Released October 24 2013
Read Forrester's "The CISO's Handbook - Presenting to the Board" for tips on how to articulate your risk posture and security strategy effectively, so you can position yourself as a key influencer in the boardroom.
Released February 2014
The second SANS Institute survey on application security programs and practices asks a number of pertinent questions. The maturity and effectiveness of application security programs are examined, as well as developer training, application security spend and what the future holds. Download to find out what organizations are doing about the risks posed by their web, database, mobile and cloud applications.
The survey examines a number of questions about application security, including:
1. How widespread are application security programs?
2. How effective are these programs?
3. What practices and tools are organizations relying on most today, and what are they finding the most useful?
4. How is secure coding training for developers being done, and how effective is this training?
5. How are people justifying spending on Appsec, and where are they spending most of their efforts?
6. What will the future of Appsec look like?
Released on February 24th, 2012
Organizations are having to manage more and more critical software applications to conduct business. These applications may be developed in-house, by an outsourcer or commercially acquired. The vast majority of these software applications will contain flaws which can constitute a security risk.
This report, delivered by the analyst firm Quocirca, looks at how businesses are deploying software and what measures are in place for checking the security of applications. The report draws on new research conducted amongst US and UK enterprises from a range of industries and assesses the scale of the software security problem, the ways in which it can be mitigated, the extent to which this is being achieved, the costs involved and how they can be minimized.
Enterprise adoption of mobile apps creates significant challenges. According to Forrester Inc., the challenges include how to distribute apps to thousands of end users in a timely, secure, and reliable fashion.
Stop assuming, start demanding security from your software suppliers. Ignoring the problem of third-party application security will only lead to risk for your enterprise.
This report examines application security quality, remediation and policy compliance statistics and trends. Our analysis of tens of thousands of applications with Veracode's cloud-based platform found that 87% of web applications are not compliant with the OWASP Top 10, while 69% of non-web applications are not compliant with the CWE/SANS Top 25.
The data analyzed represents multiple security testing methodologies (including static binary, dynamic and manual pen testing) on a wide range of application types (web, mobile and legacy/non-web) and programming languages (including Java, C/C++, .NET, PHP and ColdFusion). We also expanded our analysis of the mobile vulnerability landscape with sections on Android, iOS and Blackberry applications. The resulting intelligence is unique in the breadth and depth it offers.
Volume 5 (40 Pages)
April 8th, 2013
Veracode has been publishing a semi-annual State of Software Security (SOSS) report since 2010. Over time we have received significant interest in our findings and numerous requests to investigate the dataset from many different perspectives that may not be routinely covered in our semi-annual reports. To satisfy the curiosity of our readers and to allow us to extend our investigation to topical areas, we are moving to a new reporting format in 2012. This year we are publishing shorter feature supplements that are designed to address a particular, focused topic, and only release the full SOSS report once a year. This report is the first feature supplement for 2012.
This featured supplement focuses on the state of enterprise programs that assess the security of software purchased from vendors. Veracode can uniquely report on how program practices evolve because our analysis is based on data aggregated from companies as they test real applications. The data represents intelligence gleaned from over 900 application builds submitted by software vendors to Veracode's cloud-based platform in an 18 month time-frame.
Enterprises are still experiencing the paradigm shift towards mobile computing and still struggling to implement both their mobility strategies and Bring-Your-Own-Device (BYOD) programs. While IT understands the enterprise benefits of this shift, there is a gap between IT's eagerness for mobility and its readiness to deal with the new types of application security risks inherent in all mobile platforms.
Download the whitepaper authored by the FS-ISAC Third Party Software Security Working Group to understand the recommended controls for addressing third party software risk.
This independent paper analyzes control options and offers specific recommendations on control types for financial services firms to add to their vendor governance programs.
Mobile devices, particularly those owned by employees and used to access work applications, represent the latest front for attackers. Employees are downloading applications vulnerable to or infected with malware that mix with company e-mail, productivity/workforce, and other business applications.
Because of this new threat, SANS conducted a survey to discover organizational awareness and the procedures around mobile risk.
The Veracode Application Perimeter Monitoring (APM) solution enables enterprises to reduce the risk of data breaches by providing a rapid and massively scalable approach for gathering vulnerability intelligence across every enterprise web application.
Learn how we help the world's largest enterprises reduce global application risk across web, mobile and third-party applications.
Tyler Shields gave a presentation at ShmooCon 2010 on the threats of mobile spyware, particularly as it relates to data privacy. Smart phones and mobile applications have grown tremendously popular over the past couple of years, and it seemed like an appropriate time to raise awareness of what these applications are capable of.
Anti-debugging is the implementation of one or more techniques within computer code that hinder attempts at reverse engineering or debugging a target binary. Within this paper we will present a number of the known methods of anti-debugging in a fashion that is easy to implement for a developer of moderate expertise.
Backdoors and malicious code pose an operational risk to software that is too significant for organizations to ignore. This whitepaper discusses how binary (compiled code) analysis is the ideal platform for detecting backdoors and conducting the most complete independent security test, validation and verification of applications.
View the demo of Veracode's Platform. Learn how to create an Application Profile and submit your application for analysis.
View the demo of Veracode's Platform. Learn how to access and understand your results once the scan has completed. You will see how to access the summary and detailed results and also how to use Veracode's developer tools.