No matter which threat report you consult, the fact remains that the application layer is the most targeted and most vulnerable point of entry into an enterprise. The smart enterprises are taking security into their own hands by forcing their software suppliers to prove that they are taking appropriate measures to secure the software accessing the enterprise’s critical systems and data.
The Challenge of the Third Party
AppSec addresses software security by evangelizing the trifecta of secure development training, software testing throughout the development process, and quick reaction to zero-day vulnerabilities through software updates and patches.
However, until all software developers live and breathe this message, preaching secure software development remains an uphill battle.
One of the bigger challenges in AppSec these days is that the average enterprise doesn’t just use its own internally developed software – reinventing Microsoft Word at every enterprise would be ridiculous. The reality is that enterprises purchase a majority of the software they use (65% according to the British analyst firm Quocirca). This includes commercial off-the-shelf (COTS) software, open source software, and outsourced software where a third party develops the application to the specifications of the enterprise.
Securing this software is hard. Enterprise security teams don’t have access to the source code to put the software through a standard security test. Many enterprises resort either to performing expensive penetration tests on only those apps which handle the most critical data, or to requesting a difficult-to-confirm security assessment – a questionnaire – from the software provider in order to document the secure development practices the software provider is or is not implementing. Both these options leave a lot to be desired. When weighing the choice between two evils, most enterprises take the third route: do nothing. By turning a blind eye, enterprises believe they can pin the security of their company on the vague hope that if a breach occurs, they can claim it was not their fault.
A New Hope
However, the current status quo is shifting: we at Veracode are starting to see a trend in which large enterprises are requiring more than a toothless paper questionnaire from their software providers – they are requiring an independent summary report from the testing service the software vendor uses, be it Veracode, a pen test report, or another application security solution.
The early adopters of this trend are seeing a first-mover advantage; enterprises with a mature security organization are starting to make buying decisions based on vendor security practices. As leaders in enterprise security make this standard practice, other enterprises will fall in line. Just as cameras were added to cell phones and seat belts added to cars, baking security into software is quickly becoming commonplace.
This trend comes not a moment too soon. Data breaches are becoming routine, affecting even the most sophisticated companies like Apple and Facebook. The security of the IT supply chain is becoming a hot topic not just because of Die Hard 4, but because the threats to all enterprises – especially critical infrastructure – are real and have a reasonable chance of being carried out.
With proof of security baked into software, enterprises can more easily make intelligent buying decisions. Those software providers that make enterprises jump through hoops to get proof of software security will quickly find themselves being replaced.
To learn more about this growing trend in application security, catch tomorrow’s webinar, “Under Pressure: When clients demand proof of security” or meet with Veracode at Black Hat and learn how Veracode helps enterprises secure their IT supply chain.