58% of critical apps insecure

Written by John P Mello Jr on March 5, 2010
The most prevalent vulnerability by overall frequency identified by the report is cross-site scripting (XSS).

Most software used by large companies in critical business applications is insecure, according to a report released by a company that tests programs for security vulnerabilities.

In a report titled “State of Software Security,” the company, Veracode, of Burlington, Mass., disclosed that when it first tested some 1600 business-critical applications, 58 percent of them failed to achieve an acceptable security score.

The worst culprits were programs developed by companies for internal use. Failure rates for those applications were as high as 88 percent, the report said.

“Extrapolating from the application sample set, more than half of the software deployed in enterprises today is potentially susceptible to an application layer attack similar to that used in the recent Heartland or Google security breaches,” it noted.

The most secure software submitted to Veracode for testing originated with the financial industry or government sector. More than half the applications from those industries passed muster on their first go-round with testers, which placed them at the top of the list of 15 industries represented in the study’s data set.

The report also plugged open source software as a viable solution for businesses. The failure rate for open source programs was on par with their commercial counterparts: 39 percent for open source, 38 percent for commercial wares.

What’s more, the speed at which security vulnerabilities were addressed in open source programs was far better than their competitors: 36 days for open source, 48 days for internal software and 82 days for commercial apps.

In addition, open source programs contained the fewest vulnerabilities that could potentially be converted into backdoors which could be exploited by crackers for havoc. “The relative absence of potential backdoors is apparent testimony to the positive effect of transparency in the Open Source community,” the report reasoned.

The most prevalent vulnerability by overall frequency identified by the report is cross-site scripting (XSS). It’s also the third most prevalent by number of applications. Some 40 percent of internally developed applications had XSS vulnerabilities; 22 percent of commercial apps; 41 percent of open source wares; and 16 percent of outsourced software.

“Despite nearly a decade of focus on cross-site scripting as a serious security threat,” the report maintained, “its continued prevalence reflects both the pervasive nature of the problem and the evolving threat landscape (i.e. increasing use of dynamic Web content).”

“Cross-site scripting remains as rampant as ever,” it added, “undeterred by the wide availability of libraries intended to eliminate the risk via proper output encoding.”

The report argued that the persistence of XSS vulnerabilities may be attributable to developers focusing on writing strong functional code and hitting shipping dates without regard to security considerations.

It may also mean, it added, that security testing among developers is immature and that proper threat modeling processes haven’t been implemented.

“Better education of web developers on this vulnerability and others such as SQL Injection is essential,” it added.
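The report's point about output encoding is easiest to see side by side. The following is an added example, not code from the article or from the Veracode report: a minimal HTML encoder, the unsafe pattern that produces reflected XSS (untrusted input concatenated straight into markup) and the same template with the value encoded first. The function names and the sample inputs are constructed for this illustration.

```javascript
// Added example (not from the article or the Veracode report).
// Demonstrates why "proper output encoding" closes the most common
// cross-site scripting hole: untrusted text is rendered as text, not markup.

// Encode the characters that change meaning inside an HTML text or
// attribute context. Ampersand must be handled first so that entities
// produced by the later replacements are not double-encoded.
function encodeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable pattern: whatever the user supplied becomes part of the page
// structure, so a value containing a tag is interpreted as a tag.
function renderGreetingUnsafe(name) {
  return "<p>Hello, " + name + "</p>";
}

// Hardened pattern: identical template, but every untrusted value passes
// through the encoder before it is placed in the HTML text context.
function renderGreetingSafe(name) {
  return "<p>Hello, " + encodeHtml(name) + "</p>";
}

// Check used only for this demonstration: strip the fixed template and ask
// whether anything that the browser would parse as a tag is left over.
function containsInjectedTag(html) {
  const body = html.replace(/^<p>Hello, /, "").replace(/<\/p>$/, "");
  return /<[a-zA-Z/!]/.test(body);
}

// Render one input both ways and report whether each result still carries
// markup that was not part of the template. Returns data rather than
// printing so the comparison can be inspected or asserted on.
function compareRendering(input) {
  const unsafe = renderGreetingUnsafe(input);
  const safe = renderGreetingSafe(input);
  return {
    input,
    unsafe,
    safe,
    unsafeInjects: containsInjectedTag(unsafe),
    safeInjects: containsInjectedTag(safe),
  };
}

// Constructed sample inputs: an ordinary name and a value that carries a
// harmless tag, which is enough to show the structural difference.
const SAMPLE_INPUTS = ["Alice", "<b>not a name</b>"];

for (const input of SAMPLE_INPUTS) {
  const result = compareRendering(input);
  console.log(JSON.stringify(result, null, 2));
}
```

The encoder covers an HTML text or quoted-attribute context only; values placed inside a script block, a URL or a CSS property need the encoding rules for that context, which is one reason the report recommends using a maintained encoding library rather than hand-written replacements.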

A surprising finding by the report writers was the dearth of outsourced software submitted for testing: only two percent of the total sample.

“With the primary motivation being cost reduction, it is likely that these outsourcing contracts neglect to define specific security acceptance requirements,” the report reasoned. “This could be one reason why outsourced software was underrepresented in our data.”

“However, as noted earlier,” it continued, “most applications labeled as internally developed actually contained a significant percentage of third-party code, including outsourced components that were not identified separately.”

The report estimated that from 30 to 40 percent of all code in internally developed applications could be identified as coming from third parties, such as open source components or outsourced or commercial libraries and components. What’s more, the third-party components often contain borrowed code from other third parties.

“For executives,” the report warned, “the evidence points to an increasing percentage of software infrastructure and associated liability coming from unknown and unmanaged third parties.”

The report called on companies to look beyond ex post facto solutions to cure their security problems.

“Without a change in the way organizations are protecting themselves from the exploitation of software vulnerabilities, progress won’t be made,” it declared. “Patching quicker and updating anti-virus and IDS/IPS signatures faster is not stemming the tide.”

“The Application Threat Space moves extremely quickly,” it continued. “Veracode recommends keeping the layered defenses but shifting some resources to fixing the root cause of data compromise which are without doubt the software vulnerabilities themselves.”
