Click here to close now.

Welcome!

Virtualization Authors: Pat Romanski, Leo Reiter, John M. Hawkins, Clinton Wolfe, Mike Kavis

News Feed Item

Veracode State of Software Security Report Finds That Despite Increasing Global Security Risks From Third Party Applications, Most Enterprises Still Lack Formal Programs To Secure Them

Veracode, Inc., the leader in cloud-based application security testing, today released the second feature supplement of its annual State of Software Security Report (SoSS), for the first time analyzing third-party software security testing metrics. The data indicates that despite increasing security risks from third-party and externally developed software, few enterprises currently have formal testing programs in place. However, there are signs that more organizations are beginning to recognize and address the security risks associated with externally developed applications.

“The widespread adoption of third-party apps and use of external developers in enterprises brings increased risk,” said Chris Eng, vice president of research, Veracode. “In fact, a typical enterprise has an average of 600 mission-critical applications, about 65 percent of which are developed externally, leaving companies increasingly vulnerable to the security risks found in these apps. We are beginning to see signs that enterprises are recognizing and addressing these risks. However, organizations still assume too much risk when trusting their third-party software suppliers to develop applications that meet industry and organizational standards. There is still much more work to be done to adequately secure the software supply chain.”

The supplement found that some of the most dangerous security flaws in existence, such as SQL injection and Cross-Site Scripting, are among the most prevalent vulnerabilities in third-party vendor applications. The report also showed that while a programmatic approach to software security testing can greatly help enterprises and their vendors mitigate these flaws, few organizations have formal programs in place to manage and secure the software supply chain.

Key findings of the report include:

  • Currently few enterprises have vendor application security testing programs in place, but the volume of assessments within organizations is growing
    • Less than one in five enterprises have requested a code-level security test from at least one vendor
    • However, the volume of vendor-supplied software or application assessments continues to grow with a 49 percent increase from the first quarter of 2011 to the second quarter of 2012
  • There is a Gap Between Enterprise Standard and Industry Standard Compliance
    • 38 percent of vendor-supplied applications complied with enterprise-defined policies vs. 10 percent with the OWASP Top Ten and 30 percent with CWE/SANS Top 25 industry-defined standards.
  • Some of the most dangerous vulnerabilities in vendor applications are also the most prevalent
    • Four of the top five flaw categories for web applications are also among the OWASP Top 10 most dangerous flaws and five of the top six flaw categories for non-web applications appear on the CWE/SANS Top 25 list of most dangerous flaws.
    • SQL injection and cross-site scripting affect 40 percent and 71 percent of vendor-supplied web application versions, respectively.
    • Only 10 percent of applications tested complied with the OWASP Top Ten list and 30 percent with the CWE/SANS Top 25 industry standards
  • With 62 percent of applications failing to reach compliance on first submission, procedures for managing non-compliant applications are an important aspect of an enterprise’s security policy
    • 11 percent of vendors resubmitted new versions of applications for testing but are still out of compliance with enterprise policies
  • Structured Testing Programs Promote Higher Participation
    • Enterprises that relied on an ad-hoc approach when requesting application security testing averaged four participating vendors, whereas enterprises with a structured approach had much higher levels of success, averaging participation from 38 vendors.
    • Enterprises with structured programs enabled more vendors to achieve compliance quickly, with 45 percent of vendor applications becoming compliant within one week.
    • By contrast, enterprises with an ad hoc program only saw 28 percent of third-party applications achieve compliance within one week

“Today, every organization is an extended enterprise, with third-party software a fundamental layer in the software supply chain,” said Wendy Nather, research director, 451 Research. “It’s critical that organizations develop security policies when purchasing software from outside vendors because of the risks inherent in using third-party applications, yet few are actually demanding security compliance of their suppliers.”

Report Methodology

This Study of Enterprise Testing of the Software Supply Chain captures data collected from 939 application versions (across 564 distinct applications) submitted to the Veracode Platform during an 18 month time period from January 201 to June 2012. The data comes from actual security analysis of web and non-web applications across industry verticals, languages and platforms, and represents multiple security testing methodologies on a wide range of application types and programming languages.

The focus of this report is to assess the security of software purchased from vendors, as well as participating in vendor application security testing programs, and how different programs impact vendor compliance with application security policies.

Download the Report

Veracode’s report, Enterprise Testing the Software Supply Chain, examines additional software security topics in the context of application security trends, including details on the industries that most commonly employ assessment programs, more information on the factors involved in time to compliance, and additional facts about the types of security programs that enterprises implement. For complete report findings, download a copy of the report by visiting: https://info.veracode.com/vast-soss.html.

About Veracode

Veracode is the only independent provider of cloud-based application intelligence and security verification services. The Veracode platform provides the fastest, most comprehensive solution to improve the security of internally developed, purchased or outsourced software applications and third-party components. By combining patented static, dynamic and manual testing, extensive eLearning capabilities, and advanced application analytics, Veracode enables scalable, policy-driven application risk management programs that help identify and eradicate numerous vulnerabilities by leveraging best-in-class technologies from vulnerability scanning to penetration testing and static code analysis. Veracode delivers unbiased proof of application security to stakeholders across the software supply chain while supporting independent audit and compliance requirements for all applications no matter how they are deployed, via the web, mobile or in the cloud. Veracode works with customers in more than 80 countries worldwide representing Global 2000 brands. For more information, visit www.veracode.com, follow on Twitter: @Veracode or read the Veracode Blog.

More Stories By Business Wire

Copyright © 2009 Business Wire. All rights reserved. Republication or redistribution of Business Wire content is expressly prohibited without the prior written consent of Business Wire. Business Wire shall not be liable for any errors or delays in the content, or for any actions taken in reliance thereon.

@ThingsExpo Stories
Analytics is the foundation of smart data and now, with the ability to run Hadoop directly on smart storage systems like Cloudian HyperStore, enterprises will gain huge business advantages in terms of scalability, efficiency and cost savings as they move closer to realizing the potential of the Internet of Things. In his session at 16th Cloud Expo, Paul Turner, technology evangelist and CMO at Cloudian, Inc., will discuss the revolutionary notion that the storage world is transitioning from mere Big Data to smart data. He will argue that today’s hybrid cloud storage solutions, with commodity...
Every innovation or invention was originally a daydream. You like to imagine a “what-if” scenario. And with all the attention being paid to the so-called Internet of Things (IoT) you don’t have to stretch the imagination too much to see how this may impact commercial and homeowners insurance. We’re beyond the point of accepting this as a leap of faith. The groundwork is laid. Now it’s just a matter of time. We can thank the inventors of smart thermostats for developing a practical business application that everyone can relate to. Gone are the salad days of smart home apps, the early chalkb...
Cloud data governance was previously an avoided function when cloud deployments were relatively small. With the rapid adoption in public cloud – both rogue and sanctioned, it’s not uncommon to find regulated data dumped into public cloud and unprotected. This is why enterprises and cloud providers alike need to embrace a cloud data governance function and map policies, processes and technology controls accordingly. In her session at 15th Cloud Expo, Evelyn de Souza, Data Privacy and Compliance Strategy Leader at Cisco Systems, will focus on how to set up a cloud data governance program and s...
Roberto Medrano, Executive Vice President at SOA Software, had reached 30,000 page views on his home page - http://RobertoMedrano.SYS-CON.com/ - on the SYS-CON family of online magazines, which includes Cloud Computing Journal, Internet of Things Journal, Big Data Journal, and SOA World Magazine. He is a recognized executive in the information technology fields of SOA, internet security, governance, and compliance. He has extensive experience with both start-ups and large companies, having been involved at the beginning of four IT industries: EDA, Open Systems, Computer Security and now SOA.
The industrial software market has treated data with the mentality of “collect everything now, worry about how to use it later.” We now find ourselves buried in data, with the pervasive connectivity of the (Industrial) Internet of Things only piling on more numbers. There’s too much data and not enough information. In his session at @ThingsExpo, Bob Gates, Global Marketing Director, GE’s Intelligent Platforms business, to discuss how realizing the power of IoT, software developers are now focused on understanding how industrial data can create intelligence for industrial operations. Imagine ...
We certainly live in interesting technological times. And no more interesting than the current competing IoT standards for connectivity. Various standards bodies, approaches, and ecosystems are vying for mindshare and positioning for a competitive edge. It is clear that when the dust settles, we will have new protocols, evolved protocols, that will change the way we interact with devices and infrastructure. We will also have evolved web protocols, like HTTP/2, that will be changing the very core of our infrastructures. At the same time, we have old approaches made new again like micro-services...
Operational Hadoop and the Lambda Architecture for Streaming Data Apache Hadoop is emerging as a distributed platform for handling large and fast incoming streams of data. Predictive maintenance, supply chain optimization, and Internet-of-Things analysis are examples where Hadoop provides the scalable storage, processing, and analytics platform to gain meaningful insights from granular data that is typically only valuable from a large-scale, aggregate view. One architecture useful for capturing and analyzing streaming data is the Lambda Architecture, representing a model of how to analyze rea...
SYS-CON Events announced today that Vitria Technology, Inc. will exhibit at SYS-CON’s @ThingsExpo, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Vitria will showcase the company’s new IoT Analytics Platform through live demonstrations at booth #330. Vitria’s IoT Analytics Platform, fully integrated and powered by an operational intelligence engine, enables customers to rapidly build and operationalize advanced analytics to deliver timely business outcomes for use cases across the industrial, enterprise, and consumer segments.
Today’s enterprise is being driven by disruptive competitive and human capital requirements to provide enterprise application access through not only desktops, but also mobile devices. To retrofit existing programs across all these devices using traditional programming methods is very costly and time consuming – often prohibitively so. In his session at @ThingsExpo, Jesse Shiah, CEO, President, and Co-Founder of AgilePoint Inc., discussed how you can create applications that run on all mobile devices as well as laptops and desktops using a visual drag-and-drop application – and eForms-buildi...
Containers and microservices have become topics of intense interest throughout the cloud developer and enterprise IT communities. Accordingly, attendees at the upcoming 16th Cloud Expo at the Javits Center in New York June 9-11 will find fresh new content in a new track called PaaS | Containers & Microservices Containers are not being considered for the first time by the cloud community, but a current era of re-consideration has pushed them to the top of the cloud agenda. With the launch of Docker's initial release in March of 2013, interest was revved up several notches. Then late last...
SYS-CON Events announced today that Dyn, the worldwide leader in Internet Performance, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Dyn is a cloud-based Internet Performance company. Dyn helps companies monitor, control, and optimize online infrastructure for an exceptional end-user experience. Through a world-class network and unrivaled, objective intelligence into Internet conditions, Dyn ensures traffic gets delivered faster, safer, and more reliably than ever.
CommVault has announced that top industry technology visionaries have joined its leadership team. The addition of leaders from companies such as Oracle, SAP, Microsoft, Cisco, PwC and EMC signals the continuation of CommVault Next, the company's business transformation for sales, go-to-market strategies, pricing and packaging and technology innovation. The company also announced that it had realigned its structure to create business units to more directly match how customers evaluate, deploy, operate, and purchase technology.
In their session at @ThingsExpo, Shyam Varan Nath, Principal Architect at GE, and Ibrahim Gokcen, who leads GE's advanced IoT analytics, focused on the Internet of Things / Industrial Internet and how to make it operational for business end-users. Learn about the challenges posed by machine and sensor data and how to marry it with enterprise data. They also discussed the tips and tricks to provide the Industrial Internet as an end-user consumable service using Big Data Analytics and Industrial Cloud.
The explosion of connected devices / sensors is creating an ever-expanding set of new and valuable data. In parallel the emerging capability of Big Data technologies to store, access, analyze, and react to this data is producing changes in business models under the umbrella of the Internet of Things (IoT). In particular within the Insurance industry, IoT appears positioned to enable deep changes by altering relationships between insurers, distributors, and the insured. In his session at @ThingsExpo, Michael Sick, a Senior Manager and Big Data Architect within Ernst and Young's Financial Servi...
Performance is the intersection of power, agility, control, and choice. If you value performance, and more specifically consistent performance, you need to look beyond simple virtualized compute. Many factors need to be considered to create a truly performant environment. In his General Session at 15th Cloud Expo, Harold Hannon, Sr. Software Architect at SoftLayer, discussed how to take advantage of a multitude of compute options and platform features to make cloud the cornerstone of your online presence.
Almost everyone sees the potential of Internet of Things but how can businesses truly unlock that potential. The key will be in the ability to discover business insight in the midst of an ocean of Big Data generated from billions of embedded devices via Systems of Discover. Businesses will also need to ensure that they can sustain that insight by leveraging the cloud for global reach, scale and elasticity.
IoT is still a vague buzzword for many people. In his session at @ThingsExpo, Mike Kavis, Vice President & Principal Cloud Architect at Cloud Technology Partners, discussed the business value of IoT that goes far beyond the general public's perception that IoT is all about wearables and home consumer services. He also discussed how IoT is perceived by investors and how venture capitalist access this space. Other topics discussed were barriers to success, what is new, what is old, and what the future may hold. Mike Kavis is Vice President & Principal Cloud Architect at Cloud Technology Pa...
Even as cloud and managed services grow increasingly central to business strategy and performance, challenges remain. The biggest sticking point for companies seeking to capitalize on the cloud is data security. Keeping data safe is an issue in any computing environment, and it has been a focus since the earliest days of the cloud revolution. Understandably so: a lot can go wrong when you allow valuable information to live outside the firewall. Recent revelations about government snooping, along with a steady stream of well-publicized data breaches, only add to the uncertainty
The explosion of connected devices / sensors is creating an ever-expanding set of new and valuable data. In parallel the emerging capability of Big Data technologies to store, access, analyze, and react to this data is producing changes in business models under the umbrella of the Internet of Things (IoT). In particular within the Insurance industry, IoT appears positioned to enable deep changes by altering relationships between insurers, distributors, and the insured. In his session at @ThingsExpo, Michael Sick, a Senior Manager and Big Data Architect within Ernst and Young's Financial Servi...
PubNub on Monday has announced that it is partnering with IBM to bring its sophisticated real-time data streaming and messaging capabilities to Bluemix, IBM’s cloud development platform. “Today’s app and connected devices require an always-on connection, but building a secure, scalable solution from the ground up is time consuming, resource intensive, and error-prone,” said Todd Greene, CEO of PubNub. “PubNub enables web, mobile and IoT developers building apps on IBM Bluemix to quickly add scalable realtime functionality with minimal effort and cost.”