Old and sloppily written code is exposing businesses to hackers, new research has warned, with the financial sector at the highest risk.
After reviewing more than 278 million lines of code in 1,388 applications worldwide, researchers have found 1.3 million weaknesses which could allow hackers to take advantage of corporate systems.
Research by software company CAST found that financial services institutions had the worst code, according to a benchmark called the Common Weakness Enumeration (CWE).
CWE is a catalogue of known types of security weakness that attackers could exploit; it covers software architecture as well as the code itself.
Software in the financial sector has the most coding mistakes and insecure coding practices per thousand lines of code in its applications, a measure the report calls CWE density.
The report said: “Applications installed in 2012 are more than due for a health check. Applications between five and 10 years old have the greatest potential for security flaws.”
It added: “Poor coding is likely due to the fact 37% of developers are not graded on code quality.”
Dr Bill Curtis, the chief scientist at CAST, said: “We found that overall, organisations are taking application security quite seriously. However, there are clear outliers to this broad finding that put companies and their customers at significant risk.”
He added: “Without a clear understanding of existing application security vulnerabilities, organisations are not addressing some of the biggest software risks that pose a threat to their business.”
The telecommunications sector also performed poorly compared with other areas of industry, and the IT consulting sector also ranked high for errors.
Some of the worst code was written with Microsoft’s .NET framework, although applications developed in Java that were released more than six times per year had the very highest CWE densities.
The manufacturing, energy and pharmaceuticals sectors had the least vulnerable code.