Since our last report, the risks associated with vulnerable software deployed in enterprise environments have been highlighted in the news on nearly a weekly basis. The majority of reported breaches that exposed customer data or intellectual property were caused by attackers exploiting weaknesses in web applications or desktop software. We have also witnessed the rise of new attacker categories: cyber spies focused on stealing intellectual property, and hacktivists motivated by publicly embarrassing companies and individuals.
Essentially, if your organization has anything worth protecting—money, intellectual property or a trusted reputation—you need to be concerned about the security of the software that is embedded within every aspect of your enterprise.
Over the horizon, we see changes that are adding risk, not reducing it. The risks associated with the consumerization of IT have gripped enterprise security teams as they face unrelenting threats, often at the hands of their very own employees. They lack consistent, proactive policies to manage vulnerabilities associated with the “BYOD” or Bring Your Own Device trend. In fact, according to a Wall St. Journal article (Sept. 26, 2011), “Danger-to-Go,” mobile devices “come with one huge challenge: How do you make sure all that valuable information is secure?” Further, “the increasing presence of such devices elevates the threat of accidental and intentional security breaches.” Based on what we’re witnessing among our customer base, verifying the security of the software being downloaded to those devices is increasingly becoming a business priority. This is especially true when it is believed that platforms like Google’s Android do minimal vetting of the safety of applications they allow consumers to download from their App store.
In version 4 of our State of Software Security report, we continue our analysis and examine emerging trends associated with vulnerabilities in applications – whether they are internally developed or procured from third parties such as outsourcers or commercial software vendors. For the first time, we also take a closer look at Android security trends and highlight key takeaways for organizations seeking to balance employee mobility and productivity against mobile security risk.
With multiple pieces of proposed legislation currently being examined by Congress, the topic of federal cyber security has garnered attention in recent months, suggesting that it is an area warranting further investigation in this report. With renewed commitments to sharing data breach information and evolving best practices for more effectively managing cyber security threats, we have witnessed several positive steps being taken across the public and private sectors.
That message was emphasized last summer when I had the opportunity to meet with Senate staffers on the Homeland Security and Governmental Affairs Committee in order to help create better awareness and understanding about cyber attacks against the Government and private firms. As part of that experience, we realized the importance of educating federal audiences about cyber security risks in a vendor agnostic role. To that end, in this report we delved deeper into the nature of government software applications and how they fare relative to peers in private industry sectors.
In this volume, Veracode analyzed more than 9,000 application builds, across 40 different industry sectors. In addition to mobile application and government security trends analysis, we revisit several findings highlighted in previous reports. This includes measuring the security quality of third-party software from large and small software vendors, at the request of enterprises, continuing to debunk the myth that any vendor is “too big to test.” We also reexamine the impact of dedicated training and ongoing educational programs for software developers and security managers while updating our list of the most common software vulnerabilities that put entire software portfolios at risk.
As you examine the information presented here, we welcome your questions and ideas about what we can do as an industry to ensure a long-term commitment to protecting our software infrastructure and continuing to raise the visibility of software-related business risk.
Enjoy the report.
Written by: Chris Wysopal