Code review company Veracode is offering corporate developers the chance to have one app run through the company’s online security service for cross-site scripting (XSS) errors free of charge.
It’s only one app and that must be Java-based, but it’s not a bad place to start looking for XSS problems, Veracode reckons. XSS vulnerabilities are one of the commonest problems to afflict software from a security point of view despite being, the company says, relatively easy to spot and fix.
In their simplest form, XSS flaws allow attackers to inject untrusted data to hijack web pages in a way that makes a mockery of access controls. The severity of the effect depends on the type of website and the nature of the element being manipulated by the attacker. As many companies know to their cost, they can be deadly.
Developers interested in trying out the offer should visit the Free XSS Detection Service website, submit a single Java app, and await a report that comes with location and remediation advice. It doesn’t fix the flaw but it will give the coder some idea of the implications of the vulnerability and tell them how to best fix it.
“At Veracode, we see thousands of XSS vulnerabilities a week. Many are those we describe as ’trivial’ and can be fixed with a single line of code,” commented Vercode security researcher, Chris Eng. “Some of our customers upload a new build the following day; others never do. Motivation is clearly a factor.”
After launching its cloud-based testing system in 2008, Veracode has divided its service into a number of more targeted uses, including last year’s service to spot programming back doors inserted by outsourced teams for their own convenience.
“Developer and product security teams must accept greater accountability for writing better code. With this new service, there is no excuse,” said Veracode CEO, Matt Moynahan.