All Things Security

Our take on the daily happenings in the world of Application Security

How Do You Influence the Security Posture of Your Business’s Third-party Applications?

I recently came across an interesting blog post by a team member at Acunetix that addressed a challenge many enterprises are facing when it comes to securing third-party components. This is a pretty hot topic in certain circles these days, and understandably so: studies have suggested that as many as 65% of an enterprise’s mission-critical applications are developed externally. Additionally, Veracode research shows that a typical internally developed application contains somewhere between 30% and 70% externally developed code, indicating that even internally developed apps are utilizing code originating outside their own walls.

#TalkingCode: Ask Chris Wysopal and Josh Corman Your Questions

Tomorrow Veracode co-founder and CTO/CISO Chris Wysopal, and Josh Corman, co-founder of Rugged Software and Director of Security Intelligence at Akamai Technologies, will be filming a video segment with Paul Roberts of The Security Ledger. The trio will be chatting about a variety of topics trending in the AppSec field, including but not limited to: recent changes to the OWASP Top 10, security of third-party software components, and industry culture.

IT Professionals: AppSec Is A Bigger Problem Than Malware

The results are in. The ISSC released its latest survey of information security pros, which found application security issues at the top of their list of security threats. Are we surprised?

Can You Name the Members of the Veracode Research Team?

Our entire Research team is in town this week for a round-table catch-up, and this fun artist’s rendition of them materialized. Given that I haven’t personally met them all, I was unable to identify a few of them by these cartoons. I figured I’d turn to our trusty community to help me out: comment below if you think you know an avatar’s human counterpart, with the number next to them and their full name.

Developers need more training programs like SAFECode

A developer’s main goal usually doesn’t include creating flawless, intrusion-proof applications. In fact, the goal is usually to create a working program as quickly as possible. Programmers aren’t security experts, and perhaps they shouldn’t be. But when 70% of applications fail to comply with enterprise security standards (data from Veracode SoSS vol. 5), it is clear more attention needs to be given to secure programming techniques.

Dexter Does AppSec: Life Or Death Matters In Medical Device Security

The case of serial killer (and nurse) Charles Cullen shows that arcane application security issues like race conditions can literally be matters of life and death in the healthcare field.

Enterprise Application Security with Evan Fromberg

UBM Tech Director of Content Jonas Tichenor interviews Evan Fromberg, Senior Director of Channel Sales and Business Development at Veracode. The interview covers enterprise application security, marketplace challenges in AppSec, and the partner program at Veracode. A transcript of the interview is available in the full post.

Survey Finds Speed Trumps Security In Use of Open Source

A survey of 3,500 developers by the firm Sonatype found that use of open source software is exploding in the application development community. Alas, much of it is unchecked, with few if any controls over what components are being used or how.

SOSS: One Figure at a Time

Application security analytics at Veracode is “living in interesting times.” With each passing month, the data set is growing dramatically in both size and variety. An increasingly diverse set of organizations is submitting applications for review. New programs such as VAST create usage patterns of Veracode’s services that reflect an evolving security supply chain. On top of this, Veracode’s platform for finding, classifying, and reporting discovered flaws continues to expand to address new challenges such as mobile apps, new vulnerability classes, new scanning technologies, and revised policies for defining acceptable application software security. The challenge with all this newness is striking the right balance between keeping the analysis the same to track trends over time and developing new analysis to convey new findings.

Blame Gain: In Healthcare, More Scrutiny Of Business Associates

Business-to-business links with partners are a growing source of data breaches and security incidents in the healthcare field. Coming changes to regulations like HIPAA may bring more accountability.

Collateral Damage Control of a Hacked Account

Yesterday the Associated Press joined the pool of victims who can say they’ve suffered a hacked or stolen Twitter account. The highly publicized event saw the AP have its main Twitter account (@AP) hacked sometime in the afternoon, and a tweet appeared around 1 p.m. reporting: “Breaking: Two Explosions in the White House and Barack Obama is injured.” As you can imagine, the tweet set off a chain reaction of retweets and alarm, even causing the Dow Jones to plunge nearly 143 points in only a 3-minute span following the breaking news.

Facebook Privacy: CyberSecurity 101

While Facebook grants its users lots of control over their privacy settings, keeping up with the latest privacy controls can be difficult. As a result, many users end up sharing their information and photos with a far wider audience than intended. This edition of our CyberSecurity 101 series should serve as a user guide for configuring Facebook privacy settings for optimal security.

Veracode at Infosec Europe 2013

Our team is overseas this week in London for the 18th annual Infosecurity Europe conference. Stop by the Veracode stand (H21) to learn about S.O.U.P. and what you can do to stop it from hurting your company. We will also be giving away £500 GBP to a random lucky winner!

If iOS is Less Secure, Why Does Android Get Attacked?

Apple’s iOS mobile operating system accounted for almost all the mobile OS vulnerabilities documented in 2012, but Google’s Android mobile OS accounted for almost all the malware. When it comes to application security, do ‘bad neighborhoods’ matter?

Webinar: The (In)Security of Vendor-Supplied Software

What vulnerabilities threaten the integrity of your software supply chain and data? Can your enterprise really influence software vendors to meet your most important security policies and remediate insecure software? Enterprises are taking on unbounded risk as a result of increased investment in outsourced, commercial, SaaS, mobile, and open source applications. Enterprises are leaving themselves particularly vulnerable because buyers so rarely think to secure the software they purchase. Why accept this risk?
