03:29 PM
Connect Directly

Enterprises Pressure Software Vendors To Clean Up Their Apps

New Veracode software security report, BSIMM4 findings show enterprises driving third-party software vendors to write more secure code

More businesses are flexing their procurement muscles to pressure software vendors into supplying them with more secure code as their own in-house secure development programs mature.

New data gathered from software security testing-as-a-service vendor Veracode found that software vendors actually do a better job following their customers' application security policies than those of the industry: While 38 percent of vendor-supplied applications comply with their enterprise customers' policies for secure software, only 10 percent of software vendors' products tested by Veracode comply with OWASP's Top 10, and just 30 percent with the CWE/SANS Top 25. The enterprises covered in the report make more than $500 million in revenues.

"The realization that's happening now is that the supply chain is a big part of application security problems," says Chris Wysopal, CTO and co-founder of Veracode, which based its report on data from 939 application builds submitted to the company between January 2011 and June 2012. "Attackers are going more after the application tier, [including elements] that were not built by [the enterprise], but by someone else."

[Vulnerable technology supply chains have become a concern of security professionals and politicians alike, but a few steps could help minimize the possibility of attacks. See Preventing Infrastructure From Becoming An Insider Attack.]

The number of vendors getting their applications security-tested by Veracode grew nearly 50 percent during that 18-month period, much of which was prompted by prospective or existing customers requiring their vendors do so. The financial services, software/IT services, and technology industries are leading the way, according to Veracode's findings, accounting for more than half of the software assessment projects.

This trend jives with the latest findings of the Building Security In Maturity Model (BSIMM) study, BSIMM4, which was released in September by Cigital. Large enterprises, especially in the financial, pharmaceutical, and energy industries, for example, are driving the testing of third-party software, says Sammy Migues, a principal at Cigital who works on BSIMM. BSIMM is basically a case study of real-world software security initiatives, based on in-depth measurement of major enterprises.

"Firms are saying, 'I know you, software producer, don't have security compliance requirements, but I have compliance requirements out the wazoo, and you can no longer sell me software that makes it difficult for me to achieve compliance. That's unacceptable,'" Migues says.

Migues says some BSIMM participants are concerned about bugs popping up in external code they are deploying. "They are seeing more bugs in other people's code," but, of course, BSIMM participants are enterprises that are employing secure software development practices, he says. Some of these organizations then must have binary analysis performed on the external code or perform static analysis on the external code integrated into their apps, he says.

Some 22 of the 51 enterprises participating in the BSIMM4 report say they now include software security responsibilities in their service-level agreements with vendors, Migues says. "The next level of maturity for activity is creating an SLA boilerplate with legal and slapping it into the majority of outsourcing projects. Twenty-one of the 51 firms, about 40 percent, are doing that," he says.

Conventional wisdom used to be that if you don't ask for security requirements in software, you won't get them, and if you do, you're probably not going to get them, either, says Mano Paul, software assurance adviser for the ISC2. But that's now changing, he says.

"There has been awareness and recognition that, in fact, we are losing control of the software development process. But that cannot continue because losing control of security aspects are relevant when we outsource and procure software," Paul says.

The best bet is not to accept on face value that software vendors have cleaned up their code, but rather, verify it, he says.

"In the early days, security was always an afterthought. Now security is being asked for and mandated by regulations and other driving forces that make it become part of the product itself to integrated it or make it part of the SDL [secure development lifecycle]," he says. "The trend is [going] in the right direction ... but fully secure software is not going to happen."

It's more about making it harder for attackers to exploit software, he says, by adopting best practices and writing more secure and clean code.

Veracode, meanwhile, also found that most of its enterprise customers are still in the early phase of formal vendor software-testing programs: Less than one in five of its enterprise customers asked for a code-level test from at least one vendor. The SaaS vendor split enterprises into two categories: those with a formal or an informal method for choosing apps for testing. Those with a formal protocol had buy-in from security, business, and procurement teams, and strongly mandate vendor application testing. Others use more of a case-by-case, informal approach.

Some 45 percent of vendor applications became compliant within a week under the more formal enterprise programs, and 28 percent in the ad-hoc ones, according to Veracode's data. A tough security policy wasn't necessarily successful, however. "Setting a less rigorous compliance policy that vendors perceive as achievable encourages higher vendor participation," the report says.

Next Page: Vendor Fail Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

1 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Strategist
11/14/2012 | 1:57:26 AM
re: Enterprises Pressure Software Vendors To Clean Up Their Apps
Readers, do you think software developers should be required to get some sort of security certification?- (Posted by Tim Wilson, editor)
8 Ways Hackers Monetize Stolen Data
Steve Zurier, Freelance Writer,  4/17/2018
7 Non-Financial Data Types to Secure
Curtis Franklin Jr., Senior Editor at Dark Reading,  4/14/2018
Register for Dark Reading Newsletters
White Papers
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.