Today Veracode released a special supplement to the Veracode State of Software Security report, "Study of Software Related Cybersecurity Risks in Public Companies." This supplement focuses specifically on vulnerabilities in the software applications of publicly traded companies, following new SEC guidance issued in the US last year on the disclosure of cybersecurity risks in company filings.

According to Chris Wysopal, CTO and Co-Founder of Veracode, "Companies can put all of the other cybersecurity controls in place, but if there are application weaknesses, hackers have the will and time to find and exploit them. The issue simply cannot be neglected anymore. Over the last year some of the most prominent breaches that were carried out against the most preeminent names in business took advantage of weaknesses in software applications to infiltrate traditional perimeter defense security controls. This should be a wake-up call. Particularly in public company disclosures, the issue needs to be discussed in much more detail."

Some findings that emerged from the supplement include:
- Public companies fare no better than companies at large on software security or developer knowledge.
- Reliance on third-party applications is widespread, but formal risk assessments are not.
- Many companies defining a custom policy chose to measure applications against PCI.
To download the full report, click here.

Report Methodology: This report captures data collected from 126 public companies over the past 18 months from applications that were submitted to Veracode's cloud-based application security testing platform. These applications include both internally developed applications and those procured from third-party vendors. Earlier this year, Veracode released the State of Software Security Report Volume 4, which analyzed data from 9,910 application builds. You can access this report here.