Analysis discovered that XSS flaws occur in 40.1% of applications.
Source: State of Software Security Volume 12
the fix
You can prevent these vulnerabilities with secure coding practices. For example, always sanitize input from search fields and forms by validating that it’s the expected content for the field and then encoding it for the “endpoint.”
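An added example, written for this page rather than taken from it, of the two-step fix given for the PHP and Python XSS entries above: a search term is first validated against what the field is expected to contain, then encoded separately for each endpoint it reaches (HTML text, a quoted attribute, and a URL query component that itself sits inside an attribute). The allow-list pattern, page template and function names are constructed for this illustration.

```python
import html
import re
from urllib.parse import quote

# Constructed allow-list for a search field: word characters, spaces and a
# few punctuation marks, capped at 64 characters. Tune it per field.
_SEARCH_TERM = re.compile(r"[\w .,&'-]{1,64}")


def validate_search_term(term):
    """Step 1: confirm the input is the expected content for the field."""
    if not _SEARCH_TERM.fullmatch(term):
        raise ValueError(f"unexpected content in search field: {term!r}")
    return term


def render_results_page(term, page=2):
    """Step 2: encode the value for each endpoint it reaches.

    The same term needs HTML escaping in text and attributes, URL encoding
    inside a query string, and the finished URL is HTML-escaped again
    because it is embedded in an href attribute."""
    in_html = html.escape(term, quote=True)
    in_url = quote(term, safe="")
    href = html.escape(f"/search?q={in_url}&page={page}", quote=True)
    return (
        f'<form><input name="q" value="{in_html}"></form>'
        f"<p>Results for <b>{in_html}</b></p>"
        f'<a href="{href}">next</a>'
    )


def handle_search(term):
    """Validate first, then encode; both layers stay even if one is bypassed."""
    return render_results_page(validate_search_term(term))
```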
Python
52.0% Cryptographic Issues
What it is
Cryptographic flaws include improperly validating certificates, using broken crypto algorithms, employing inadequate encryption strength, and storing sensitive information in cleartext. This flaw can lead to stolen or destroyed data – including your organization’s most sensitive information.
the data
Veracode Static Analysis discovered that cryptographic issues are found in nearly two-thirds (60.2%) of applications.
Source: State of Software Security Volume 12
the fix
Cryptographic vulnerabilities are preventable with secure coding practices. Most major languages inherently support good cryptographic practices, and concerns over incorrect implementation typically arise only on a case-by-case basis.
The most common flaw type in .NET (64.8%) applications is information leakage.
Source: State of Software Security Volume 12
Security Flaw Heat Map by language: share of applications in which each flaw type appears

C++
Untrusted Initialization: 11.8%
Race Conditions: 29.0%
Potential Backdoor: 31.4%
Code Quality: 39.3%
Buffer Overflow: 39.7%
Directory Traversal: 42.0%
Cryptographic Issues: 44.8%
Numeric Errors: 49.1%
Buffer Management Errors: 53.5%
Error Handling: 72.5%

PHP
Code Injection: 34.4%
Command or Argument Injection: 34.6%
CRLF Injection: 35.4%
Encapsulation: 36.5%
Credentials Management: 47.9%
Untrusted Initialization: 50.6%
Information Leakage: 54.7%
Directory Traversal: 61.4%
Cryptographic Issues: 71.0%
Cross-Site Scripting (XSS): 77.2%

JavaScript
Authorization Issues: 6.8%
Code Quality: 8.2%
Directory Traversal: 16.0%
Authentication Issues: 26.0%
Information Leakage: 29.9%
Cryptographic Issues: 31.0%
Insufficient Input Validation: 36.0%
Cross-Site Scripting (XSS): 38.0%
Credentials Management: 43.5%
CRLF Injection: 43.8%

Java
API Abuse: 14.7%
Encapsulation: 17.0%
Insufficient Input Validation: 21.2%
Cross-Site Scripting (XSS): 22.5%
Credentials Management: 24.9%
Error Handling: 31.1%
Directory Traversal: 49.6%
Information Leakage: 50.9%
Code Quality: 58.8%
CRLF Injection: 64.8%

.NET
SQL Injection: 11.8%
Authentication Issues: 14.2%
Cross-Site Scripting (XSS): 22.3%
Credentials Management: 22.7%
CRLF Injection: 30.0%
Directory Traversal: 30.8%
Cryptographic Issues: 46.6%
Insufficient Input Validation: 52.9%
Code Quality: 59.3%
Information Leakage: 64.8%

Python
Server Configuration: 8.3%
Code Quality: 8.6%
Credentials Management: 13.8%
Authorization Issues: 16.3%
Insufficient Input Validation: 17.3%
Information Leakage: 24.3%
CRLF Injection: 31.2%
Directory Traversal: 37.5%
Cross-Site Scripting (XSS): 38.8%
Cryptographic Issues: 52.0%
For all the latest information on the recent State of Software Security, visit our Hub page.