EDITOR'S QUESTION

PAUL FARRINGTON, EMEA CTO AT VERACODE
As a society, our digital lives are dependent on code, whether it's managing our banking, controlling our vehicles and critical infrastructure or operating our medical devices. Meanwhile, every business now relies on software as a source of strategic differentiation, competitive advantage and top-line revenue generation. Cyberattackers have taken note of this increasing attack surface, compromising systems at an alarming rate, and breaches are hurting companies.
According to Verizon's 2019 Data Breach Investigations Report, 62% of breaches and 39% of incidents occur at the web application layer. While it is unclear exactly how the web applications were compromised in some cases, we can assume that attackers are scanning for specific web app vulnerabilities, exploiting them to gain access, inserting some kind of malware and harvesting payment card data to create a profit.
Meanwhile, analysis from Veracode's most recent State of Software Security report shows that the number of vulnerable apps remains staggeringly high and open source components continue to present significant risks to businesses. More than 85% of all applications contain at least one vulnerability following the first scan and more than 13% of applications contain at least one very high severity flaw. In addition, organisations' latest scan results indicate that one in three applications were vulnerable to attack through high or very high severity flaws.
Vendors must closely manage the security of their software, whether that's software they buy, use or sell, in order to help prevent breaches and to retain the trust of their customers. It is easy to forget that third-party applications can be just as vulnerable as the applications companies build for themselves.
Leading organisations such as OWASP, the PCI Council, FS-ISAC and NIST are raising awareness about the need to better understand and reduce the security risks associated with the use of third-party software.
Why is this critical for maintaining strong vendor and end-user partnerships? Because when you install applications or software components from a third party, you also take ownership of all the vulnerabilities in their software.
Since we now rely on software for everything – health, safety and well-being – a policy of 'just trust me' to handle the security of our software puts us all at risk.
It is no longer acceptable to fail to demonstrate that you actually are producing secure software. There's too much at stake and customers are aware of the risks created by their software supply chain. They want assurances and independent validation that the software they procure from their software providers is compliant with their corporate security policies.
After all, many other industries such as transportation, food and pharmaceuticals require independent audits and assessments related to product safety. This is a common practice of checks and balances aimed at addressing product issues that would otherwise harm consumers. Why should software be any different?