BURLINGTON, Mass.--(BUSINESS WIRE)--Cross-site scripting (XSS) errors are responsible for more than half of all web application vulnerabilities1. So, in this age of accountability and expectations for secure, high quality software, what’s being done about it? Veracode, Inc., provider of the world’s only independent cloud-based application risk management platform, today announced a solution to this problem: the Veracode Free XSS Detection Service. Veracode’s new service empowers global developers and security professionals to quickly and easily identify dangerous and costly XSS vulnerabilities, while offering remediation recommendations to produce higher security web applications.
OWASP includes XSS on its list of the Top 10 most dangerous software risks, and despite the high prevalence, Veracode is certain that XSS vulnerabilities can be easily eliminated once detected. Veracode Free XSS Detection Service removes perceived complexity from the detection process, and with access to proper education and training, developers can avoid introducing the flaws into software in the first place. According to OWASP, XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim’s browser that can hijack user sessions, deface web sites, or redirect the user to malicious sites.
Here’s how the Veracode Free XSS Detection Service works:
- Sign up for a Free XSS Detection Service account and login at http://www.veracode.com/freeservice
- Users submit one Java application, free of charge
- The Veracode platform will search for XSS errors and produce a detailed report with location and remediation information
- Participants will also receive complimentary access to Veracode’s dedicated XSS eLearning courses
“At Veracode, we see thousands — sometimes tens of thousands — of XSS vulnerabilities a week. Many are those we describe as ’trivial’ and can be fixed with a single line of code. Some of our customers upload a new build the following day; others never do. Motivation is clearly a factor,” said Chris Eng, senior director of security research, Veracode. “Think about the XSS vulnerabilities that hit highly visible websites such as Facebook, Twitter, MySpace and others. Sometimes those companies push XSS fixes to production in a matter of hours. Are their developers really that much better? Of course not. The difference is how seriously the business takes it. When they believe it’s important, you can bet it gets fixed.”
Veracode’s patented cloud-based application security verification service enables organizations to quickly and cost-effectively validate the security of internally developed software applications, third-party components and purchased or outsourced software applications. Veracode’s “State of Software Security Report: Volume 2”showed that, with the appropriate knowledge, developers are capable of fixing security issues quickly. In cases where developers chose to remediate flaws and rescan the application, they reached an “acceptable” level of security in an average of 16 days.
“We strongly believe that many XSS errors are straightforward and easy to fix, and that much can be done to greatly reduce their occurrence. Our Free XSS Detection Service is an important step toward demonstrating that reality,” said Matt Moynahan, CEO, Veracode. “Developer and product security teams must accept greater accountability for writing better code. With this new service, there is no excuse. They can quickly and easily test an application in its final state to identify flaws before it’s made available to their partners, customers or introduced into the software supply chain.”
Additional XSS Assets
Following are links to valuable resources addressing XSS vulnerabilities:
- Read the new “Eradicate Cross-Site Scripting” whitepaper written to empower organizations to expand their web security programs
- Listen to Veracode’s Senior Director of Research Chris Eng explain why XSS is easy to detect, attack and fix in this informative video, “What is Cross-Site Scripting?”
- Review background from OWASP and CWE/SANS: http://www.owasp.org/index.php/XSS, http://cwe.mitre.org/top25/#CWE-79
Additionally, on Wednesday, February 2 at 1 p.m. EST, Veracode will co-host a webinar with Chenxi Wang, Ph.D., vice president, principal analyst, Forrester Research. The event, “No More Excuses: End Cross-site Scripting Now,” will not only discuss the challenges and best practices for securing software from XSS, but also explore the actionable strategies organizations can take to implement a successful application security program even when resources are limited.
For more information on the Veracode Free XSS Detection Service, visit http://www.veracode.com/freeservice. Or, learn about the new service by visiting Veracode at the RSA Conference 2011 in San Francisco, booth #629.
1 – Veracode’s “State of Software Security Report: Volume 2,” September 2010
About Veracode
Veracode is the only independent provider of cloud-based application intelligence and security verification services. The Veracode platform provides the fastest, most comprehensive solution to improve the security of internally developed, purchased or outsourced software applications and third-party components. By combining patented static, dynamic and manual testing, extensive eLearning capabilities, and advanced application analytics Veracode enables scalable, policy-driven application risk management programs. Veracode delivers unbiased proof of application security to stakeholders across the software supply chain while supporting independent audit and compliance requirements for all applications no matter how they are deployed, via the web, mobile or in the cloud. The company’s more than 175 customers include Barclays PLC, California Public Employees’ Retirement System (CalPERS), Computershare and the Federal Aviation Administration (FAA). For more information, visit www.veracode.com, read the ZeroDay Labs’ blog or follow on Twitter @Veracode.
Copyright © 2011Veracode, Inc. All Rights Reserved. All other brand names, product names, or trademarks belong to their respective holders.