Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

4/24/2012
10:21 AM
50%
50%

Veracode Study Of Software Related Cybersecurity Risks In Public Companies Finds Majority Of Applications Are A Risk

Report hones in on the vulnerabilities in the software applications of publicly traded companies

LONDON, April 24, 2012 /PRNewswire/ -- Veracode, Inc., the leader in cloud-based application security testing, today released a feature supplement of its annual "State of Software Security Report" which showed that 84 percent of web applications from public companies were deemed unacceptable when measured against the OWASP Top 10, a widely used industry standard list of critical and most frequently exploited web application vulnerabilities.

Non-web applications such as backend operational systems and desktop commercial applications in use at public companies also showed a poor performance with a 63 percent failure rate when measured against the CWE/SANS Top 25 - an industry standard list of critical non-web application vulnerabilities.

Unlike previous Veracode State of Software Security reports, this feature supplement hones in particularly on the vulnerabilities in the software applications of publicly traded companies, following new SEC guidance issued in the US last year relating to disclosure of cybersecurity risks in company filings.

"Companies - particularly public ones - are beginning to be measured by regulators and investors on the strength of their cybersecurity solution and ability to protect intellectual property and customer data. This is a fundamental shift," said Chris Wysopal, founder, CISO and CTO, Veracode.

"Companies can put all of the other cybersecurity controls in place but if there are application weaknesses, hackers have the will and time to find and exploit them. The issue simply can not be neglected anymore. Over the last year some of the most prominent breaches that were carried out against the most preeminent names in business took advantage of weaknesses in software applications to infiltrate traditional perimeter defence security controls. This should be a wake up call. Particularly in public company disclosures, the issue needs to be discussed in much more detail."

Public companies fare no better than companies at large on software security or developer knowledge: Despite public companies having greater compliance requirements and usually more funding, only 16 percent of public company web applications passed initial testing compared to 14 percent for all companies at large - as measured by compliance against the OWASP Top 10 industry standard. The performance for non-web applications is worse for public companies, with 38 percent passing against the CWE/SANS industry standard opposed to 42 percent from all companies.

Reliance on third-party applications is widespread, but formal risk assessments are not: With many applications being bought as commercial-off-the-shelf applications, custom developed outsourced projects or software-as-a-service, managing the risks inherited from third parties is an important factor. However, only one in five public companies has performed a formal verification on a third-party application, suggesting they are operating under a false sense of security or making an assumption that software procured from third-parties is secure upon entry.

Flat prevalence rates since 2012: With the two most frequently exploited vulnerability types - XSS and SQL injections - showing a statistically flat incidence rate from the first quarter of 2010 to the fourth quarter of 2011, the results suggest that new vulnerabilities are being introduced at the same rate as known vulnerabilities are being remediated.

Many companies defining custom policy chose to measure applications against PCI: Over 40 percent of public companies who defined a custom policy chose to measure their application against PCI or the OWASP Top 10 standard which underpins PCI. The main focus is on vulnerabilities that are most frequently exploited such as SQL Injection and Cross-site scripting.

Report Methodology

This Study of Software Related Cybersecurity Risks in Public Companies captures data collected from 126 public companies over the past 18 months from applications that were submitted to Veracode's cloud-based application security testing platform. These applications include both internally developed and those procured from third-party vendors.

One of the goals of the State of Software Security Report is to create greater awareness and security intelligence about the risks of unknown vulnerabilities lurking in everyday applications. The results are aimed at creating a greater sense of urgency around the problem of insecure software, while also giving organisations the information they need to quickly take action. Veracode also emphasises the ease with which organisations can incorporate software testing into current development cycles.

Download the Report

Veracode's Study of Software Related Cybersecurity Risks in Public Companies examines additional software security topics in context of application threat space trends, including details on the most commonly exploited vulnerabilities, risks associated with public company software applications, as well as factors driving application security policies in public companies. For complete report findings, download a copy of the report by visiting: http://www.veracode.com/soss

About Veracode

Veracode is the only independent provider of cloud-based application intelligence and security verification services. The Veracode platform provides the fastest, most comprehensive solution to improve the security of internally developed, purchased or outsourced software applications and third-party components. By combining patented static, dynamic and manual testing, extensive eLearning capabilities, and advanced application analytics, Veracode enables scalable, policy-driven application risk management programs that help identify and eradicate numerous vulnerabilities by leveraging best-in-class technologies from vulnerability scanning to penetration testing and static code analysis. Veracode delivers unbiased proof of application security to stakeholders across the software supply chain while supporting independent audit and compliance requirements for all applications no matter how they are deployed, via the web, mobile or in the cloud. Veracode works with customers in more than 80 countries worldwide representing Global 2000 brands. For more information, visit www.veracode.com, follow on Twitter: @Veracode or read the Veracode Blog.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31618
PUBLISHED: 2021-06-15
Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of these restrictions and HTTP response is sent to the client with a status code indicating why...
CVE-2021-20027
PUBLISHED: 2021-06-14
A buffer overflow vulnerability in SonicOS allows a remote attacker to cause a Denial of Service (DoS) by sending a specially crafted request. This vulnerability affects SonicOS Gen5, Gen6, Gen7 platforms, and SonicOSv virtual firewalls.
CVE-2021-32684
PUBLISHED: 2021-06-14
magento-scripts contains scripts and configuration used by Create Magento App, a zero-configuration tool-chain which allows one to deploy Magento 2. In versions 1.5.1 and 1.5.2, after changing the function from synchronous to asynchronous there wasn't implemented handler in the start, stop, exec, an...
CVE-2021-34693
PUBLISHED: 2021-06-14
net/can/bcm.c in the Linux kernel through 5.12.10 allows local users to obtain sensitive information from kernel stack memory because parts of a data structure are uninitialized.
CVE-2021-27887
PUBLISHED: 2021-06-14
Cross-site Scripting (XSS) vulnerability in the main dashboard of Ellipse APM versions allows an authenticated user or integrated application to inject malicious data into the application that can then be executed in a victim’s browser. This issue affects: Hitachi ABB Power Grids ...