Veracode released a “State of Software Security” report detailing vulnerabilities found in software that large organizations rely on for business-critical processes. It finds that more than half of the nearly 1,600 internally developed, open source, outsourced, and commercial applications analyzed contained, on first submission, vulnerabilities similar to those exploited in the recent cyber attacks on Google, the U.S. Department of Defense, and others.
Highlights include the following key findings:
- 58 percent of software susceptible to large-scale attacks – more than half of the software deployed in enterprises today is potentially susceptible to an application-layer attack similar to that used in last year’s Heartland Payment Systems breach, or this year’s Google and U.S. Department of Defense security breaches. Depending on the standard applied (based on application criticality), between 58 percent and 88 percent of all applications submitted for verification did not achieve an acceptable security score upon first submission for testing.
- Open source myth dispelled – open source software has comparable security, faster remediation times, and fewer potential backdoors than commercial or outsourced software.
- Third parties are the “Achilles heel” in the software supply chain – 40 percent of all applications submitted at the request of large enterprises came from third parties, and more than 30 percent of all internally developed applications also included identifiable commercial, open source, and outsourced code. Yet software-related industries recorded the lowest security scores on first submission. In addition, the prevalence of C/C++ among both commercial and open source suppliers exposes system-compromising vulnerabilities (such as memory-safety flaws) to attackers.
- Finance, government sectors score better – More than half of applications in the financial-related industries and government sectors were deemed acceptable at first submission. This placed them at the top of the more than 15 industries represented in the data set.