Saturday, April 20, 2024

Veracode State of Software Security Report Shows Suppliers of Cloud/Web-Based Applications Face Greatest Scrutiny by CXOs

Special to TAG-IT News Agency

LONDON - In the past six months alone there have been multiple new zero-day vulnerabilities reported in Microsoft Windows and widely covered uneasiness about the security of mobile apps, cloud service providers and SCADA systems that reinforce concerns about unknown weaknesses lurking in everyday software. To address those concerns, Veracode Inc., the world's leader in cloud-based application risk management, analyzed more than 2,900 applications to publish the State of Software Security Report: Volume 2.

Similar to the first report, findings show that overall quality of applications remains poor, with 57 percent failing to meet acceptable levels of security. New results demonstrate that cloud/web-based applications are the most commonly scrutinized, and with good reason: 80 percent of web applications would not pass a PCI audit.

The goal of the report is to create greater enterprise security intelligence among the C-suite, security managers and developers regarding their application portfolio. The data empowers informed decision-making around IT infrastructure choices including selecting the best mobile platform, policies about the use of Open Source software and how to best structure third-party software procurement contracts.  Findings are based on analysis of Internally Developed, Open Source, Outsourced and Commercial applications that have been submitted to Veracode for testing using its cloud-based platform over the past 18 months.  Veracode reports a nearly 200 percent increase in the number of applications submitted for review during the past six months, indicating greater industry awareness about software security.  Following is a summary of key findings:

More than half of all software failed to meet an acceptable level of security
57 percent of all applications were found to have unacceptable application security quality on first submission to Veracode's testing service, even when standards were lowered for those considered less business critical.

Third-party code is the culprit behind Operation Aurora, Siemens Stuxnet and others
Third-party code is an essential and rapidly growing part of an enterprise's software portfolio, making up nearly 30 percent of all applications submitted to Veracode for review, with third-party components comprising between 30-70 percent of internally developed applications. Of particular note, third-party suppliers failed to achieve acceptable security standards 81 percent of the time.

Cloud/web applications were the most requested third-party assessments
Suppliers of cloud/web applications made up nearly 60 percent of all third-party assessments requested of Veracode. Similar to the results of testing other types of third-party software, cloud/web applications show low levels of acceptable security.

Eight out of 10 web applications would fail a PCI audit
Based on automated analysis, Veracode found that eight out of 10 web applications failed to comply with the OWASP Top 10 industry standard for security quality, and therefore would not pass a PCI audit.
 
Security flaws are being repaired quicker than ever before
Indicating the positive impact of greater developer education and training, more mature tools and increasing enterprise pressure, Veracode found that the time it took organizations to repair flaws to achieve acceptable levels of security decreased from between 36-82 days, to 16 days on average. 

56 percent of finance-related applications failed upon first submission to Veracode's testing service
Analysis shows that software quality of applications from banking, insurance and financial services industries is not commensurate with the security requirements expected for business critical applications, though the financial services industry performed better than banking and insurance overall.

Cross-site scripting remains prevalent, accounting for 51 percent of all vulnerabilities uncovered in the testing process; .NET applications exhibited abnormally high cross-site scripting vulnerabilities. Additionally, potential backdoors broke into the top 10 most common vulnerabilities.

Unlike surveys or other industry reports that perform post-mortem analysis on reported breaches and disclosed vulnerabilities, Veracode's State of Software Security Report examines unknown vulnerabilities by analyzing the DNA of applications prior to a breach (and often prior to deployment) to identify what the applications are comprised of and where potential weaknesses exist. 

"The traditional disjointed approach to enterprise security needs to give way to a comprehensive approach that enables advanced security, improved analytics and optimal decision making," said Joseph Feiman, vice president and Gartner fellow, Gartner. "We are calling this new approach ESI [Enterprise Security Intelligence], and we believe that both technology providers and their enterprise customers must begin laying the groundwork for its development, adoption and implementation. The concept of intelligence is crucial, because it makes it clear that vulnerability scanning, monitoring and reporting are no longer adequate."

Rise of a New Market for Third-Party Assessments

Of interest to CIOs and CISOs is the rise of a new market sector for third-party risk assessments.  Veracode noted a significant increase in the number of applications it has been asked to review at the request of a buyer of software or software development services since its last report.

Third-party assessments (similar to having a pre-purchase home inspection) are among the fastest growing types of assessments requested of Veracode, a sign that organizations are taking increased responsibility for managing risk within their software supply chain and of the growing use of independent, cloud-based application risk management services.

"Veracode has already begun laying the groundwork for greater enterprise security intelligence for applications, with Volume 2 of our State of Software Security Report providing an accurate reflection of what is happening in the larger software industry and offering real data that enterprises can use for better IT infrastructure decision-making," said Matt Moynahan, CEO, Veracode Inc. "Only Veracode's cloud-based platform makes this sort of application intelligence possible; it's the insight gained from the data that empowers organizations to protect their software infrastructure. That's why the State of Software Security is required reading for anyone responsible for enterprise risk management."