According to Gartner, DevOps will be a mainstream strategy by 2016. In turn, organizations will need solutions — including those for security — that facilitate DevOps. These solutions will need to align with the DevOps philosophy, which Gartner defines as “focused on the adoption of agile and lean methodologies and a collaborative relationship between development (Dev) and operations (Ops), with a singular goal of timely, successful application production rollout.”
This Gartner report offers eight practical tips CISOs can use to link risk and security programs to corporate performance.
Forrester Consulting conducted research on the benefits independent software vendors realize using Veracode and found a three-year, risk-adjusted 131% return on their investment and a 68% reduction in security vulnerabilities.
With concern rising about the risk of advanced persistent threats from compromised supply chains, and breaches due to vulnerable third-party software, a global industrial manufacturing company did an ad hoc audit of its purchased software and found that more than 90% of its purchased applications had critical security vulnerabilities. With Veracode's built-to-scale cloud platform and systematic approach to risk reduction, the company built a third-party software security program that drove security requirements into contract language, onboarded 100 vendor applications in the first year of the program, and worked with vendors to fix over 10,000 vulnerabilities.
A global media and technology company had little control over the quality or security of the apps published to the iTunes App Store or Google Play. Using Veracode’s cloud-based service, the company gained visibility into its mobile app perimeter, finding it had 100% more apps published than originally thought. By finding these apps and assessing their behavior, the company ensured that all published apps adhered to its app policies for security and privacy and gained tighter control of its mobile footprint.
Learn how Veracode’s cloud-based service and policy-based approach helped a large financial services firm not only pass its PCI audit in the short term -- but also continuously reduce its enterprise risk in the long term.
As software applications are increasingly distributed through cloud and mobile platforms, the risk of vulnerabilities rises. Application managers need ways to control their disparate applications and to build security into the development process.
In this special videocast sponsored by Veracode and moderated by Dark Reading, two of the IT security industry’s best-known voices – Chris Wysopal, CTO & CISO of Veracode and Jim Nelms, CISO of The Mayo Clinic – will discuss the changing role of the CISO and how the importance of that role is growing within the organization.
This report examines application security quality, remediation and policy compliance statistics and trends. Our analysis of tens of thousands of applications with Veracode's cloud-based platform found that 87% of web applications are not compliant with the OWASP Top 10, while 69% of non-web applications are not compliant with the CWE/SANS Top 25.
The data analyzed represents multiple security testing methodologies (including static binary, dynamic and manual pen testing) on a wide range of application types (web, mobile and legacy/non-web) and programming languages (including Java, C/C++, .NET, PHP and ColdFusion). We also expanded our analysis of the mobile vulnerability landscape with sections on Android, iOS and BlackBerry applications. The resulting intelligence is unique in the breadth and depth it offers.
Volume 5 (40 Pages)
April 8th, 2013
Veracode has been publishing a semi-annual State of Software Security (SOSS) report since 2010. Over time we have received significant interest in our findings and numerous requests to investigate the dataset from many different perspectives that may not be routinely covered in our semi-annual reports. To satisfy the curiosity of our readers and to allow us to extend our investigation to topical areas, we are moving to a new reporting format in 2012. This year we are publishing shorter feature supplements, each designed to address a particular, focused topic, and releasing the full SOSS report only once a year. This report is the first feature supplement for 2012.
This feature supplement focuses on the state of enterprise programs that assess the security of software purchased from vendors. Veracode can uniquely report on how program practices evolve because our analysis is based on data aggregated from companies as they test real applications. The data represents intelligence gleaned from over 900 application builds submitted by software vendors to Veracode's cloud-based platform over an 18-month time frame.
As software applications are increasingly distributed through cloud and mobile platforms, the risk of vulnerabilities affecting enterprises rises. Both builders and defenders of apps are well aware that these new types of applications—and the languages and frameworks they are developed in—pose substantial, complex risks.
The rise of the digital economy means the world now runs on applications. As a result, every company is becoming a software company. Yet, research done by IDG revealed that almost two-thirds of applications are not assessed for security.
This whitepaper provides guidance on preparing for a high-profile vulnerability disclosure so risk-management or security teams can respond with the appropriate level of urgency. Teams can use it as a starting point to formulate a strategy for vulnerability responses and be prepared for the eventual disclosure.
Integration between Veracode and MDM platforms, including MobileIron, IBM MaaS360/Fiberlink, and AirWatch, enables IT teams to automatically enforce what actions to take when Veracode identifies apps that are not compliant with policy or have a high malware rating.
Veracode’s cloud-based app reputation service provides behavioral intelligence about mobile apps to help you determine which apps violate corporate policies for security and privacy. Our integration with IBM Fiberlink MaaS360 uses automated workflows and centralized policies to give IT full visibility and control of app risks in a scalable way.
Veracode’s cloud-based app reputation service provides the AirWatch enterprise mobility platform with an instant on, continuously updated intelligence source that evaluates all mobile applications on enterprise managed devices against policies designed to keep corporate information secure. The service taps information about hundreds of thousands of mobile applications that have been assessed using Veracode’s unique behavioral analysis technology. Using the app reputation service, organizations can roll out a BYOD program that includes both preventative and detective controls to keep corporate data safe from risky mobile applications.
Anti-debugging is the implementation of one or more techniques within computer code that hinder attempts at reverse engineering or debugging a target binary. Within this paper we will present a number of the known methods of anti-debugging in a fashion that is easy to implement for a developer of moderate expertise.
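As an added illustration of the kind of "known method" the paper's abstract refers to (this is example code written for this page, not code from the Veracode paper), here is one of the simplest Linux anti-debugging checks: reading the `TracerPid` field of `/proc/self/status`. A non-zero value means another process is ptrace()-attached (gdb, strace, a ptrace-based injector). The parsing is split into its own function so it can be run on a constructed status buffer; the file name, function names and the 4096-byte buffer size are this example's own choices.

```c
/* Added example, not from the Veracode paper: a ptrace-presence check
 * via /proc/self/status on Linux. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse the "TracerPid:" line out of the text of /proc/self/status.
 * Returns the tracer's pid, 0 if no tracer is attached, or -1 if the
 * field is missing (e.g. a constructed or truncated buffer). */
long tracer_pid_from_status(const char *status_text)
{
    const char *key = "TracerPid:";
    size_t keylen = strlen(key);
    const char *line = status_text;

    while (line && *line) {
        if (strncmp(line, key, keylen) == 0) {
            /* strtol skips the tab that procfs puts after the colon */
            return strtol(line + keylen, NULL, 10);
        }
        line = strchr(line, '\n');
        if (line)
            line++;           /* advance to the start of the next line */
    }
    return -1;
}

/* Read /proc/self/status and decide. Returns 1 if a tracer is attached,
 * 0 otherwise. On systems without procfs the check cannot tell, so it
 * deliberately answers 0 rather than refusing to run. */
int debugger_attached(void)
{
    char buf[4096];                     /* status is normally ~1-2 KB */
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf) > 0;
}

int main(void)
{
    if (debugger_attached()) {
        fputs("debugger detected, refusing to continue\n", stderr);
        return 1;
    }
    puts("no tracer attached");
    return 0;
}
```

Run the binary directly and it prints `no tracer attached`; run it under `gdb` or `strace` and it exits with status 1. The check is trivial to defeat (patch out the comparison, or attach after it has run), which is exactly why the paper treats anti-debugging as a set of layered techniques rather than a single test.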
Backdoors and malicious code pose significant operational risk to software that is too significant for organizations to ignore. This whitepaper discusses how binary (compiled code) analysis is the ideal platform for detecting backdoors and conducting the most complete independent security test, validation and verification of applications.
This technical whitepaper describes a new way to classify backdoor vulnerabilities in applications and discusses static detection of backdoors.
View the demo of Veracode's Platform. Learn how to create an Application Profile and Submit your application for analysis.
View the demo of Veracode's Platform. Learn how to access and understand your results once the scan has completed. You will see how to access the summary and detailed results and also how to use Veracode's developer tools.