Burlington, Mass. – January 14, 2010 – The cyber attacks against Google and others currently being reported were a direct result of the exploitation of a zero-day vulnerability in a highly valued software application broadly adopted by consumers and enterprises alike.
The attack is indicative of the changing risk posed by the integrity of software used to access or perform anything important – be it financial transactions, critical infrastructure or healthcare. Threats that exploit end-user software vulnerabilities for which no patch is available, such as those surfacing today, cannot be prevented by perimeter security defenses and virus-checking technologies. Trusted applications, and widely re-used application components, are being infiltrated to launch these attacks from inside networks and PCs that are otherwise considered “secure.” These insidious threats can come from anywhere and anyone, and they take advantage of a global supply chain and inconsistent patch and upgrade cycles across consumers as well as enterprises.
“The only way to stop zero-day attacks is to not run vulnerable software in the first place,” said Matt Moynahan, Veracode CEO. “Organizations must begin implementing a security policy of not running software that lacks appropriate inspection for vulnerabilities by a third party. In a world of exploding devices, content and globally distributed content creators such as developers for mobile applications, it is no longer good enough to hope that their software suppliers have security built in. The time is now for independent verification and validation that appropriate due care has been taken.”
Veracode believes that complacency is criminal in this matter and urges both an awakening and action. Organizations that supply and buy software must recognize that software is widely used and re-used, that the origin of every component is often unknown or unknowable, and that its integrity cannot be presumed.
“Veracode is first and foremost a software security company,” said Chris Wysopal, Chief Technology and Quality Officer at Veracode. “These successful attacks on some of the most sophisticated IT companies in the world demonstrate that the days when an organization could be secure by patching quickly and using signature-based detection on its desktops are over. Latent software risk needs to be quantified before software is deployed and the risk de facto accepted. A third-party software security assessment is the best way for organizations to protect themselves from unbounded and unknown software risk.”
Veracode provides the world’s leading Application Risk Management Services Platform. Veracode SecurityReview’s patented and proven cloud-based capabilities allow customers to govern and mitigate software security risk across a single application or an enterprise portfolio with unmatched simplicity. Customers include the world’s largest and most security-aware organizations in every industry. Recognized as a Gartner “Cool Vendor,” The Wall Street Journal’s “Technology Innovation Award,” The Banker’s “Information Security Project of the Year” with Barclays, SC Magazine’s “Best Vulnerability Assessment Solution,” Information Security “Readers’ Choice Award,” and AlwaysOn Northeast’s “Top 100 Private Company,” Veracode is Software Security Simplified™. For more information, visit www.veracode.com.
Linsey Krauss
Lois Paul & Partners
512-638-5316
Linsey_Krauss@lpp.com