Software of Unknown Pedigree: SOUP. Once an industry buzzword around safety-involved or critical systems such as medical software, the term deserves resurrection. Mid-size businesses and enterprises rely on more third-party software than ever for business-critical functions. Technology continues to work its way into every area of daily life, a trend that shows no sign of slowing, and the number of safety-involved and critical systems that run on software is growing in parallel. From Near Field Communication to utilities, the expanding software landscape means one thing to hackers: opportunity.

SOUP doesn't just deserve resurrection; it deserves focus. There is a reason identity theft is so commonplace that a movie is being made about it. If your company stores sensitive customer data or controls any kind of safety-critical software (and the list of companies that do is growing rapidly), you need to focus on software security. That focus cannot stop at the software you produce. It must extend to the software you resell, the software you package and put in front of customers, and the software you purchase to run your business-critical functions. Software security needs more focus, and it needs widespread awareness.


Infographic by Veracode Application Security



The Use of Vendor Supplied Software is Growing

Breakdown of Software Procurement in a Global Enterprise

  • 44% - Off the Shelf Vendors (COTS)
  • 28% - Outsourced Development
  • 15% - On-Demand (SaaS) Providers
  • 15% - Open Source Code
  • 7% - Mobile Apps Development

84% of enterprises did not test vendor-supplied applications

Why It's Important to Inspect S.O.U.P.

82% of enterprise auditors are asking whether vendor-supplied software is secure

Some ingredients of S.O.U.P. may be harmful to your enterprise

Type of Vendor-Supplied Software   Inspection Failure Rate   Possible Enterprise Side Effects
Customer Support Applications      80%                       Customer data loss
Security Applications              76%                       Gaps in enterprise security defenses against attackers
Business and IT Operations         72%                       Corporate IP theft or malicious process manipulation
Financial Applications             59%                       Increased fraud or financial data loss

No S.O.U.P. For You!

Enterprises across many industries are saying no to S.O.U.P. and inspecting vendor-supplied applications

  • 21% - Financial Services
  • 14% - Software and IT Services
  • 14% - Technology
  • 6% - Telecommunications
  • 5% - Healthcare
  • 3% - Business Services
  • 3% - Entertainment and Media


Recipe Card for a Programmatic Approach to Vendor Software Security Testing

  1. Prep Time - 3 Months
  2. Test Time - 1-4 Weeks (use SaaS provider to compress testing time)
  3. Remediation Time - Weeks to Months
  4. Serves all Vendor Applications


Instructions

  1. Determine the application security state of your current vendor management program and clarify the corporate mandate and goals for your new program
  2. Define your security policy, including acceptance criteria, exception criteria, escalation process, non-acceptable flaw types, testing methodologies, etc.
  3. Set realistic timelines for vendors to meet your new policy
  4. Communicate your new policy to your vendors and be prepared to address common vendor concerns
  5. Empower your security analysis team to proactively work with your vendors

Benefits of the Programmatic Approach

                                                          No Formal Program   A Programmatic Approach
Average Number of Vendors Participating                   4                   38 (approx. 10x more)
Average Number of Applications Assessed                   7                   71
Percent of Applications Achieving Compliance              34%                 52%
Percent of Applications Achieving Compliance              28%                 45%
Percent of Non-Compliant Applications Out of Compliance
  for More than Six Months                                39%                 20%

Neil is a Marketing Technologist working on the Content and Corporate teams at Veracode. He currently focuses on Developer Awareness through strategic content creation. In his spare time you'll find him doting over his lovely wife and daughter. He is a Co-Owner of CrossFit Amoskeag in Bedford NH, his favorite topic is artificial intelligence, and his favorite food is pepperoni pizza.
