LONDON April 24, 2012 Veracode, Inc.
Non-web applications such as backend operational systems and desktop commercial applications in use at public companies also showed a poor performance with a 63 percent failure rate when measured against the CWE/SANS Top 25 – an industry standard list of critical non-web application vulnerabilities.
Unlike previous Veracode State of Software Security reports, this feature supplement hones in particularly on the vulnerabilities in the software applications of publicly traded companies, following new SEC guidance issued in the US last year relating to disclosure of cybersecurity risks in company filings.
"Companies can put all of the other cybersecurity controls in place but if there are application weaknesses, hackers have the will and time to find and exploit them. The issue simply can not be neglected anymore. Over the last year some of the most prominent breaches that were carried out against the most preeminent names in business took advantage of weaknesses in software applications to infiltrate traditional perimeter defence security controls. This should be a wake up call. Particularly in public company disclosures, the issue needs to be discussed in much more detail."
Public companies fare no better than companies at large on software security or developer knowledge:
Reliance on third-party applications is widespread, but formal risk assessments are not:
Flat prevalence rates since 2012:
Many companies defining custom policy chose to measure applications against PCI:
One of the goals of the State of Software Security Report is to create greater awareness and security intelligence about the risks of unknown vulnerabilities lurking in everyday applications. The results are aimed at creating a greater sense of urgency around the problem of insecure software, while also giving organisations the information they need to quickly take action. Veracode also emphasises the ease with which organisations can incorporate software testing into current development cycles.
Download the Report
Copyright © 2012 Veracode, Inc. All Rights Reserved. All other brand names, product names, or trademarks belong to their respective holders.
SOURCE Veracode, Inc.