Veracode has introduced a free cross-site scripting (XSS) scanning service, which it claims will help developers spot vulnerabilities in web applications.

The firm, a provider of cloud-based application risk management services, claims XSS errors are responsible for more than half of all web application vulnerabilities and cloud allow cyber criminals to inject malicious code in to website.

Registered users can upload a Java-based application to the Veracode Free XSS Detection Service, which then scans the application’s code. Any vulnerabilities are then fed back to the user via a report along with recommendations for fixing the security holes. Users will also receive free access to Veracode’s XSS eLearning courses.

The cloud-based nature of the services means that developers do not have to worry about physically sending code to a third-party to test, which can be an expensive and time-consuming exercise according to Veracode CEO Matt Moynahan.

Speaking to CBR, Moynahan continued: "It’s a really great example of why it’s better than a tool; we’re expecting thousands of developers to use it from over 50 different countries. It’s a showcase for the power of the cloud. We have good relations with the developers because they are a key part of enterprise software industry and we’re making it easy for them to write secure code."

Matt Peachey, Veracode’s VP EMEA, said: "The reason we’ve focused on XSS is that today it’s still the number one flaw worldwide, despite all the experts document how to get rid of it. It’s a very simple thing to fix."

"At Veracode, we see thousands — sometimes tens of thousands — of XSS vulnerabilities a week. Many are those we describe as ‘trivial’ and can be fixed with a single line of code. Some of our customers upload a new build the following day; others never do. Motivation is clearly a factor," said Chris Eng, senior director of security research, Veracode.

"Think about the XSS vulnerabilities that hit highly visible websites such as Facebook, Twitter, MySpace and others. Sometimes those companies push XSS fixes to production in a matter of hours. Are their developers really that much better? Of course not. The difference is how seriously the business takes it. When they believe it’s important, you can bet it gets fixed," Eng added.