Burlington, Mass. – June 1, 2010 – A U.K. court recently found a technology vendor liable for business failures caused by flawed hotel management software. Could this latest ruling signal gaining momentum for holding independent software vendors (ISVs) accountable for application quality and reliability? In response, cloud-based application risk management company Veracode, Inc. says ISVs must dramatically change their approach to assessing and proving software quality, or risk serious business consequences.
“This ruling sets an important precedent, demonstrating that ISVs are no longer protected by standard agreements that limit damages to the cost of the software itself. The damages caused by poorly developed applications and lax standards for third-party software are now being quantified in terms of negative business impact – potentially ambiguous but expensive territory,” said Veracode CEO Matt Moynahan.
To help reduce the chances of business loss and expensive liability claims, Veracode suggests ISVs invest in security testing solutions that can quickly, accurately and cost-effectively identify potential software vulnerabilities before deploying the software at a customer site. At the same time, enterprises should be empowered to request that ISVs produce documentation, or third-party proof, that their software has been evaluated, potential risks remediated, and that the application is secure and reliable, with limited risk of exploitation.
“Rising concerns about liability and organizational responsibility for software quality have been increasingly prevalent in discussions we are having with ISVs, many of whom are understandably shaken by this U.K. ruling that could easily carry over to other geographies,” continued Moynahan. “Accountability is quickly becoming a new watchword invoked by enterprises that are compelled to take more aggressive steps to protect themselves from ISVs that misrepresent their software or don’t take necessary steps to ensure its quality.”
To assist both suppliers and buyers of software, Veracode provides software vendors with a simple, affordable and accurate way to comply with industry security standards such as OWASP Top 10 and CWE/SANS Top 25. Based on breakthrough static binary analysis and dynamic web testing that enable the most complete, automated security testing available, Veracode’s cloud-based service independently verifies the security posture of most applications within 24 hours without requiring any additional hardware, software or personnel. Once an application has been assessed, it can qualify for the VerAfied Security Mark and be included in the VerAfied Software Directory, visible indicators for ISV customers and auditors of application security due diligence and compliance.
For additional perspectives from Veracode on software vendor liability limits, read the most recent blog post from Veracode CEO Matt Moynahan, http://www.veracode.com/ceo-blog.
Veracode is the world’s leader in cloud-based application risk management. With patented binary code analysis, dynamic Web assessments and developer e-learning, Veracode SecurityReview® is the most accurate and cost-effective way to independently verify application security in both internally developed applications and third-party software without requiring source code or expensive tools. Veracode provides the most simple, complete way to implement security best practices, reduce operational cost and comply with internal security policies or external standards such as OWASP Top 10, CWE/SANS Top 25 and PCI. Veracode works with global organizations across multiple vertical industries including Barclays PLC, California Public Employees’ Retirement System (CalPERS), Computershare and the Federal Aviation Administration (FAA). For more information, visit www.veracode.com, follow on Twitter @Veracode or read the ZeroDay Labs blog.
Copyright © 2010 Veracode, Inc. All Rights Reserved. All other brand names, product names, or trademarks belong to their respective holders.
Liz Campbell
fama PR
phone: +1 617-758-4178
email: veracode@famapr.com