Ellen Moss (U.S.)
Veracode State of Software Security Report Shows Suppliers of Cloud/Web-Based Applications Face Greatest Scrutiny by CXOs
With More Than Half of All Software Not Meeting Acceptable Security Levels and Eight Out of 10 Web Applications at Risk of Failing a PCI Audit, Greater Software Industry Accountability Is Critical
LONDON-Gartner Security & Risk Management Summit 2010– September 22, 2010 – In the past six months alone there have been multiple new zero-day vulnerabilities reported in Microsoft Windows and widely covered uneasiness about the security of mobile apps, cloud service providers and SCADA systems that reinforce concerns about unknown weaknesses lurking in everyday software. To address those concerns, Veracode, Inc. analyzed more than 2,900 applications to publish the “State of Software Security Report: Volume 2.” Similar to the first report, findings show that overall quality of applications remains poor, with 57 percent failing to meet acceptable levels of security. New results demonstrate that cloud/web-based applications are the most commonly scrutinized, and with good reason: 80 percent of web applications would not pass a PCI audit.
The goal of the report is to create greater enterprise security intelligence among the C-suite, security managers and developers regarding their application portfolio. The data empowers informed decision-making around IT infrastructure choices including selecting the best mobile platform, policies about the use of Open Source software and how to best structure third-party software procurement contracts. Findings are based on analysis of Internally Developed, Open Source, Outsourced and Commercial applications that have been submitted to Veracode for testing using its cloud-based platform over the past 18 months. Veracode reports a nearly 200 percent increase in the number of applications submitted for review during the past six months, indicating greater industry awareness about software security. Following is a summary of key findings:
Unlike surveys or other industry reports that perform post-mortem analysis on reported breaches and disclosed vulnerabilities, Veracode’s State of Software Security Report examines unknown vulnerabilities by analyzing the DNA of applications – prior to a breach (and often prior to deployment) – to identify what the applications are comprised of and where potential weaknesses exist.
“The traditional disjointed approach to enterprise security needs to give way to a comprehensive approach that enables advanced security, improved analytics and optimal decision making,” said Joseph Feiman, vice president and Gartner fellow, Gartner. “We are calling this new approach “ESI” [Enterprise Security Intelligence], and we believe that both technology providers and their enterprise customers must begin laying the groundwork for its development, adoption and implementation. The concept of “intelligence” is crucial, because it makes it clear that vulnerability scanning, monitoring and reporting are no longer adequate.”
Rise of a New Market for Third-Party Assessments
Of interest to CIOs and CISOs is the rise of a new market sector for third-party risk assessments. Veracode noted a significant increase in the number of applications it has been asked to review at the request of a buyer of software or software development services since its last report. Third-party assessments (similar to having a pre-purchase home inspection) are among the fastest growing types of assessments requested of Veracode – a sign that organizations are taking increased responsibility for managing risk within their software supply chain and the growing use of independent, cloud-based application risk management services.
“Veracode has already begun laying the groundwork for greater enterprise security intelligence for applications, with Volume 2 of our State of Software Security Report providing an accurate reflection of what is happening in the larger software industry and offering real data that enterprises can use for better IT infrastructure decision-making,” said Matt Moynahan, CEO, Veracode, Inc. “Only Veracode’s cloud-based platform makes this sort of application intelligence possible; it’s the insight gained from the data that empowers organizations to protect their software infrastructure. That’s why the State of Software Security is required reading for anyone responsible for enterprise risk management.”
Following are additional resources related to the State of Software Security Report:
The State of Software Security draws on continuously updated information in Veracode’s cloud-based application risk management services platform. New in Volume 2 is data from third-party assessments, the first inclusion of PHP and ColdFusion applications, a comparison of static binary, dynamic and manual testing effectiveness, and additional depth on financial industry applications. The data comes from actual code-level analysis of billions of lines of code and thousands of applications. The resulting security intelligence cannot be found anywhere else. It represents multiple testing methodologies (static binary, dynamic and manual) on the full spectrum of application types (components, shared libraries, web and non-web applications) and programming languages (including Java, C/C++, .NET, ColdFusion and PHP) from every part of the software supply chain (Internally Developed, Open Source, Outsourced, Commercial).
Veracode is the world’s leader in cloud-based application risk management. With patented binary code analysis, dynamic Web assessments and developer e-learning, Veracode SecurityReview® is the most accurate and cost-effective way to independently verify application security in both internally developed applications and third-party software without requiring source code or expensive tools. Veracode provides the most simple, complete way to implement security best practices, reduce operational cost and comply with internal security policies or external standards such as OWASP Top 10, CWE/SANS Top 25 and PCI. Veracode works with global organizations across multiple vertical industries including Barclays PLC, California Public Employees’ Retirement System (CalPERS), Computershare and the Federal Aviation Administration (FAA). For more information, visit www.veracode.com, follow on Twitter: @Veracode or read the ZeroDay Labs blog.
Copyright © 2010 Veracode, Inc. All Rights Reserved. All other brand names, product names, or trademarks belong to their respective holders.