Enterprises are taking on unbounded risk as a result of increased investment in outsourced, commercial, SaaS, mobile and open source applications. Enterprises are leaving themselves particularly vulnerable because buyers so rarely think to secure the software they purchase. Why accept this risk?
On October 11th, guest speaker Chenxi Wang, Vice President & Principal Analyst, Forrester Research, Inc. will present in a live webcast how enterprises can better understand and reduce security risks associated with the use of vendor-supplied software - register here.
Most enterprises carry too much risk across their software supply chain due to the large number of third-party supplied applications [i]: enterprises possess an average of 300 applications sourced from independent software vendors (ISVs) and other suppliers [ii]. Contrast that number with CA Veracode’s latest State of Software Security report, which finds that 84% of all applications fail basic security testing (see figure 1 below). What does that lead you to conclude about your third-party software? At least you control the software developed internally; you know those developers and you can audit the source code at your discretion. When addressing the vulnerability of third-party developed software, attesting to the security of that code is the challenge.
[Figure 1: CA Veracode State of Software Security Report Vol. 4 (chart; categories marked * have a low sample size)]
Third-party software developers (commercial vendors and outsourcers) are facing challenges of their own. As Paul Roberts mentioned in his recent post, “Welcome to the Jungle: Cleaning Up the Mess That Is the Software Supply Chain”, independent software developers and outsourcers are in a race to the bottom. Developers are being driven by economics to produce software at breakneck speed without enough training in secure development practices – more than half of all developers get a grade of C or lower on application security fundamentals [iii]. While flaw-free software is unrealistic, poorly written code leaves enterprises and their customers open to compromise.
As a security community, we need to acknowledge the severity of this issue; we have become reliant on third-party developed code and must now build a scalable program for securing the software supply chain.
Join guest speaker Chenxi Wang, Vice President & Principal Analyst, Forrester Research, Inc. next Thursday October 11th, as she presents a step-by-step guide for building a meaningful vendor application security compliance program which will allow enterprises to better understand and reduce security risks associated with the use of vendor-supplied software.
[i] CA Veracode, “Five Best Practices of Vendor Application Security Management”, September 2012
[ii] Quocirca, “Outsourcing the Problem of Software Security”, February 2012
[iii] CA Veracode, “State of Software Security volume 4”, December 2012