 Application Security Testing Should Be Mandatory For Outsourced Development
RealWire

Response to Quocirca report “Why application Security is crucial”

A new report published today by European technology analysis group Quocirca, based on a survey of 250 C-level executives in UK, Germany and the UK, suggests that 90% of organisations are outsourcing more than 40% of their code. Other findings in the survey are:

•   78% of organisations state that software development is business critical for them yet
•   at the same time 60% of companies that outsource the coding of their critical applications do not demand that security is built into their applications.

Matt Moynahan, CEO of Veracode, responds to this survey by highlighting the need for application security testing of code to become mandatory:

“With almost £100 billion in custom code being developed in locations such as India, China, Eastern Europe and South America, many businesses have rushed to take advantage of cost savings and flexibility in their striving for competitive advantage… At the same time attacks on applications – the weakest links in the corporate security chain – have grown exponentially. Organisations relying on outsourcing application development need to demand independent verification of applications as part of their formal software acceptance criteria. Users are in a position to call the shots. As application security becomes the most pressing issue on the security agenda, users should veto service providers who cannot demonstrate that a full independent security audit has been conducted on their final deliverable to ensure proper security quality has been achieved,” said Matt Moynahan, CEO at Veracode.

According to Gartner, 75% of new attacks target the application layer directly, while software vulnerabilities have reached an all-time high, with over 7,000 new software vulnerabilities disclosed over the last year according to the National Vulnerability Database.

The conventional approach to solving this issue has been either to conduct costly and time-consuming manual penetration testing or to use source code testing tools. Testing at the source code level is not only impractical, as offshore code is often unavailable to the enterprise, but also insufficient. Offshore development is a multi-tier process with many parties involved, where growing types of threats – such as those coming from backdoors – are impossible to spot with traditional tools. Additionally, tools are typically run by the very same developers who are building the code, potentially implementing backdoors. Research from the US Department of Homeland Security points to a significant risk from backdoors and 23% of software packages used by US government employees have backdoors built into them.

Technology now exists – from organisations such as Veracode – that allows enterprises to conduct proper security audits by a trusted entity on the final application code as part of an organisation’s formal software acceptance, without the need for source or costly on-site consultants. Veracode inspects application code at the same level at which it is attacked – the binaries. By assessing the final application code, Veracode ensures that all threats, including vulnerabilities and malicious code, are detected, thereby providing the most complete security audit across internally developed applications, third-party commercial off-the-shelf software and offshore code. Additionally, Veracode delivers its offerings on a software-as-a-service basis, ensuring that application code can be independently verified and validated, irrespective of its source.

