Research shows greater customer and auditor expectations drive need for improved software assurance
Veracode, Inc., a leader in cloud-based application security testing, has revealed the availability of a whitepaper, ‘Outsourcing the problem of software security’, produced by primary research and analysis company, Quocirca.
This whitepaper is based on original research, commissioned by Veracode, and examines how UK and US businesses are deploying in-house developed and commercially acquired software and the measures in place for ensuring the security quality of these applications.
Quocirca interviewed 100 organisations with more than 1,000 employees, distributed equally in the US and the UK in the financial services, manufacturing, retail, distribution, transport and other commercial sectors.
Hundreds of applications are tracked by the average business
One key finding from the report is that companies are now tracking more critical applications than ever (the average for a financial services company is approximately 800 separate applications) and that the use of software-as-a-service (SaaS) applications and the use of mobile apps is now widespread.
While the breadth of available applications has productivity benefits for businesses and their employees, it also increases security issues, especially as more and more applications are web-enabled. The research found that many customers and auditors seek assurances from suppliers with regards to the security of applications that underpin business processes. In the US, 50 percent of the organisations interviewed said that customers demand guarantees about software security, in the UK it was 20 percent. However, auditors are more focused on software security in the UK than in the US, with 50 percent of UK auditors seeking guarantees, as opposed to 40 percent in the US.
Measuring software security against established benchmarks
Both commercial software developers and end-users developing applications in-house face challenges in ensuring the software they develop and deploy meets key security criteria, often defined by external standards, including the Open Web Application Security Project (OWASP), Payment Card Industry Data Security Standard (PCI DSS) and the CWE/SANS Top 25 most dangerous software errors. The National Institute of Standards and Technology (NIST) estimates that fixing a flaw in a production application can cost up to 25 times as much as it would if the flaw was prevented during the coding phase.
The report also reviews the different approaches to establishing an application security program, from developer education, (static and dynamic), through penetration testing (pen-testing), static and dynamic code and binary analysis to web application firewalls (WAFs).
The benefits of on-demand vs on-premise software testing
The report concludes that techniques such as maximising the use of software testing early in the application development life cycle is key to keeping costs down and improving productivity for end-users and application developers. This can be done through on-demand software testing services or in-house tools. Out of these two approaches the report concludes that on-demand services have the benefit of scale; their providers scan software from hundreds of customers a day and are cognisant of all the common flaws as well as rarely seen ones.
Software testing services are also generally paid for on a per- application basis with unlimited scanning rights regardless of the number of programmers. The infrastructure and staffing overheads are incurred by the service provider and therefore shared between many customers. Any analysis of the relative costs of on-premise tools and on-demand services must take this into account.
“Outsourcing the software security testing process has benefits for both commercial software developers and companies developing applications in-house.” said Bob Tarzey, Director at Quocirca. ”The use of on-demand services should not only be more cost effective, but they should be far more comprehensive in identifying flaws and preventing vulnerabilities because of the scale of the operations of the providers of such services.”
“Testing just your mission-critical applications is no longer an option. Organizations have to find a way to test all applications (both the ones they build or buy) quickly to truly manage risk from this exposed layer of their infrastructure. Leveraging automation to achieve scale and applying multiple testing techniques is the key to success,” said Sam King, SVP, Product Marketing, Veracode.
To download the whitepaper, please visit:
To register for a webinar with Quocirca & Veracode discussing the issues raised by this report, please visit:
Veracode is the only independent provider of cloud-based application intelligence and security verification services. The Veracode platform provides the fastest, most comprehensive solution to improve the security of internally developed, purchased or outsourced software applications and third-party components. By combining patented static, dynamic and manual testing, extensive eLearning capabilities, and advanced application analytics, Veracode enables scalable, policy-driven application risk management programs that help identify and eradicate numerous vulnerabilities by leveraging best-in-class technologies from vulnerability scanning to penetration testing and static code analysis. Veracode delivers unbiased proof of application security to stakeholders across the software supply chain while supporting independent audit and compliance requirements for all applications no matter how they are deployed, via the web, mobile or in the cloud. Veracode works with customers in more than 80 countries worldwide including Global 2000 brands such as Barclays PLC and Computershare as well as the California Public Employees’ Retirement System (CalPERS) and the Federal Aviation Administration (FAA). For more information, visit www.veracode.com, follow on Twitter: @Veracode or read the Veracode Blog.
Quocirca is a research and analysis company with a primary focus on the European market. Quocirca produces free to market content aimed at IT decision makers and those that influence them in business of all sizes and public sector organisations. Much of the content Quocirca produces is based on its own primary research.
For this primary research, Quocirca has native language telephone interviewing capabilities across Europe and is also able to cover North America and the Asia Pacific region. Research is conducted one-to-one with individuals in target job roles to ensure the right questions are being asked of the right people. Comparative results are reported by geography, industry, size of business, job role and other parameters as required.
The research is sponsored by a broad spectrum of IT vendors, service providers and channel organisations. However, all Quocirca content is written from an independent standpoint and addresses the issues with regard to the use of IT within the context of an organisation, rather than specific products. Therefore, Quocirca’s advice is free from vendor bias and is based purely on the insight gained through research, combined with the broad knowledge and analytical capabilities of Quocirca’s analysts who focus on the “big picture”.
Quocirca is widely regarded as one of the most influential analyst companies in Europe. Through its close relationships with the media, Quocirca articles and reports reach millions of influencers and decision makers. Quocirca reports are made available through many media and portal partners. www.quocirca.com