SAN FRANCISCO – RSA Conference 2010 – booth #729 – March 1, 2010 – In the largest and most comprehensive code-level security analysis to date, Veracode, the leader in cloud-based application risk management, today released a new report detailing vulnerabilities found in software that large organizations rely on for business-critical processes. The Veracode “State of Software Security” report finds that more than half of the nearly 1,600 Internally Developed, Open Source, Outsourced, and Commercial applications analyzed contained, when first submitted to Veracode, vulnerabilities similar to those exploited in the recent cyber attacks on Google, the U.S. Department of Defense, and others.
Veracode’s State of Software Security is the first report of its kind to provide security intelligence derived from multiple testing methodologies (static, dynamic and manual) across the full spectrum of application types (components, shared libraries, web and non-web applications) and programming languages (including Java, C/C++ and .NET), drawn from every part of the software supply chain on which organizations depend. It represents intelligence gleaned from analyzing billions of lines of code, submitted to Veracode from more than 15 industries for independent verification of software security. To access the full report, visit http://www.veracode.com/reports/index.html
“This is invaluable information for CISOs,” said Donna Durkin, CISO of Computershare. “Understanding vulnerabilities across internal and third-party players by language and application type will help us make informed decisions about mitigating risks in our global application portfolio.”
Highlights of the first State of Software Security report include the following key findings:
“Gartner advises its clients to conduct their own inspection of all application code they procure from third-parties. However, if they lack their own resources or expertise, we recommend that they outsource third-party code testing to trusted service providers,” said Joseph Feiman, Vice President and Gartner Fellow, Gartner, Inc.
“Because of the depth and breadth of the data in our platform, we have expansive knowledge about risk from all types of applications and across the software supply chain,” said Matt Moynahan, CEO of Veracode. “The report not only analyzes the state of security more comprehensively than any others in this market, but it offers specific recommendations for each type of potential threat. It’s essential reading for security professionals and executives accountable for the software supply chain and its impact on the business.”
Report Methodology
The report is the first in a semi-annual series. It analyzes data provided by Veracode’s customers (application portfolio information such as assurance level, industry, and application origin) together with information calculated or derived in the course of Veracode’s analysis (application size, application compiler and platform, types of flaws, origin of components, and Veracode rating). It draws on the continuously updated information resident in Veracode’s cloud-based application risk management services platform. The data set is growing at an accelerating pace as more software providers independently verify the state of their software using one or more of Veracode’s assessment methods: patented binary static analysis, enhanced dynamic assessment, and manual penetration testing.
For more information, visit http://www.veracode.com/reports/index.html
About Veracode
Veracode provides the world’s leading Application Risk Management Services Platform. Veracode SecurityReview’s patented and proven cloud-based capabilities allow customers to govern and mitigate software security risk across a single application or an enterprise portfolio with unmatched simplicity. Customers include the world’s largest and most security-aware organizations in every industry. Recognized as a Gartner “Cool Vendor” and a recipient of The Wall Street Journal’s “Technology Innovation Award,” The Banker’s “Information Security Project of the Year” (with Barclays), SC Magazine’s “Best Vulnerability Assessment Solution,” Information Security’s “Readers’ Choice Award,” and AlwaysOn Northeast’s “Top 100 Private Company,” Veracode is Software Security Simplified™. For more information, visit http://www.veracode.com/.
Linsey Krauss
Lois Paul & Partners
512-638-5316
Linsey_Krauss@lpp.com