Growth in SaaS, Mobile Applications Increases Requirement for Software Security Testing at Scale

Veracode Inc. recently announced the availability of a whitepaper, ‘Outsourcing the problem of software security’, produced by primary research and analysis company, Quocirca.

This whitepaper is based on original research, commissioned by Veracode, and examines how UK and US businesses are deploying both in-house developed and commercially acquired software and the measures in place for ensuring the security quality of these applications.

Quocirca interviewed 100 medium to large organisations with greater than 1,000 employees, distributed equally in the US and the UK in the financial services, manufacturing, retail, distribution, transport and other commercial sectors.

Hundreds of applications are tracked by the average business

One key finding from the report is that companies are now tracking more critical applications than ever (the average for a financial services company is approximately 800 separate applications) and that the use of software-as-a-service (SaaS) applications and the use of mobile apps is now widespread.

While the breadth of available applications has productivity benefits for businesses and their employees, it also increases security issues, especially as more and more applications are web-enabled. The research found that many customers and auditors seek assurances from suppliers with regards to the security of applications that underpin business processes. In the US, 50 percent of the organisations interviewed said that customers demand guarantees about software security, in the UK it was 20 percent. However, auditors are more focused on software security in the UK than in the US, with 50 percent of UK auditors seeking guarantees, as opposed to 40 percent in the US.

Measuring software security against established benchmarks

Both commercial software developers and end-users developing applications in-house face challenges in ensuring the software they develop and deploy meets key security criteria, often defined by external standards, including the Open Web Application Security Project (OWASP), Payment Card Industry Data Security Standard (PCI DSS) and the CWE/SANS Top 25 most dangerous software errors. The National Institute of Standards and Technology (NIST) estimates that fixing a flaw in a production application can cost up to 25 times as much as it would if the flaw was prevented during the coding phase.

The report also reviews the different approaches to establishing an application security program, from developer education, (static and dynamic), through penetration testing (pen-testing), static and dynamic code and binary analysis to web application firewalls (WAFs).

The benefits of on-demand vs on-premise software testing

The report concludes that techniques such as maximising the use of software testing early in the application development life cycle is key to keeping costs down and improving productivity for end-users and application developers. This can be done through on-demand software testing services or in-house tools. Out of these two approaches the report concludes that on-demand services have the benefit of scale; their providers scan software from hundreds of customers a day and are cognisant of all the common flaws as well as rarely seen ones.

Software testing services are also generally paid for on a per- application basis with unlimited scanning rights regardless of the number of programmers. The infrastructure and staffing overheads are incurred by the service provider and therefore shared between many customers. Any analysis of the relative costs of on-premise tools and on-demand services must take this into account.

“Outsourcing the software security testing process has benefits for both commercial software developers and companies developing applications in-house,” said Bob Tarzey, Director at Quocirca. ”The use of on-demand services should not only be more cost effective, but they should be far more comprehensive in identifying flaws and preventing vulnerabilities because of the scale of the operations of the providers of such services.”

“Testing just your mission-critical applications is no longer an option. Organizations have to find a way to test all applications (both the ones they build or buy) quickly to truly manage risk from this exposed layer of their infrastructure. Leveraging automation to achieve scale and applying multiple testing techniques is the key to success,” said Sam King, SVP, Product Marketing, Veracode.

To download the whitepaper, please visit: http://info.veracode.com/Quocirca_Outsourcing_Software_security.html

Featured

  • New Report Reveals Top Security Risks for U.S. Retail Chains

    Interface Systems, a provider of security, actionable insights, and purpose-built networks for multi-location businesses, has released its 2024 State of Remote Video Monitoring in Retail Chains report. The detailed study analyzed over 2 million monitoring requests across 4,156 retail locations in the United States from September 2023 to August 2024. Read Now

  • Gaining a Competitive Edge

    Ask most companies about their future technology plans and the answers will most likely include AI. Then ask how they plan to deploy it, and that is where the responses may start to vary. Every company has unique surveillance requirements that are based on market focus, scale, scope, risk tolerance, geographic area and, of course, budget. Those factors all play a role in deciding how to configure a surveillance system, and how to effectively implement technologies like AI. Read Now

  • 6 Ways Security Awareness Training Empowers Human Risk Management

    Organizations are realizing that their greatest vulnerability often comes from within – their own people. Human error remains a significant factor in cybersecurity breaches, making it imperative for organizations to address human risk effectively. As a result, security awareness training (SAT) has emerged as a cornerstone in this endeavor because it offers a multifaceted approach to managing human risk. Read Now

  • The Stage is Set

    The security industry spans the entire globe, with manufacturers, developers and suppliers on every continent (well, almost—sorry, Antarctica). That means when regulations pop up in one area, they often have a ripple effect that impacts the entire supply chain. Recent data privacy regulations like GDPR in Europe and CPRA in California made waves when they first went into effect, forcing businesses to change the way they approach data collection and storage to continue operating in those markets. Even highly specific regulations like the U.S.’s National Defense Authorization Act (NDAA) can have international reverberations – and this growing volume of legislation has continued to affect global supply chains in a variety of different ways. Read Now

Featured Cybersecurity

Webinars

New Products

  • QCS7230 System-on-Chip (SoC)

    QCS7230 System-on-Chip (SoC)

    The latest Qualcomm® Vision Intelligence Platform offers next-generation smart camera IoT solutions to improve safety and security across enterprises, cities and spaces. The Vision Intelligence Platform was expanded in March 2022 with the introduction of the QCS7230 System-on-Chip (SoC), which delivers superior artificial intelligence (AI) inferencing at the edge. 3

  • ResponderLink

    ResponderLink

    Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols. 3

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area. 3