More than half of mobile applications are not secure, says a report released by Veracode. Out of more than 2,900 applications tested over the past 18-month period, 57 percent of all applications were found to have unacceptable application security quality on first submission to Veracode’s testing service, even when standards were lowered for those considered less business critical. According to the Veracode study, third-party code is an essential and rapidly growing part of an enterprise’s software portfolio, making up nearly 30 percent of all applications submitted to Veracode for review, with third-party components comprising between 30-70 percent of internally developed applications. Of particular note, third-party suppliers failed to achieve acceptable security standards 81 percent of the time. Suppliers of cloud/web applications made up nearly 60 percent of all third-party assessments requested of Veracode. Similar to the results of testing other types of third-party software, cloud/web applications show low levels of acceptable security. Eight out of 10 web applications would fail a PCI audit. Says Veracode, “Based on automated analysis,we found that eight out of 10 web applications failed to comply with the Open Web Application Security Project (OWASP) top 10 industry standard for security quality, and therefore would not pass a PCI audit.” Fifty-six percent of finance-related applications failed upon first submission to Veracode’s testing service. Analysis shows that software quality of applications from banking, insurance and financial services industries is not commensurate with the security requirements expected for business critical applications, though the financial services industry performed better than banking and insurance overall. While, cross-site scripting remains prevalent, accounting for 51 percent of all vulnerabilities uncovered in the testing process; .NET applications exhibited abnormally high cross-site scripting vulnerabilities. Additionally, “potential backdoors” broke into the top 10 most common vulnerabilities. However, Veracode found that the security issues are being resolved faster, with the time it takes for organizations to repair flaws to achieve acceptable levels of security decreased from between 36-82 days, to 16 days on average.