Veracode State of Software Security Report Shows Suppliers of Cloud/Web-Based Applications Face Greatest Scrutiny by CXOs
With More Than Half of All Software Not Meeting Acceptable Security Levels and Eight Out of 10 Web Applications at Risk of Failing a PCI Audit, Greater Software Industry Accountability Is Critical
LONDON – Gartner Security & Risk Management Summit 2010 – 22 September, 2010 – In the past six months alone there have been multiple new zero-day vulnerabilities reported in Microsoft Windows and widely covered uneasiness about the security of mobile apps, cloud service providers and SCADA systems that reinforce concerns about unknown weaknesses lurking in everyday software. To address those concerns, Veracode, Inc. analyzed more than 2,900 applications to publish the “State of Software Security Report: Volume 2.” Similar to the first report, findings show that overall quality of applications remains poor, with 57 percent failing to meet acceptable levels of security. New results demonstrate that cloud/web-based applications are the most commonly scrutinized, and with good reason: 80 percent of web applications would not pass a PCI audit.
The goal of the report is to create greater enterprise security intelligence among the C-suite, security managers and developers regarding their application portfolio. The data empowers informed decision-making around IT infrastructure choices, including selecting the best mobile platform, policies about the use of Open Source software and how to best structure third-party software procurement contracts. Findings are based on analysis of Internally Developed, Open Source, Outsourced and Commercial applications that have been submitted to Veracode for testing using its cloud-based platform over the past 18 months. Veracode reports a nearly 200 percent increase in the number of applications submitted for review during the past six months, indicating greater industry awareness about software security. Following is a summary of key findings:
- More than half of all software failed to meet an acceptable level of security – 57 percent of all applications were found to have unacceptable application security quality on first submission to Veracode’s testing service, even when standards were lowered for those considered less business critical.
- Third-party code is the culprit behind Operation Aurora, Siemens Stuxnet and others – Third-party code is an essential and rapidly growing part of an enterprise’s software portfolio, making up nearly 30 percent of all applications submitted to Veracode for review, with third-party components comprising between 30 and 70 percent of internally developed applications. Of particular note, third-party suppliers failed to achieve acceptable security standards 81 percent of the time.
- Cloud/web applications were the most requested third-party assessments – Suppliers of cloud/web applications made up nearly 60 percent of all third-party assessments requested of Veracode. Similar to the results of testing other types of third-party software, cloud/web applications show low levels of acceptable security.
- Eight out of 10 web applications would fail a PCI audit – Based on automated analysis, Veracode found that eight out of 10 web applications failed to comply with the OWASP Top 10 industry standard for security quality, and therefore would not pass a PCI audit.
- Security flaws are being repaired quicker than ever before – Indicating the positive impact of greater developer education and training, more mature tools and increasing enterprise pressure, Veracode found that the time it took organizations to repair flaws to achieve acceptable levels of security decreased from a range of 36 to 82 days to 16 days on average.
- 56 percent of finance-related applications failed upon first submission to Veracode’s testing service. Analysis shows that software quality of applications from banking, insurance and financial services industries is not commensurate with the security requirements expected for business critical applications, though the financial services industry performed better than banking and insurance overall.
- Cross-site scripting remains prevalent, accounting for 51 percent of all vulnerabilities uncovered in the testing process; .NET applications exhibited abnormally high cross-site scripting vulnerabilities. Additionally, “potential backdoors” broke into the top 10 most common vulnerabilities.
Unlike surveys or other industry reports that perform post-mortem analysis on reported breaches and disclosed vulnerabilities, Veracode’s State of Software Security Report examines unknown vulnerabilities by analyzing the DNA of applications – prior to a breach (and often prior to deployment) – to identify what the applications are comprised of and where potential weaknesses exist.
“The traditional disjointed approach to enterprise security needs to give way to a comprehensive approach that enables advanced security, improved analytics and optimal decision making,” said Joseph Feiman, vice president and Gartner fellow, Gartner. “We are calling this new approach ‘ESI’ [Enterprise Security Intelligence], and we believe that both technology providers and their enterprise customers must begin laying the groundwork for its development, adoption and implementation. The concept of ‘intelligence’ is crucial, because it makes it clear that vulnerability scanning, monitoring and reporting are no longer adequate.”
Rise of a New Market for Third-Party Assessments
Of interest to CIOs and CISOs is the rise of a new market sector for third-party risk assessments. Veracode noted a significant increase in the number of applications it has been asked to review at the request of a buyer of software or software development services since its last report. Third-party assessments (similar to having a pre-purchase home inspection) are among the fastest growing types of assessments requested of Veracode – a sign that organizations are taking increased responsibility for managing risk within their software supply chain and of the growing use of independent, cloud-based application risk management services.
“Veracode has already begun laying the groundwork for greater enterprise security intelligence for applications, with Volume 2 of our State of Software Security Report providing an accurate reflection of what is happening in the larger software industry and offering real data that enterprises can use for better IT infrastructure decision-making,” said Matt Moynahan, CEO, Veracode, Inc. “Only Veracode’s cloud-based platform makes this sort of application intelligence possible; it’s the insight gained from the data that empowers organizations to protect their software infrastructure. That’s why the State of Software Security is required reading for anyone responsible for enterprise risk management.”
Additional Resources
Following are additional resources related to the State of Software Security Report:
Veracode will host a webinar on October 13, 2010 at 4pm UK time/11 a.m. ET to discuss Volume 2 findings in more detail. To register for the event, go to: http://www.veracode.com/events/index.html.
Veracode CEO Matt Moynahan posted a blog with his perspectives on the findings, available at http://www.veracode.com/ceo-blog, along with a brief video interview.
To download the complete State of Software Security Report: Volume 2, go to: http://www.veracode.com/reports/index.html
Report Methodology
The State of Software Security draws on continuously updated information in Veracode’s cloud-based application risk management services platform. New in Volume 2 is data from third-party assessments, the first inclusion of PHP and ColdFusion applications, a comparison of static binary, dynamic and manual testing effectiveness, and additional depth on financial industry applications. The data comes from actual code-level analysis of billions of lines of code and thousands of applications. The resulting security intelligence cannot be found anywhere else. It represents multiple testing methodologies (static binary, dynamic and manual) on the full spectrum of application types (components, shared libraries, web and non-web applications) and programming languages (including Java, C/C++, .NET, ColdFusion and PHP) from every part of the software supply chain (Internally Developed, Open Source, Outsourced, Commercial).