Cyberattacks cost UK businesses £18 billion in lost revenue and £16 billion in increased IT spending per year as a result of breaches. And the issue is widespread — 81 percent of UK businesses reported a breach in 2014.
Awareness is growing around the importance of application security, particularly when the software comes from third parties. At the same time, CISOs trying to address that risk are facing a maze of technical, legal and organizational constraints.
According to Gartner, DevOps will be a mainstream strategy by 2016. In turn, organizations will need solutions — including those for security — that facilitate DevOps. These solutions will need to align with the DevOps philosophy, which Gartner defines as “focused on the adoption of agile and lean methodologies and a collaborative relationship between development (Dev) and operations (Ops), with a singular goal of timely, successful application production rollout.”
This Gartner report offers eight practical tips CISOs can use to link risk and security programs to corporate performance.
Forrester Consulting conducted research on the benefits independent software vendors realize using Veracode and found a three-year, risk-adjusted 131% return on their investment and a 68% reduction in security vulnerabilities.
The Forrester “Planning for Failure” report offers practical guidance to create a breach response plan that will help your enterprise respond quickly and appropriately to minimize damage.
Forrester predicts that in 2015 “at least 60 percent of organizations will suffer a security breach.”
According to this Gartner report, “Policy is an important form of communication about risk, and the impact on the reader will be maximized if the text is well-crafted in organizational appropriateness and writing style.” The report also states that: “Fortunately, the use of a few best practices for the planning and writing of policy can make a big difference in its effectiveness in reducing risk.”
Read this report to learn about Forrester's 5-step plan for seizing control of your destiny as a CISO – and why the top 3 skills required to succeed are leadership, strategic thinking, and business knowledge.
Learn how a G2000 financial services company secured its critical outsourced and internally-developed applications with Veracode’s cloud-based service – and generated a 3-year ROI of 192 percent.
Released on 1 July 2014
Veracode is a Leader in the Magic Quadrant
Read the "Magic Quadrant for Application Security Testing" (July 2014) to find out why there is a critical need to reduce risk in Web, cloud and mobile applications.
Gartner, Inc. 2014 “Magic Quadrant for Application Security Testing” by Neil MacDonald, Joseph Feiman. July 1, 2014
Released on October 16th, 2012
Former CISO Wendy Nather explains how Veracode's SaaS offering "takes both effort and cost away from the enterprise CISO" and "lowers the barriers to appsec testing."
This independent report details the unique advantages of Veracode's binary static analysis technology for testing third-party applications. It describes how Veracode's cloud-based platform and program management service address the scale and complexity challenges of reducing third-party software risk enterprise-wide, and provides a SWOT analysis of the Veracode VAST Program.
Released February 2014
The second SANS Institute survey on application security programs and practices asks a number of pertinent questions. The maturity and effectiveness of application security programs are examined, as well as developer training, application security spend and what the future holds. Download to find out what organizations are doing about the risks posed by their web, database, mobile and cloud applications.
The survey identifies a number of trends within application security, including:
1. How widespread are application security programs?
2. How effective are these programs?
3. What practices and tools are organizations relying on most today, and what are they finding the most useful?
4. How is secure coding training for developers being done, and how effective is this training?
5. How are people justifying spending on Appsec, and where are they spending most of their efforts?
6. What will the future of Appsec look like?
Released on February 24th, 2012
Organizations must manage an ever-growing number of critical software applications to conduct business. These applications may be developed in-house, by an outsourcer, or commercially acquired. The vast majority of them will contain flaws that can constitute a security risk.
This report, delivered by the analyst firm Quocirca, looks at how businesses are deploying software and what measures are in place for checking the security of applications. The report draws on new research conducted amongst US and UK enterprises from a range of industries and assesses the scale of the software security problem, the ways in which it can be mitigated, the extent to which this is being achieved, the costs involved and how they can be minimized.
Released on December 20th, 2012
Applications are hard to monitor, full of vulnerabilities and easy to manipulate. It's no surprise that applications have become the top vector of attack. But what may surprise IT professionals is what organizations are doing about the risks posed by their web, database, mobile and cloud applications.
What application security policies are emerging in organizations with sensitive data to protect? Read the findings of a new SANS Survey on Application Security Policies in the Enterprise.
Questions of interest include:
Released on May 15th, 2012
Critical infrastructure has become dependent on complex software applications. The responsibility of ensuring safe and secure functioning of these systems has typically rested solely with critical infrastructure providers. Efforts to secure and defend networks largely consisted of the deployment of defensive technologies, but far less attention was paid to the underlying code that makes applications vulnerable to begin with.
This report from Good Harbor Consulting examines the security advantages and market incentives for developing software applications for critical infrastructure through a security development process.