Application security company Veracode is demonstrating to developers how easy it is to test for and identify vulnerabilities in their applications by granting free access to one of its services. Veracode’s offerings include automated binary analysis in the cloud, and as of today developers can register to upload one application to the cloud and test it for cross-site scripting (XSS) vulnerabilities at no cost. XSS, a common attack in which malicious script is injected into a web page (often via a crafted link) and executes in a user’s browser when the link is opened, is a long-standing problem in application development and has been responsible for major security breaches.
Veracode hopes to demonstrate how avoidable XSS vulnerabilities are while highlighting its application security testing offerings, boasting its ability to serve both SMBs and large organizations. Most development oversights are minor but can have major repercussions, which is why Veracode is doing its part to aid in the “long road to eliminating XSS.” In a recent blog post, Veracode application security researcher Chris Eng likens fixing XSS vulnerabilities to squashing ants, but a trivial fix does not make the problem itself trivial:
At Veracode, we see thousands — sometimes tens of thousands — of XSS vulnerabilities a week. Many are of the previously described trivial variety that can be fixed with a single line of code. Some of our customers upload a new build the following day; others never do. Motivation is clearly a factor. Think about the XSS vulnerabilities that hit highly visible websites such as Facebook, Twitter, MySpace, and others. Sometimes those companies push XSS fixes to production in a matter of hours! Are their developers really that much better? Of course not. The difference is how seriously the business takes it. When they believe it’s important, you can bet it gets fixed.
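As an added illustration of the “single line of code” fix the quote refers to (example code written for this page, not Veracode’s or Chris Eng’s): a reflected-XSS-prone results renderer beside the same function with HTML encoding applied to the user-supplied value. The function names and the sample input are constructed for the illustration.

```javascript
// Added example: reflected XSS in a page template and the one-line fix.
// Names (escapeHtml, renderResultsUnsafe, renderResultsSafe, containsInjectedTag)
// are constructed for this illustration, not taken from any real product.

// Encode the five characters that matter in an HTML text or attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Vulnerable: the query parameter is concatenated straight into markup, so any
// HTML carried in the URL is echoed back and interpreted by the victim's browser.
function renderResultsUnsafe(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// Fixed: the single-line change is to encode the untrusted value for the HTML
// context it lands in. The text still displays, but as inert characters.
function renderResultsSafe(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Cheap check a code reviewer or test suite can apply: did a tag present in the
// input survive verbatim into the rendered page? (A heuristic, not a full parser.)
function containsInjectedTag(html, input) {
  return /<[a-z!\/]/i.test(input) && html.includes(input);
}

// Constructed sample input: the textbook probe string used in XSS testing.
const sample = '<script>alert(1)</script>';
console.log(renderResultsUnsafe(sample)); // the tag is echoed intact
console.log(renderResultsSafe(sample));   // <h1>Results for: &lt;script&gt;alert(1)&lt;/script&gt;</h1>
```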
In a climate that’s teeming with new security threats every hour, a company’s security priority list can be the difference between a close call and a major setback. Proactivity is key. There’s no such thing as a free lunch, but when a company is offering free security testing, it makes reprioritizing not only appealing but affordable. What does your company have at the top of its security priority list this year? Do you anticipate taking application security testing in the cloud for a spin? Let us know in the comments or send me an email at Melanie@ITKnowledgeExchange.com.