Government Sector Ranked Last in Remediating Web and Mobile Application Vulnerabilities

By ISBuzz Team, June 29, 2015 (updated April 30, 2025)

Veracode’s 2015 State of Software Security Report benchmarks risk profiles for 34 industries across seven vertical markets

Veracode, a leader in protecting enterprises from today’s pervasive web and mobile application threats, released the 2015 State of Software Security report, which reveals concerning benchmark analytics from its cloud-based platform. The report shows that web and mobile applications produced or used by government organisations are more likely than those in other industries to fail standard security policies such as the OWASP Top 10 when initially assessed for risk.

Veracode’s analytics also show that government organisations only remediate 27 percent of application vulnerabilities once detected – last among the seven vertical markets analysed. Moreover, government applications have the highest prevalence of SQL Injection vulnerabilities – commonly used to steal sensitive data from databases – upon initial assessment. In contrast, financial services and manufacturing ranked best across most categories, with healthcare, retail and hospitality near the bottom.

As organisations increasingly rely on software to drive their businesses, the threat surface available to cyberattackers has dramatically expanded. As a result, one of the leading causes of data breaches over the past two years has been vulnerable applications, according to Verizon’s 2015 Data Breach Investigations Report. Yet, analytics collected from more than 200,000 application risk assessments over the last 18 months found a wide disparity in how the problem is addressed across industries.

Organised into seven vertical markets for simplified benchmarking – government, financial services, retail and hospitality, technology, manufacturing, healthcare and other – Veracode’s 2015 State of Software Security Report reveals that:

  • Reliance on outdated programming languages has hamstrung government security. The government ranks last among vertical markets, with three out of four government applications failing the OWASP Top 10 when initially assessed for risk. Part of the reason for this is that many government agencies still use older programming languages such as ColdFusion, which are known to produce more vulnerabilities.
  • The financial services and manufacturing industries’ attention to software security pays off. In contrast to the government sector, organisations in financial services and manufacturing more proactively remediate the majority of their vulnerabilities (65 and 81 percent respectively). These results appear to indicate a higher institutional awareness of application security risk and a stronger emphasis on enforcing enterprise-wide policies, monitoring key performance indicators (KPIs) and instituting continuous improvement processes.
  • Healthcare organisations fare poorly. Given the large amount of sensitive data collected by healthcare organisations, it’s concerning that 80 percent of healthcare applications exhibit cryptographic issues such as weak algorithms upon initial assessment. In addition, healthcare fares near the bottom of the pack when it comes to addressing remediation, with only 43 percent of known vulnerabilities being remediated.
  • Significant risk is introduced by the software supply chain. Nearly three out of four applications produced by third-party software vendors and SaaS suppliers fail the OWASP Top 10 when initially assessed.

Significant Impact of Remediation Coaching Services

The data also shows that remediation coaching services have a big impact on reducing application-layer risk. Development organisations that use Veracode’s remediation coaching services improve the security of their code by a factor of two and a half compared to those that choose to do it on their own. Delivered by security and development experts, these on-demand services help developers understand secure coding practices and remediate vulnerabilities more quickly and efficiently.

“Every industry faces the challenge of securing web and mobile applications – which are continuously growing in both volume and complexity – across disparate and geographically-distributed development teams,” said Chris Wysopal, Veracode CISO and CTO. “In 2014, we helped our customers identify and remediate 4.7 million vulnerabilities, significantly reducing enterprise risk. This report clearly shows that industries that ‘get it’ have been able to achieve substantial success while others still struggle to manage the problem at scale.”

Enhanced Analytics for Improved Risk Visibility

To help customers address the challenge of benchmarking disparate development teams and drive continuous improvement across both in-house and externally-sourced code, Veracode has recently enhanced its built-in security analytics capabilities with a new business intelligence (BI) engine. The new analytics engine – integrated with Veracode’s central cloud-based platform – gives customers an instant view of their risk posture and the current status of their global application security programmes.

In particular, the self-service data mart can be queried to provide customisable views of key metrics such as scanning volume, compliance with corporate policies, and remediation status, simplifying the creation of management-level dashboards. Built-in comparison charts allow benchmarking by business unit or development team; by severity of vulnerabilities and business criticality of applications; and by third-party software vendor.

The new analytics capability also makes it easier for multiple stakeholders across the organisation – including management, security, development and internal audit professionals – to collaborate and share information using consistent policies and metrics, to drive towards better software security.

The full State of Software Security report can be found HERE

Methodology

The State of Software Security draws on continuously-updated information from Veracode’s cloud-based platform. Unlike a survey, the data comes from actual code-level analysis of billions of lines of code uploaded to the platform by our customers, across a range of industries and geographies.

This report captures data collected over the past 18 months from 208,670 application scans performed via our cloud-based platform. It summarises information about applications produced by organisations from 34 different industries that we have organised into seven vertical markets.

About Veracode

Veracode is a leader in securing web, mobile and third-party applications for the world’s largest global enterprises. By enabling organizations to rapidly identify and remediate application-layer threats before cyberattackers can exploit them, Veracode helps enterprises speed their innovations to market – without compromising security. Veracode’s cloud-based platform, deep security expertise and systematic, policy-based approach provide enterprises with a simpler and more scalable way to reduce application-layer risk across their global software infrastructures. Veracode serves hundreds of customers across a wide range of industries, including nearly one-third of the Fortune 100, three of the top four U.S. commercial banks and more than 20 of Forbes’ 100 Most Valuable Brands.
