Over half of the applications scanned by a software testing company fail to meet security acceptance standards. More worryingly, products and services provided by security vendors themselves are often full of gaps and are putting organisations at risk.

The results form part of the third edition of Veracode’s State of Software Security Report. The company analysed nearly 5,000 different applications,featuring a mix of internally-built software, commercial applications and open source software.

According to Veracode, 58% of applications tested failed to meet acceptable security standards upon first submission, while eight out of 10 web applications failed against OWASP top 10. The two most common flaws found in web applications were cross site scripting (XSS) and SQL injection vulnerabilities.

Acceptable security standards are set by the customer and are rated by how critical the application is, according to Matt Peachey, VP EMEA at Veracode.

What is perhaps more worrying about this report is that security companies, purveyors of products that are supposed to keep customers safe, are even more guilty of producing software riddle with security flaws.

According to the report, 72% of the security products and services analysed failed to meet acceptable standards when first submitted. This is the second-worst performing area, after customer support software, where 82% of applications fail upon first submission.

"When you buy a security product you make the assumption that it’s going to be safe," Peachey told CBR. "The security industry needs to improve significantly from a product security point of view. The problem is that developers develop, they are not security experts, even if they work for a security company. You need structure, process and a programme to assess security. You also get a lot of moving around of development resources from company to company. If they have bad habits, they’ll move with them. There is also quite a lot of re-used code."

It is not all bad news though. Once Veracode makes software developers aware of the flaws in their products, they are quick to react. The vast majority (90%) fix issues within 30 days, while for security companies that figures comes down to just three days.