Outsourcing the problem of software security
7/31/2019 Outsourcing the problem of software security
Copyright Quocirca 2012
Bob Tarzey
Quocirca Ltd
Tel: +44 7900 275517
Email: [email protected]
Clive Longbottom
Quocirca Ltd
Tel: +44 771 1719 505
Email: [email protected]
Outsourcing the problem of software security
The benefits of using on-demand services to ensure security throughout the application life cycle
February 2012
Software applications are an integral part of 21st century business processes. The majority of software is still installed in-house, either as specially developed bespoke applications or commercially acquired packages. However, the proportion of software procured as a service is on the rise, as is the use of mobile apps and open source components. In addition, more and more in-house applications are being web-enabled and exposed to the outside world.
Regardless of its origin, the vast majority of software will contain flaws which can constitute a security risk, especially for those applications that are web-enabled. The cost of fixing a flaw increases the later it is found in the development, acquisition and deployment life cycle. There are a number of measures that can be taken to mitigate the problem and reduce the overall cost of managing software whilst ensuring better security. Increasingly, businesses are recognising the benefits of outsourcing at least some of the effort through the use of on-demand software testing services.
This report looks at how businesses are deploying software and what measures are in place for checking the security of applications. The report draws on new research conducted amongst US and UK enterprises from a range of industries and assesses the scale of the software security problem, the ways in which it can be mitigated, the extent to which this is being achieved, the costs involved and how these can be minimised.
The need to ensure the security of software has become paramount with the rapid increase in the number of applications used in any given organisation and the fact that more and more are being web-enabled. The measures taken to ensure software security need to be scalable, affordable and pervasive. To this end, the research presented in this report shows that the use of on-demand testing services has become widespread.
Software security has never been more critical to businesses
IT, and the software that drives it, underpin most 21st century business processes. Maintaining software is essential to ensure those business processes remain functional and that the data they rely on is not compromised. There has always been a need to make checks on the quality and security of internally installed software. However, as the use of software as a service and mobile apps has increased and more and more in-house applications are web-enabled and exposed to the internet, the need to scrutinise software for security flaws has intensified.
Hundreds of applications are tracked by the average business
Financial services organisations typically track around 800 mission-critical applications; those in other industries track around 400. These are the applications that are explicitly inventoried in an asset tracking system or recognised as a security risk; there will be many others. Over 80% of organisations still develop software in house, but the number deploying commercially acquired packages is not far behind and these applications constitute a higher proportion of the overall software portfolio of the average business.
Software security can, and should be, measured against established benchmarks
The flaws that commonly occur in different types of software are measured and reported by industry bodies. Their listings provide benchmarks against which software suppliers, their customers and auditors can assess how the security of a given application measures up against others. By definition, such lists cannot be comprehensive because new ways of exploiting flaws will always be found. Pervasive measures are needed to ensure overall software security as well as using recognised industry standards to show that acceptable base levels are in place.
Testing throughout the application life cycle reduces the long-term management costs
Checking in-house developed code at all stages of development, testing and deployment minimises the number of flaws. Commercially acquired binary code can also be scanned prior to deployment and at run-time. On-demand code testing services have the benefit of scale; their providers scan software from hundreds of customers a day and are cognisant of all the common flaws as well as rarely seen ones. The new research presented in this report shows that, for commercially acquired software, the use of code testing services is now about as common as the use of on-premise tools. The number using services for in-house code is increasing too.
Pen-testing and web application firewalls should be used selectively
Using third parties to penetration test (pen-test) applications is relatively expensive and code scanning services achieve many of the same objectives. For this reason, many organisations see pen-testing as a secondary approach targeted at the most mission-critical applications. Web application firewalls (WAF) do nothing to address primary software security flaws. Again, their use can be targeted at the most vulnerable applications where a multi-layered approach to security is deemed necessary.
The overall aim is to ensure better long-term software and security at a controlled cost
In many cases software security is not a choice. In the USA, approaching 50% of organisations say that their customers make it mandatory that certain levels of practice are demonstrated, when it comes to software security, as part of the procurement of any product or service. In the UK the figure is about 20%. However, where customers are not demanding guarantees, regulators often do and failure to comply can incur fines. Ensuring good practice at all stages of the application development, procurement and deployment life cycle means more secure software in the long term.
Conclusions
For today's businesses the use of software is not a choice; however, the methods chosen to improve software security and, in turn, the costs involved and the benefits achieved are. Using the right mix of approaches at all stages of the software development, procurement and deployment life cycle will improve the efficiency, reliability, security, compliance and competitiveness of business processes.
Introduction: the need for better software deployment practices
"It's scary to think that the infrastructure of the industrialised world is increasingly based on software like this" [1], commented an analyst in 1992 on a computer aided design package. Since then, nearly all businesses have gone online and applications that were once only used internally may be shared far and wide over the internet. Software is the lifeblood of IT systems and, as it underpins the operations of most businesses, it is critical to almost every contemporary business process. Has the quality of software improved since 1992?
The truth is that it has, because it has had to. In 1992, software security was less of an issue because the threat surface for any given application was far smaller. The widespread adoption of the internet has changed all that. Software security has become perhaps the most high profile issue and the need to address it at every stage of the application development, procurement and deployment life cycles is paramount.
As the number of applications used in any given organisation has increased and more and more of them have been exposed to the internet, software developers and the businesses they serve have had to address software quality issues to improve security. One of the ways to achieve this is to move away from an in-house DIY approach and to make use of knowledge and resources pooled across multiple businesses through working with specialist outsourcers who provide on-demand software testing services.
This report looks at the way both in-house developed and commercially acquired software is deployed and how well businesses are putting in place the measures for checking the security of the applications that their business processes depend on. The report draws on new Quocirca research conducted amongst US and UK enterprises from a range of industries and assesses the scale of the software security problem, the ways in which it can be mitigated, the extent to which this is being achieved, the benefits of various approaches, the costs involved and how these can be minimised.
Software everywhere
Figure 1 shows the average number of critical applications actually tracked by businesses for the industries covered in this report. There will be many others that are not tracked. Software comes from many sources. The majority of enterprises still develop bespoke software either internally or through working with outsourcers (Figure 2). They also make widespread use of commercially acquired software packages; in fact overall, these constitute the largest proportion of enterprise software in use (Figure 3), if in-house developed and outsourced bespoke software are considered separate categories. There is also increasingly widespread use of open source software and software for mobile devices as well as on-demand applications (software-as-a-service/SaaS).
By definition, on-demand applications are exposed to the internet and therefore invite probing by unauthorised users. However, businesses have increasingly been web-enabling their in-house developed and commercially acquired applications for use by remote employees, partners and customers. The extent to which this web-enablement was underway was examined in a 2007 Quocirca report, "Web-enabled applications and the internet" [2].
The distinction between non-web and web-enabled
applications is important from a risk perspective. The
former are afforded protection by other IT security
measures such as network firewalls and intrusion
prevention systems, whilst the latter are deliberately
exposed to the outside world and remote users are
invited in.
This is significant; the risks that flaws introduce are more likely to be exploited by hackers and malware writers for
web-enabled applications than internal ones. Their greater threat surface leaves them more vulnerable to common
exploits such as cross site scripting, CRLF (carriage return/line feed) injection, information leakage, SQL injection and
other common vulnerabilities.
Measuring software security
How common such vulnerabilities are is well understood, as there are bodies out there that measure this. For web-enabled applications there is the Open Web Application Security Project (OWASP). It publishes a list of the most common flaws and one way to measure the security of software code is by looking for how often the top 10 flaws in a given application (OWASP Top 10) occur. In the USA around 50% of respondents in the current research said their organisation did this, although fewer did so in the UK (Figure 4).
A broader list, the CWE/SANS Top 25 most dangerous software errors (CWE = Common Weakness Enumeration), covers the errors found in all software applications, including those not intended for exposure to the web. It is published by a collaboration between the SANS Institute, MITRE, and many top software security experts in the US and Europe. The list is used by a similar number of respondents as the OWASP Top 10 (Figure 5). Some organisations used both lists, whilst others rely on just one depending on the type of software involved. 32% of respondents to the current survey used neither for any type of application.
Measuring software against these lists provides a way of measuring and comparing software security. There are, of course, many more flaws that can occur and some will be far more serious from a security perspective than the common ones. Organisations like OWASP and CWE/SANS cannot be aware of every flaw that will ever occur and security measures must be ready to identify and/or defend against anything, including a previously unseen way of exploiting a flaw.
Veracode, a vendor that provides cloud-based application security testing services (and is the sponsor of this Quocirca report), publishes a report showing the degree to which the software it scans measures up against the OWASP Top 10 and CWE/SANS Top 25. The latest version of the report, State of Software Security V4 [3], shows that the majority of applications submitted to Veracode's service have flaws that are in one or other of these lists and fail on their first scan (customers set their own level against which they consider an application to have failed using a policy manager).
As Figures 4 and 5 show, these lists are not just used
to measure the security of internally developed
software but also commercially acquired software
packages and mobile apps. Although the majority of
organisations expect a level of verification of security
for commercially acquired software packages from
their suppliers (Figure 6), many also seek independent
checks against the lists of common flaws. 35% did not
seek supplier verification at all, always seeking
independent scrutiny instead; 26% sought both.
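To make the benchmark-and-policy idea concrete, here is an added Python example written for this page; it is not Veracode's policy manager or any other vendor's product. It takes a constructed list of scanner findings, records which benchmark lists each reported CWE belongs to, and applies a customer-chosen pass/fail policy of the kind the text describes. The CWE sets are a small illustrative subset chosen for the example rather than the full OWASP Top 10 or CWE/SANS Top 25 mappings, and the Finding, Policy and evaluate names are assumptions.

```python
"""Policy check of scan findings against benchmark lists.

Added example for this page, not any vendor's policy manager. Each finding
carries the CWE id a scanner reported; the evaluator records which benchmark
lists that CWE belongs to and a customer-chosen policy decides pass or fail.
"""
from dataclasses import dataclass

# Illustrative subsets only (assumption): a few CWE ids that the OWASP Top 10
# (2010) and the CWE/SANS Top 25 (2011) cover. The published lists are longer
# and group CWEs by category; consult them for a real mapping.
OWASP_TOP10_CWES = {79, 89, 22, 352, 601}
CWE_SANS_TOP25_CWES = {79, 89, 22, 352, 601, 78, 120, 327, 798}

BENCHMARKS = {
    "owasp_top10": OWASP_TOP10_CWES,
    "cwe_sans_top25": CWE_SANS_TOP25_CWES,
}

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    cwe: int          # CWE id reported by the scanner
    severity: str     # low | medium | high | critical
    location: str     # file or module the finding was reported in


@dataclass(frozen=True)
class Policy:
    """The level the customer sets, in the spirit of the policy manager the text mentions."""
    lists: tuple = ("owasp_top10", "cwe_sans_top25")  # which lists count
    fail_at_or_above: str = "high"     # any listed finding this severe fails
    max_listed_findings: int = 0       # tolerated listed findings of any severity


def benchmark_lists_for(cwe, lists):
    """Names of the benchmark lists (among those the policy cares about) that cover this CWE."""
    return [name for name in lists if cwe in BENCHMARKS[name]]


def evaluate(findings, policy):
    """Return a verdict: passed flag, count of listed findings, and the reasons for failure."""
    threshold = SEVERITY_RANK[policy.fail_at_or_above]
    listed = []
    reasons = []
    for f in findings:
        names = benchmark_lists_for(f.cwe, policy.lists)
        if not names:
            continue            # flaw is real but outside the benchmark lists
        listed.append(f)
        if SEVERITY_RANK[f.severity] >= threshold:
            reasons.append(
                f"CWE-{f.cwe} ({f.severity}) in {f.location} is on {', '.join(names)}")
    if len(listed) > policy.max_listed_findings:
        reasons.append(
            f"{len(listed)} listed findings exceed the allowed {policy.max_listed_findings}")
    return {"passed": not reasons, "listed_findings": len(listed), "reasons": reasons}


# Constructed scan output for a fictitious application (not real data).
SAMPLE_FINDINGS = [
    Finding(79, "high", "login.jsp"),      # cross-site scripting
    Finding(89, "medium", "report.py"),    # SQL injection
    Finding(502, "high", "session.java"),  # deserialisation: not in the subsets above
    Finding(200, "low", "debug.py"),       # information exposure: not in the subsets above
]

if __name__ == "__main__":
    strict = Policy()
    lenient = Policy(fail_at_or_above="critical", max_listed_findings=5)
    for label, policy in (("strict", strict), ("lenient", lenient)):
        verdict = evaluate(SAMPLE_FINDINGS, policy)
        print(label, "PASS" if verdict["passed"] else "FAIL", verdict["reasons"])
```

The same findings fail the strict policy (one high-severity listed flaw, and more listed flaws than the policy tolerates) and pass the lenient one, which is the point the text makes about customers setting their own level: the benchmark lists say what was found, the policy says whether that is acceptable. Note that findings outside the chosen lists never count, so a list-only policy gives no opinion on flaws such as the deserialisation issue in the sample.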
There are some issues specific to commercially
acquired software. It is more likely to be written in C
or C++, which the State of Software Security report
shows to be a more vulnerable language (that said,
far and away, whatever the software category, Java is
now the most popular language scanned by Veracode). However, more importantly, commercially acquired
software is far more likely to have been web-enabled by someone somewhere, so even if one organisation does not
expose the application, someone else may have done. Hackers will also be more familiar with particular
commercially acquired applications. In-house applications tend to be one-off, so hackers will usually be probing
something that is new to them.
All that said, as software development is a core competence, a vendor of commercial packages will tend to have
large numbers of dedicated developers and should be ensuring that these developers are kept up to speed with the
latest threats and best practices. They will also have a large user base feeding back issues to them. Each vendor will
vary, hence the need for a way to compare during the procurement process.
So, the greater vulnerability of commercially acquired software should be offset by the efforts that independent software vendors (ISVs) put into security. This has turned into an arms race; as hackers have hunted down vulnerabilities, ISVs have become better at detecting them in advance. The more prevalent the use of a given application is, the more likely it is to have been targeted. Microsoft has been bedevilled by this problem over the years but, to this end, has improved its software development life cycle hugely with the introduction of its trustworthy computing initiative in 2003.
As was pointed out earlier, increasingly, commercial software packages are not installed on the premises of the user
but invoked as on-demand services over the internet. One would expect that SaaS suppliers, whose applications are
web-enabled by definition, would apply rigorous due diligence when it comes to software security. However, many
buyers still seek assurances and benchmarks against OWASP Top 10 and CWE/SANS Top 25.
There are specific issues with regard to other software categories too. The provenance of open source software code can be uncertain and there will be little control unless the software is acquired from a commercial distributor, who will give guaranteed support levels and will have done a level of security checking in advance. Such distributors then charge for their packages, undermining one of the initial attractions of open source software, its low cost. In effect they are turning open source software into quasi-commercial packages.
Mobile applications are also a growing concern. At one level, the problem is way beyond the scope of normal software code security measures; the biggest threat from mobile apps is what the users may choose to download themselves from app stores (it is estimated there will be 30 billion instances of downloads in 2012 [4], involving countless different apps from multiple sources). This requires a focus on end-point security, which is beyond the scope of this report. However, businesses are becoming increasingly reliant on mobile platforms and applications to support their own business processes and hackers are aware of this and see them as an easy way in. Figure 4 shows that the OWASP Top 10 is widely used as a benchmark for measuring the security of mobile applications, which, like SaaS applications, are exposed to the internet by definition.
In particular, the State of Software Security report shows how the threat is growing on the Google Android operating system, which is both open and popular. Businesses that roll out mobile applications need to apply the same rigour to them as they would to any other type of application.
Reassuring customers and auditors
Businesses do not just need to worry about the security of software for their own benefit. Customers are increasingly likely to seek guarantees about the software applications that underpin their suppliers' business processes. For example, before transacting via a payment processing service, guarantees are needed that the service provider is compliant with the Payment Card Industry's Data Security Standard (PCI DSS).
In the USA, nearly all organisations get at least some
level of enquiry about software security from
customers. Almost 50% say it is a requirement (Figure
7). UK customers are somewhat less demanding but,
as software security becomes an increasingly high
profile issue, this is likely to change.
The State of Software Security report records which
industries are the most rigorous when it comes to
seeking reassurances about commercially acquired
software. The finance and software industries are the
most demanding with aerospace and defence close
behind.
If there are still complacent customers, there are few complacent auditors (Figure 8). Whilst an organisation can make its own decisions about its appetite for risk and how much it is prepared to spend mitigating it, if changes to software are demanded by auditors there is little choice. It is best to make sure software is compliant upfront before the auditors turn up and demand expensive changes and, perhaps, impose hefty fines for the failure to comply in the first place.
That said, proving security and/or compliance is a challenge in its own right. What customers, auditors and, indeed, internal functions require is something close to cast iron guarantees about software security and, to that end, the measures taken to secure applications must be clear, consistent, transparent, shareable and repeatable.
Approaches to software application security
There are a number of approaches that can be taken to address software security from code scanning, through
penetration testing (pen-testing) to web application firewalls (WAF). The various approaches are discussed in this
section. The costs and benefits of each vary and the risk in any one area can be reduced by due diligence in another.
Fixing errors in deployed code is resource intensive. The National Institute of Standards and Technology (NIST) [5] estimates that fixing a flaw in a production application costs 25 times as much as it would if the flaw was prevented by better design during the requirements phase and 6 times as much as if it were found during the coding phase. Much of this cost will be down to the manual effort required to make the modifications by IT staff and roll out patches to all installed instances of that software. Avoiding that effort reduces costs and leaves staff free for more productive activities. If programming staff are well trained, they are less likely to make errors in the first place, so the first action towards producing more secure code any organisation should take is a review of its staff training programme.
Training developers
Having good programmers means fewer coding errors. An element of that is down to recruitment and certain companies find it easier to attract talent for all sorts of reasons: pay, location, glamour, etc. Beyond that, improving the quality of a programmer's day-to-day work is down to training. Quocirca research shows that US organisations spend more on this than UK-based ones; to some extent that will be dependent on the relative cost of training courses. However, in many cases, contractors are used to write code and less is invested in them and, where development is outsourced, the level of training will be down to the 3rd party selected.
What is clear is that training developers seems to have an impact. The State of Software Security report assesses the knowledge of programmers through what it calls an application security fundamentals assessment; a test for programmers. It shows there is a link between high test scores and better software security. Organisations should consider using such an assessment for recruitment of employees and contractors, outsourcer selection and the on-going monitoring of programmer knowledge. However, to err is to be human; training alone will never eliminate enough software flaws so other steps are needed.
Static code analysis
The best way to find programming errors early in the software development life cycle is static analysis of code or binary images.
Static code scanning involves taking the source code, in whatever language it is written, and scanning every line
seeking potential coding flaws. Such analysis is also thorough; it looks at everything, even areas of code that, when
an application is deployed, are rarely invoked. Because it is holistic, static code scanning is not dependent on
viewing an application from the point of view of a certain type of user. In fact, one common criticism of static code
analysis is that it finds too many flaws; part of the skill is to know where to set the thresholds.
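To show what "scanning every line" and "setting the thresholds" mean in practice, here is an added toy static analyser in Python, written for this page and not the product of any scanning vendor or tool mentioned in it. It reads every line of a constructed sample file, applies a handful of pattern rules that each carry a CWE id and a severity, and lets the reviewer raise the reporting threshold to cut the noise the text mentions. The rule set, the sample source and the scan and summary functions are assumptions made for the example; real analysers parse and model the code rather than match regular expressions, so this one both misses flaws and over-reports.

```python
"""Toy static analyser: reads every line of a source file, applies pattern
rules carrying a CWE id and a severity, and reports at a chosen threshold.

Added example for this page, not a real SAST tool: the rules are regular
expressions chosen for illustration and will both miss flaws and over-report,
which is exactly why the threshold exists.
"""
import re
from dataclasses import dataclass
from typing import Optional

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Rule:
    name: str
    cwe: Optional[int]     # None for hygiene findings that map to no CWE
    severity: str
    pattern: re.Pattern


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    cwe: Optional[int]
    severity: str


# Illustrative rules (assumption); the CWE ids are the public ones for each flaw class.
RULES = [
    Rule("sql-string-building", 89, "high",
         re.compile(r"\.execute\(\s*(f['\"]|['\"].*?['\"]\s*\+)")),
    Rule("shell-true", 78, "high", re.compile(r"shell\s*=\s*True")),
    Rule("eval-call", 95, "high", re.compile(r"\beval\(")),
    Rule("hardcoded-secret", 798, "medium",
         re.compile(r"(?i)(password|secret|api_key)\s*=\s*['\"][^'\"]+['\"]")),
    Rule("weak-hash", 327, "medium", re.compile(r"hashlib\.(md5|sha1)\(")),
    Rule("todo-marker", None, "low", re.compile(r"#\s*(TODO|FIXME)")),
]


def scan(source, min_severity="low"):
    """Scan every line, including code that is never executed, keeping findings at or above min_severity."""
    threshold = SEVERITY_RANK[min_severity]
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for rule in RULES:
            if SEVERITY_RANK[rule.severity] >= threshold and rule.pattern.search(line):
                findings.append(Finding(lineno, rule.name, rule.cwe, rule.severity))
    return findings


def summary(findings):
    """Count findings per severity so a reviewer can see where to set the threshold."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample file (not real application code).
SAMPLE_SOURCE = '''\
import hashlib, subprocess
DB_PASSWORD = "hunter2"

def find_user(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")
    return cursor.fetchone()

def digest(data):
    return hashlib.md5(data).hexdigest()

def legacy_export(path):
    # maintenance path that is almost never invoked; a static scan still reads it
    if False:
        subprocess.call("tar czf backup.tgz " + path, shell=True)
    # TODO remove once migrated
'''

if __name__ == "__main__":
    for level in ("low", "medium", "high"):
        found = scan(SAMPLE_SOURCE, level)
        print(f"threshold={level}: {len(found)} findings {summary(found)}")
        for f in found:
            tag = f"CWE-{f.cwe}" if f.cwe else "no CWE"
            print(f"  line {f.line}: {f.rule} ({tag}, {f.severity})")
```

Run as-is, the scan reports five findings at the lowest threshold and only the two high-severity ones (the SQL string building and the shell call) when the threshold is raised to high. The shell call sits inside a branch that never executes, which is the property the text attributes to static analysis: it does not need a route through the running program to reach that line, whereas a dynamic scan would never see it.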
Static analysis can also be carried out on compiled binary code. This is important because it performs security
verification of components to which there is no source available (e.g. third-party libraries). It is also often the most
acceptable way to check commercially acquired software. Cursory binary scans can be carried out without vendor
cooperation. However, creditable vendors should agree to co-operate with in-depth scans when requested as static
binary scanning does not require access to source code and there should be no concerns that IP will be infringed.
Some vendors may offer their own certifications, provided by recognised providers of code scanning services.
Static analysis of any code or binary image can either be carried out using such services or via tools that are acquired and installed on-premise. The advantage of using a service is that it provides instant access to the wisdom of crowds. A particular problem may have been observed in another organisation's code that the service has learnt about and can then check new code for.
Service providers will also have more information about where best to set thresholds; because of the scale of their operations, they are constantly checking all sorts of code against lists of known errors such as OWASP Top 10 and CWE/SANS Top 25. As Quocirca pointed out in its 2010 report, Cloud computing - taking IT to task [6], there is a lot to be said for outsourcing what are essentially utility tasks to external providers with domain expertise. Leaving the task of finding security issues to specialists leaves the developers of code free to focus on fixing issues and should also reduce the overall cost of ensuring software security.
Code testing services are generally paid for on a per-application basis with unlimited scanning rights regardless of the number of programmers. The infrastructure and staffing overheads are incurred by the service provider and therefore shared between many customers. Any analysis of the relative costs of on-premise tools and on-demand services must take this into account. On-premise code analysis tools are typically charged for by the developer seat and, as with any such tools, the additional costs, including the hardware to run them on, on-going maintenance and the cost of employing and training staff, are incurred by each individual customer. Quocirca has looked at the relative benefits of on-premise software versus on-demand services many times in the past; for example in its 2007 report aimed at independent software vendors, On-premise to on-demand [7].
The current research shows that, for commercially acquired software, on-demand static code analysis services have already caught up with on-premise tools as a primary approach for code testing. On-premise static code analysis tools are more likely to be used for in-house code, although the use of on-demand services is catching up fast (Figure 9) and should be considered by organisations for the reasons outlined above.
Dynamic code analysis
Code that has been compiled and deployed can be tested using dynamic analysis in a test or run-time environment. Here, the scanning is of how the binary code executes: set the application running and watch. As with static analysis, dynamic analysis is available either as on-demand services or as tools installed on-premise and the same arguments regarding benefits apply as outlined above for static analysis.
All an on-demand dynamic scanning service requires is to be pointed at a web address that provides access to the
application, making it especially suitable for checking on-demand software services. Dynamic analysis is also good
for checking hybrid applications; it is increasingly common for in-house developed applications to make calls out to
on-demand services via application programming interfaces (APIs).
Dynamic scanning will never be as thorough as static scanning as it can only look at executable routes through an application, as opposed to every line of code. For this reason, it is also necessary to scan an application from the viewpoint of different users.
It can also seek out other run time issues, such as uncontrolled growth in memory usage and subroutine shutdowns,
as well as examining the effect of real time variables such as dates and times. Dynamic analysis finds fewer faults
than static analysis, but it is more likely that the faults found will be demonstrably exploitable.
Dynamic analysis can be run time and time again, regularly checking deployed applications against emerging threats that may not have been known about during development. As outlined with static analysis, typically, on-demand scanning services will be charged on a per-application basis with unlimited scans whilst on-premise tools will be charged per developer seat.
Keeping software up to date
Scanning deployed software is all well and good, but it does not replace the need to keep software up to date. The average organisation spends 6.7 hours per week deploying patches to in-production software purely to remediate security issues. For obvious reasons the figure is higher the more applications a given organisation is tracking (Figure 10).
Some of this effort could be avoided. Code scanning
can identify issues with in-house and outsourced
developed code before deployment. Due diligence in
the purchasing process can mean selecting commercial
software applications from vendors that have fewer
flaws in the first place due to better software
development processes; ensuring that will involve
requesting scans of their code as part of the evaluation
process.
Penetration testing (pen-testing)
Dynamic analysis is one way to check the security of deployed web-enabled applications; another way is pen-testing.
Pen-testing involves engaging a specialist third party that uses human testers who will deliberately probe web-enabled applications to try and gain entry. It is done on an application-by-application basis and, as with dynamic scanning, the areas of code accessed will depend on the user view taken and the functions performed. Most organisations rely on pen-testing to some extent but often as a secondary technique (Figure 11).
Pen-testing is also relatively expensive as it relies on skilled, often scarce, human resources. The more complex an
application is, the more effort it takes, as the aim is to investigate all the routes that various users could go down.
This means that pen-testing cannot be scaled up to cover the hundreds of applications that most businesses are
now tracking. Furthermore, as it is only practical to carry out pen-tests periodically, say once a year, it does not keep
up with the fast-evolving nature of security threats. Pen-testing should be seen as a final targeted test of the most
likely ways into the most mission-critical applications.
For suppliers of commercial software packages, pen-testing has less to offer. One of the benefits of pen-testing is
that it tests deployed software and also probes the deployment environment (operating systems, databases,
network security etc.) This will vary for every customer; suppliers can pen-test against certain recommended
software stacks in advance but, in reality, there will always be deviations from the recommendations that cannot be
anticipated. For this, static code and/or binary image scanning are more suitable.
Web application firewalls
Another approach to securing web-enabled applications, once deployed, is to put in place web application firewalls (WAF). The aim is to detect and block application-specific threats in real time.
A single WAF can protect a number of applications, providing it can scale accordingly. Entry-level costs of deploying WAFs are higher than for standard firewalls and a WAF will only support so much web application traffic before needing to be scaled up, incurring more costs. For this reason, as with pen-testing, it only makes sense to use WAFs for the most mission-critical applications with large numbers of users that justify the expense.
USA organisations are more likely to use WAFs to protect commercially acquired software and over 50% see them as the primary approach to application security. UK organisations are less likely to use them and, when they do, they consider them more of a secondary approach (Figure 12). Respondents to the current research were slightly less likely to use WAFs for in-house developed applications.
WAFs do nothing to improve the security of code; they
protect applications that are exposed to the web
regardless of their security flaws. In that sense,
wherever they are deployed, they constitute an
additional layer of application security. One might
expect that those setting standards for the security of
web-facing applications might mandate multiple levels
of security, but this is not always the case. The PCI DSS V2 sees code scanning and WAFs as alternatives. It states in
section 6.6:
For public-facing web applications, address new threats and vulnerabilities on an on-going basis and ensure these
applications are protected against known attacks by either of the following methods:
- Reviewing public-facing web applications via manual or automated application vulnerability security assessment
tools or methods, at least annually and after any changes
- Installing a web-application firewall in front of public-facing web applications
The PCI, at least, believes code scanning can eliminate enough software flaws to deem WAFs unnecessary. Certain
respondents to the current survey were not so sure. 43% saw both code scanning and WAFs as main approaches
to security for at least some, albeit not always the same, of their applications.
The reticence to rely on WAFs alone is understandable; applications and the environment in which they run change
over time. The rules coded into security devices, such as WAFs, get out of date and a once-mitigated vulnerability
may suddenly be exposed. Fixing flaws in the first place is ultimately the most effective solution.
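As an added illustration, not part of the Quocirca report, the following Python shows the contrast the preceding paragraph draws: a query built from user input that a legitimate name with an apostrophe breaks, the parameterised fix, and a hypothetical path-scoped WAF rule that stops covering the handler once the application is restructured. The rule format, paths and sample rows are all constructed for this example.

```python
import re
import sqlite3

# Constructed in-memory database with a few sample rows (example data, not from the report).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?)",
                     [("Alice",), ("O'Brien",), ("Bob",)])
    return conn

# Flawed code: user input is spliced into the SQL text, so a quote changes the statement's syntax.
def search_unsafe(conn, name):
    return conn.execute(
        f"SELECT name FROM customers WHERE name = '{name}'").fetchall()

# Fixed code: a bound parameter keeps the input as data whatever it contains.
def search_safe(conn, name):
    return conn.execute(
        "SELECT name FROM customers WHERE name = ?", (name,)).fetchall()

# Hypothetical WAF rule set (constructed format): each rule inspects one application path
# and blocks requests whose query string matches a pattern.
WAF_RULES = [
    {"path": "/search", "block": re.compile(r"['\";]")},
]

def waf_covers(path):
    # True if at least one rule inspects requests to this path at all.
    return any(rule["path"] == path for rule in WAF_RULES)

def waf_blocks(path, query):
    # True if a rule for this path matches the query string.
    return any(rule["path"] == path and rule["block"].search(query) is not None
               for rule in WAF_RULES)

def demo():
    conn = make_db()
    # A legitimate name containing an apostrophe surfaces the flaw as an error.
    try:
        search_unsafe(conn, "O'Brien")
        unsafe_ok = True
    except sqlite3.OperationalError:
        unsafe_ok = False
    # Later the same handler is served from a new path: the rule written against the old
    # path no longer sees it, while the parameterised query stays safe wherever it is mounted.
    return {
        "unsafe_handles_apostrophe": unsafe_ok,
        "safe_rows": search_safe(conn, "O'Brien"),
        "rule_covers_old_path": waf_covers("/search"),
        "rule_covers_new_path": waf_covers("/api/v2/search"),
    }
```

Note that the blunt quote-blocking rule also rejects the legitimate request carrying "O'Brien", so the rule both over-blocks on the old path and under-covers on the new one.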
Maximising software security through multiple approaches
There is no such thing as a 100% secure application and using multiple approaches makes sense to ensure as many
security vulnerabilities as possible are eliminated but, for most, using all approaches to the full is too expensive.
Historically, depending on the type of software, different approaches have been adopted as primary approaches
(Figure 13) and when it comes to code testing this has seen many organisations deploy in-house tools. However, the
growing complexity of software itself and, in particular, the threat landscape, has seen increasing use of on-demand
testing services because of the benefits outlined earlier in this report. For commercially acquired software, such
services are already as widely-used a primary approach as on-premise tools for static code analysis.
As has been pointed out in this report, the use of on-demand services should not only be more cost effective, but
they should be far more comprehensive in identifying flaws and preventing vulnerabilities because of the scale of
the operations of the providers of such services. Quocirca recommends that those organisations that are already
using code-scanning services for commercial code should consider extending their use to in-house code. Those that
are not using services at all should evaluate them.
In summary:
1. Training developers is money well spent; it avoids down-the-line costs of fixing software flaws.
2. Maximise the use of scanning services early in the life cycle to further minimise the costs of securing
applications and fixing problems later on.
3. Services should be considered for both commercially acquired code and in-house developed software. In both
cases they should be more effective and comprehensive than on-premise tools.
4. Reserve relatively expensive pen-testing for targeted testing of the most mission-critical and widely used
applications, especially those that are web-enabled; it will not be affordable for all of them.
5. WAFs should be considered as a secondary way of protecting applications. They do nothing to eliminate flaws
but will be deemed necessary for some as the final line of defence for the most sensitive of applications.
6. Some costs, like software patching and updating, are on-going and unavoidable but can be reduced by due
diligence early in the software development, procurement and deployment process.
For today's businesses the use of software is not a choice; however, the security of the software in use is. Address
these issues at all stages of the software development, procurement and deployment life cycle and save long-term
costs whilst improving the efficiency, reliability, security, compliance and competitiveness of business processes.
Demographics
The following graphs show how the 100 organisations interviewed for the current research were distributed by
country, size and business sector.
About Veracode
Veracode is the only independent provider of cloud-based application intelligence and security verification services.
The Veracode platform provides the fastest, most comprehensive solution to improve the security of internally
developed, purchased or outsourced software applications and third-party components. By combining patented
static, dynamic and manual testing, extensive eLearning capabilities, and advanced application analytics, Veracode
enables scalable, policy-driven application risk management programs that help identify and eradicate numerous
vulnerabilities by leveraging best-in-class technologies from vulnerability scanning to penetration testing and static
code analysis.
Veracode delivers unbiased proof of application security to stakeholders across the software supply chain while
supporting independent audit and compliance requirements for all applications no matter how they are deployed,
via the web, mobile or in the cloud. Veracode works with global organizations across multiple vertical industries
including Barclays PLC, California Public Employees Retirement System (CalPERS), Computershare and the Federal
Aviation Administration (FAA). For more information, visit www.veracode.com, follow on Twitter: @Veracode or
read the Veracode Blog.
US & International:
Veracode Inc
4 Van Der Graaf Drive
Burlington, MA
01803
USA
+1 781 4256040

Europe:
Veracode Ltd
288 Bishopsgate
London
EC2M 4QP
United Kingdom
+44 (0)20 3427 6025
About Quocirca
Quocirca is a primary research and analysis company specialising in the
business impact of information technology and communications (ITC).
With world-wide, native language reach, Quocirca provides in-depth
insights into the views of buyers and influencers in large, mid-sized and
small organisations. Its analyst team is made up of real-world
practitioners with first-hand experience of ITC delivery who continuously
research and track the industry and its real usage in the markets.
Through researching perceptions, Quocirca uncovers the real hurdles to
technology adoption: the personal and political aspects of an
organisation's environment and the pressures of the need for
demonstrable business value in any implementation. This capability to
uncover and report back on the end-user perceptions in the market
enables Quocirca to provide advice on the realities of technology
adoption, not the promises.
Quocirca research is always pragmatic, business orientated and
conducted in the context of the bigger picture. ITC has the ability to
transform businesses and the processes that drive them, but often fails to
do so. Quocirca's mission is to help organisations improve their success
rate in process enablement through better levels of understanding and
the adoption of the correct technologies at the correct time.
Quocirca has a pro-active primary research programme, regularly
surveying users, purchasers and resellers of ITC products and services on
emerging, evolving and maturing technologies. Over time, Quocirca has
built a picture of long term investment trends, providing invaluable
information for the whole of the ITC community.
Quocirca works with global and local providers of ITC products and
services to help them deliver on the promise that ITC holds for business.
Quocirca's clients include Oracle, Microsoft, IBM, O2, T-Mobile, HP,
Xerox, EMC, Symantec and Cisco, along with other large and medium-
sized vendors, service providers and more specialist firms.
Details of Quocirca's work and the services it offers can be found at
http://www.quocirca.com
REPORT NOTE: This report has been written independently by Quocirca Ltd
to provide an overview of the issues facing organisations seeking to maximise the effectiveness of today's dynamic workforce.
The report draws on Quocirca's extensive knowledge of the technology and business arenas, and provides advice on the approach that organisations should take to create a more effective and efficient environment for future growth.