Formal software security testing programs are lacking at many enterprises, but the trend is moving in the right direction, according to application security vendor Veracode, which analyzed software submitted to its code scanning platform.
The volume of vendor-supplied software security assessments is growing, and Veracode said the increase is being fueled by demands from its enterprise customers.
A decade ago many enterprises had teams of developers to build custom software, but today many companies rely on third-party firms for application development, said Chris Wysopal, a noted software security expert and CTO of Veracode Inc. Enterprise CISOs are learning that they need to gain visibility into, and some level of control over, the development process, he said. "Today companies either buy software from a specialized vendor or outsource the development of custom software," Wysopal said. "It's almost always the case that the customer is forcing the review process to happen."
Burlington, Mass.-based Veracode reviewed 939 application builds submitted to its software security testing platform during the 18-month period from January 2011 to June 2012. The number of requests for a code review of vendor-supplied software remains relatively low: fewer than one in five enterprises has requested a code-level security test from at least one vendor. However, the volume of vendor-supplied software assessments continues to grow, with a 49% increase from the first quarter of 2011 to the second quarter of 2012.
The analysis found that only 38% of vendor-supplied applications complied with enterprise-defined policies. Common coding errors are widespread in the software, and some of the most prevalent vulnerabilities in vendor applications appear on industry lists of the most dangerous flaws, Veracode said.
Veracode detected common coding errors ranging from cross-site scripting (XSS) flaws to SQL injection errors. Four of the top five flaw categories found in Web applications also appear on the OWASP Top 10 list of the most dangerous flaws, Veracode said. Of the 939 application builds submitted, 78% contained information leakage, 71% had XSS errors and 67% had cryptographic errors.
Wysopal said enterprises that develop a formal code review process for custom-built or third-party software are going to be able to assess a greater number of applications. The result is applications that are less vulnerable to attack. The study found that 62% of applications fail to reach compliance on first submission. Wysopal advocates a mixture of static and dynamic code analysis. A manual review is better still, but very costly because it is time intensive, he said.
"The whole thing is driven by enterprise policy," Wysopal said. "The enterprise has to put policy in place to outline the criticality of defects that are required to be fixed and a certain time frame to get them fixed."
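The policy Wysopal describes has two parts: which defect severities a vendor is required to fix, and how long the vendor has to fix them. Below is an added example of how an enterprise can encode such a policy as an acceptance check over scan findings. It is example code written for this page, not Veracode's platform or any vendor's code; the severity limits, the banned categories, the `Finding` fields and the sample findings are all assumptions constructed to illustrate the check.

```python
"""Policy-driven acceptance check for vendor-supplied application scan results.

Everything here is illustrative: the remediation limits, banned categories,
Finding schema and sample findings are assumptions constructed for this
example, not Veracode platform defaults or real scan output.
"""
from dataclasses import dataclass, replace
from datetime import date

# Enterprise policy (assumed). For each severity the enterprise requires fixed,
# the number of days a finding may remain open after it is first detected.
# A finding is compliant while days_open < limit, so a limit of 0 means that
# severity is never accepted in a build. Severities not listed (e.g. "low")
# are tracked but do not block acceptance.
REMEDIATION_DAYS = {
    "critical": 0,
    "high": 30,
    "medium": 90,
}

# Flaw categories rejected regardless of the scanner's severity rating (assumed).
BANNED_CATEGORIES = {"sql_injection", "os_command_injection"}


@dataclass(frozen=True)
class Finding:
    flaw_id: str
    category: str      # e.g. "xss", "sql_injection", "information_leakage"
    severity: str      # "critical" | "high" | "medium" | "low"
    first_seen: date   # date the flaw first appeared in ANY build of this application
    fixed: bool = False


def policy_violations(findings, today, limits=REMEDIATION_DAYS, banned=BANNED_CATEGORIES):
    """Return a list of policy violations for a build scanned on `today`.

    Re-scans of the same application must carry `first_seen` forward from the
    first build in which a flaw appeared; if the clock resets on every
    submission, the time-frame rule can never fire.
    """
    violations = []
    for f in findings:
        if f.fixed:
            continue
        if f.category in banned:
            violations.append(f"{f.flaw_id}: {f.category} is never accepted")
            continue
        limit = limits.get(f.severity)
        if limit is None:
            continue  # severity the policy does not require fixed
        days_open = (today - f.first_seen).days
        if days_open >= limit:
            violations.append(
                f"{f.flaw_id}: {f.severity} {f.category} open {days_open} days, limit {limit}"
            )
    return violations


def is_compliant(findings, today, **kw):
    return not policy_violations(findings, today, **kw)


def category_prevalence(builds):
    """Fraction of builds in which each flaw category is present (unfixed) at least once."""
    counts = {}
    for build in builds:
        for cat in {f.category for f in build if not f.fixed}:
            counts[cat] = counts.get(cat, 0) + 1
    return {cat: n / len(builds) for cat, n in counts.items()}


# Constructed sample data: one application submitted three times.
FIRST_SCAN = date(2012, 3, 1)
FIRST_BUILD = [
    Finding("F1", "xss", "high", FIRST_SCAN),
    Finding("F2", "information_leakage", "low", FIRST_SCAN),
    Finding("F3", "weak_crypto", "medium", FIRST_SCAN),
    Finding("F4", "sql_injection", "medium", FIRST_SCAN),
]

# Resubmitted 45 days later: the SQL injection was fixed, the XSS was not.
RESCAN = date(2012, 4, 15)
SECOND_BUILD = FIRST_BUILD[:3] + [replace(FIRST_BUILD[3], fixed=True)]

# Third submission: XSS fixed; the low-severity leak and the medium crypto flaw
# remain open but are still within policy.
THIRD_BUILD = [replace(FIRST_BUILD[0], fixed=True)] + SECOND_BUILD[1:]

if __name__ == "__main__":
    for label, build, day in (("first", FIRST_BUILD, FIRST_SCAN),
                              ("second", SECOND_BUILD, RESCAN),
                              ("third", THIRD_BUILD, RESCAN)):
        v = policy_violations(build, day)
        print(f"{label} submission: {'PASS' if not v else 'FAIL'}")
        for line in v:
            print("   ", line)
    print(category_prevalence([FIRST_BUILD, SECOND_BUILD, THIRD_BUILD]))
```

The first submission fails on the banned category alone, since every time-based clock is at zero on the day a flaw is first detected; the second fails because the high-severity XSS has been open longer than the 30-day window; the third passes with non-required findings still open. The design point is that the policy, not the scanner's raw severity, decides acceptance, and that the remediation clock only works if first-detection dates survive across submissions.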
The one drawback of a cloud-based application code scanning service is that the findings and vulnerability details reside on a third party's systems, said Phil Cox, director of security and compliance at Santa Barbara, Calif.-based cloud management vendor RightScale Inc. "You've extended your trust boundary," Cox said.
Nick Selby, CEO of Southlake, Texas-based StreetCred Software Inc., said customer demands drove his firm to have its hardware appliance thoroughly tested through application code review and penetration testing. The appliance taps into various law enforcement systems and collects sensitive data that needs extra layers of protection, according to Selby.
The code review and penetration test reports help reassure customers that the company takes security seriously, said Selby, an information security consultant and Texas police officer. "We wouldn't have done it any other way," Selby said. "This is about establishing trust with our clients."