Editor’s question

Paul Farrington, EMEA CTO at Veracode

As a society, our digital lives are dependent on code, whether it’s managing our banking, controlling our vehicles and critical infrastructure or operating our medical devices. Meanwhile, every business now relies on software as a source of strategic differentiation, competitive advantage and top-line revenue generation.

Cyberattackers have taken note of this increasing attack surface, compromising systems at an alarming rate, and breaches are hurting companies. According to Verizon’s 2019 Data Breach Investigations Report, 62% of breaches and 39% of incidents occur at the web application layer. While it is unclear exactly how the web applications were compromised in some cases, we can assume that attackers are scanning for specific web app vulnerabilities, exploiting them to gain access, inserting some kind of malware and harvesting payment card data to create a profit.

Meanwhile, analysis from Veracode’s most recent State of Software Security report shows that the number of vulnerable apps remains staggeringly high and open source components continue to present significant risks to businesses. More than 85% of all applications contain at least one vulnerability following the first scan and more than 13% of applications contain at least one very high severity flaw. In addition, organisations’ latest scan results indicate that one in three applications were vulnerable to attack through high or very high severity flaws.
Vendors must closely manage the security of their software, whether that’s software they buy, use or sell, in order to help prevent breaches and to retain the trust of their customers. It is easy to forget that third-party applications can be just as vulnerable as the applications companies build for themselves.
Leading organisations such as OWASP, the PCI Council, FS-ISAC and NIST are raising awareness about the need to better understand and reduce the security risks associated with the use of third-party software.

Why is this critical for maintaining strong vendor and end-user partnerships? Because when you install applications or software components from a third party, you also take ownership of all the vulnerabilities in their software. Since we now rely on software for everything – health, safety and well-being – a policy of ‘just trust me’ to handle the security of our software puts us all at risk. It is no longer acceptable to fail to demonstrate that you actually are producing secure software. There’s too much at stake and customers are aware of the risks created by their software supply chain. They want assurances and independent validation that the software they procure from their software providers is compliant with their corporate security policies.

After all, many other industries such as transportation, food and pharmaceuticals require independent audits and assessments related to product safety. This is a common practice of checks and balances aimed at addressing product issues that would otherwise harm consumers. Why should software be any different?
Issue 17 | www.intelligentciso.com