Business must demand security proof before buying software

Instances of multiple recent zero-day vulnerabilities in Microsoft, Adobe and Siemens software prove that third-party applications have become a major security threat.

Instances of multiple recent zero-day vulnerabilities in Microsoft, Adobe and Siemens software prove that third-party applications have become a major security threat.

Exploits of these vulnerabilities show that identifying security flaws in third-party applications is now a well-established attack vector, and constitutes a major threat to business information security, says security firm NGS Secure of the NCC Group.

More than half the software commonly used by businesses fails to meet acceptable levels of security, a study of 2,900 applications has revealed.

"For corporate users, it underlines the need to have tight controls over all software products running across business networks," says Vlissidis.

This is especially important, he says, for software that has access to the internet either directly, or via plug-ins supporting browsers and e-mail attachments.

Third-party risk

Third-party applications have the lowest security quality, the study by code-analysis firm Veracode found, with suppliers failing to achieve acceptable levels of security 81% of the time.

This should be a serious concern for businesses because the study found that third-party applications represent 20% to 37% of critical software, and between 30% and 70% of internally developed software contains third-party components.

The code analysis found that 80% of web applications exhibited the top-10 application security risks defined by the Open Web Application Security Project (OWASP), which means most web applications in use by enterprises would fail a payment card industry data security standard (PCI DSS) audit.

Greater software industry accountability is therefore critical, but what can businesses, that have always borne the patching and other costs associated with security flaws in software used to run their operations, do to bring about a market shift?


The solution to the problem is simple, according to Matt Moynahan, chief executive of Veracode.

Barclays, Fidelity, Hong Kong and Shaghai Bank and other organisations with low tolerance for risk are putting in place policies that require third-party software suppliers to prove that their code is secure, which could be game-changing, he says.

These organisations are leading the way for a shift in the power-balance in the software market by requiring software suppliers to prove that their products meet market standards.

With up to 75% of all software already running in major corporations at risk from attack, businesses are starting to refuse to allow software into their organisations that is not proven to be free of the top security vulnerabilities identified by organisations such as OWASP and the SANS Institute, says Moynahan.

The way to force a change, he says, is to insist that applications achieve a particular rating against these standards, or at least conform to the requirements of the payment card industry's data protection standard (PCI DSS).

IBM and HP have begun offering businesses services for evaluating code as part of the code development process, but Moynahan claims Veracode is able to go a step further by providing independent analysis of third-party applications.

"No software supplier is going to give up their source code for analysis because it represents their intellectual property, but Vercode is able to analyse the binary code of the final commercial products to assess," he says.

Code-level security analysis, then, potentially provides the key for business organisations to enforce minimum security requirements around the procurement of new software, as well as assess software they are already running before zero-day vulnerabilities are exploited.

The Veracode study shows that once businesses are able to identify specific vulnerabilities in software they are running, it takes IT teams only five to 16 days to fix it and bring the software up to an acceptable standard of security.

Read more on IT risk management