Outsourcing the problem of software security

Upload: quocirca

Post on 05-Apr-2018


7/31/2019 Outsourcing the problem of software security 1/14

Copyright Quocirca 2012

Bob Tarzey
Quocirca Ltd
Tel: +44 7900 275517
Email: [email protected]

Clive Longbottom
Quocirca Ltd
Tel: +44 771 1719 505
Email: [email protected]

Outsourcing the problem of software security

The benefits of using on-demand services to ensure security throughout the application life cycle

February 2012

Software applications are an integral part of 21st century business processes. The majority of software is still installed in-house, either as specially developed bespoke applications or commercially acquired packages. However, the proportion of software procured as a service is on the rise, as is the use of mobile apps and open source components. In addition, more and more in-house applications are being web-enabled and exposed to the outside world.

Regardless of its origin, the vast majority of software will contain flaws which can constitute a security risk, especially for those applications that are web-enabled. The cost of fixing a flaw increases the later it is found in the development, acquisition and deployment life cycle. There are a number of measures that can be taken to mitigate the problem and reduce the overall cost of managing software whilst ensuring better security. Increasingly, businesses are recognising the benefits of outsourcing at least some of the effort through the use of on-demand software testing services.

This report looks at how businesses are deploying software and what measures are in place for checking the security of applications. The report draws on new research conducted amongst US and UK enterprises from a range of industries and assesses the scale of the software security problem, the ways in which it can be mitigated, the extent to which this is being achieved, the costs involved and how these can be minimised.


The need to ensure the security of software has become paramount with the rapid increase in the number of applications used in any given organisation and the fact that more and more are being web-enabled. The measures taken to ensure software security need to be scalable, affordable and pervasive. To this end, the research presented in this report shows that the use of on-demand testing services has become widespread.

Software security has never been more critical to businesses

IT, and the software that drives it, underpin most 21st century business processes. Maintaining software is essential to ensure those business processes remain functional and that the data they rely on is not compromised. There has always been a need to make checks on the quality and security of internally installed software. However, as the use of software as a service and mobile apps has increased and more and more in-house applications are web-enabled and exposed to the internet, the need to scrutinise software for security flaws has intensified.

Hundreds of applications are tracked by the average business

Financial services organisations typically track around 800 mission-critical applications; those in other industries track around 400. These are the applications that are explicitly inventoried in an asset tracking system or recognised as a security risk; there will be many others. Over 80% of organisations still develop software in house, but the number deploying commercially acquired packages is not far behind and these applications constitute a higher proportion of the overall software portfolio of the average business.

Software security can, and should be, measured against established benchmarks

The flaws that commonly occur in different types of software are measured and reported by industry bodies. Their listings provide benchmarks, against which software suppliers, their customers and auditors can assess how the security of a given application measures up against others. By definition, such lists cannot be comprehensive because new ways of exploiting flaws will always be found. Pervasive measures are needed to ensure overall software security as well as using recognised industry standards to show that acceptable base levels are in place.

Testing throughout the application lifecycle reduces the long term management costs

Checking in-house developed code at all stages of development, testing and deployment minimises the number of flaws. Commercially acquired binary code can also be scanned prior to deployment and at run-time. On-demand code testing services have the benefit of scale; their providers scan software from hundreds of customers a day and are cognisant of all the common flaws as well as rarely seen ones. The new research presented in this report shows that, for commercially acquired software, the use of code testing services is now about as common as the use of on-premise tools. The number using services for in-house code is increasing too.

Pen-testing and web application firewalls should be used selectively

Using third parties to penetration test (pen-test) applications is relatively expensive and code scanning services achieve many of the same objectives. For this reason, many organisations see pen-testing as a secondary approach targeted at the most mission-critical applications. Web application firewalls (WAF) do nothing to address primary software security flaws. Again, their use can be targeted at the most vulnerable applications where a multi-layered approach to security is deemed necessary.

The overall aim is to ensure better long-term software and security at a controlled cost

In many cases software security is not a choice. In the USA, approaching 50% of organisations say that their customers make it mandatory that certain levels of practice are demonstrated, when it comes to software security, as part of the procurement of any product or service. In the UK the figure is about 20%. However, where customers are not demanding guarantees, regulators often do and failure to comply can incur fines. Ensuring good practice at all stages of the application development, procurement and deployment life cycle means more secure software in the long term.

Conclusions

For today's businesses the use of software is not a choice; however, the methods chosen to improve software security and, in turn, the costs involved and the benefits achieved are. Using the right mix of approaches at all stages of the software development, procurement and deployment life cycle will improve the efficiency, reliability, security, compliance and competitiveness of business processes.


Introduction: the need for better software deployment practices

"It's scary to think that the infrastructure of the industrialised world is increasingly based on software like this" [1], commented an analyst in 1992 on a computer aided design package. Since then, nearly all businesses have gone online and applications that were once only used internally may be shared far and wide over the internet. Software is the lifeblood of IT systems and, as it underpins the operations of most businesses, it is critical to almost every contemporary business process. Has the quality of software improved since 1992?

The truth is that it has, because it has had to. In 1992, software security was less of an issue because the threat surface for any given application was far smaller. The widespread adoption of the internet has changed all that. Software security has become perhaps the most high profile issue and the need to address it at every stage of the application development, procurement and deployment life cycles is paramount.

As the number of applications used in any given organisation has increased and more and more of them have been exposed to the internet, software developers and the businesses they serve have had to address software quality issues to improve security. One of the ways to achieve this is to move away from an in-house DIY approach and to make use of knowledge and resources pooled across multiple businesses through working with specialist outsourcers who provide on-demand software testing services.

This report looks at the way both in-house developed and commercially acquired software is deployed and how well businesses are putting in place the measures for checking the security of the applications that their business processes depend on. The report draws on new Quocirca research conducted amongst US and UK enterprises from a range of industries and assesses the scale of the software security problem, the ways in which it can be mitigated, the extent to which this is being achieved, the benefits of various approaches, the costs involved and how these can be minimised.

Software everywhere

Figure 1 shows the average number of critical applications actually tracked by businesses for the industries covered in this report. There will be many others that are not tracked. Software comes from many sources. The majority of enterprises still develop bespoke software either internally or through working with outsourcers (Figure 2). They also make widespread use of commercially acquired software packages; in fact overall, these constitute the largest proportion of enterprise software in use (Figure 3), if in-house developed and outsourced bespoke software are considered separate categories. There is also increasingly widespread use of open source software and software for mobile devices as well as on-demand applications (software-as-a-service/SaaS).

By definition, on-demand applications are exposed to the internet and therefore invite probing by unauthorised users. However, businesses have increasingly been web-enabling their in-house developed and commercially acquired applications for use by remote employees, partners and customers. The extent to which this web-enablement was underway was examined in a 2007 Quocirca report, Web-enabled applications and the internet [2].

The distinction between non-web and web-enabled applications is important from a risk perspective. The former are afforded protection by other IT security measures such as network firewalls and intrusion prevention systems, whilst the latter are deliberately exposed to the outside world and remote users are invited in.

This is significant; the risks that flaws introduce are more likely to be exploited by hackers and malware writers for web-enabled applications than internal ones. Their greater threat surface leaves them more vulnerable to common exploits such as cross site scripting, CRLF (carriage return/line feed) injection, information leakage, SQL injection and other common vulnerabilities.

Measuring software security

How common such vulnerabilities are is well understood as there are bodies out there that measure this. For web-enabled applications there is the Open Web Application Security Project (OWASP). It publishes a list of the most common flaws and one way to measure the security of software code is by looking for how often the top 10 flaws (OWASP Top 10) occur in a given application. In the USA around 50% of respondents in the current research said their organisation did this, although fewer did so in the UK (Figure 4).

A broader list, the CWE/SANS Top 25 most dangerous software errors (CWE = Common Weakness Enumeration), covers the errors found in all software applications, including those not intended for exposure to the web. It is published by a collaboration between the SANS Institute, MITRE, and many top software security experts in the US and Europe. The list is used by a similar number of respondents as the OWASP Top 10 (Figure 5). Some organisations use both lists, whilst others rely on just one depending on the type of software involved. 32% of respondents to the current survey used neither for any type of application.

Measuring software against these lists provides a way of measuring and comparing software security. There are, of course, many more flaws that can occur and some will be far more serious from a security perspective than the common ones. Organisations like OWASP and CWE/SANS cannot be aware of every flaw that will ever occur and security measures must be ready to identify and/or defend against anything, including a previously unseen way of exploiting a flaw.

Veracode, a vendor that provides cloud-based application security testing services (and is the sponsor of this Quocirca report), publishes a report showing the degree to which the software it scans measures up against the OWASP Top 10 and CWE/SANS Top 25. The latest version of the report, State of Software Security V4 [3], shows that the majority of applications submitted to Veracode's service have flaws that are in one or other of these lists and fail on their first scan (customers set their own level against which they consider an application to have failed using a policy manager).

As Figures 4 and 5 show, these lists are not just used to measure the security of internally developed software but also commercially acquired software packages and mobile apps. Although the majority of organisations expect a level of verification of security for commercially acquired software packages from their suppliers (Figure 6), many also seek independent checks against the lists of common flaws. 35% did not seek supplier verification at all, always seeking independent scrutiny instead; 26% sought both.

There are some issues specific to commercially acquired software. It is more likely to be written in C or C++, which the State of Software Security report shows to be a more vulnerable language (that said, far and away, whatever the software category, Java is now the most popular language scanned by Veracode). However, more importantly, commercially acquired software is far more likely to have been web-enabled by someone somewhere, so even if one organisation does not expose the application, someone else may have done. Hackers will also be more familiar with particular commercially acquired applications. In-house applications tend to be one-off, so hackers will usually be probing something that is new to them.

All that said, as software development is a core competence, a vendor of commercial packages will tend to have large numbers of dedicated developers and should be ensuring that these developers are kept up to speed with the latest threats and best practices. They will also have a large user base feeding back issues to them. Each vendor will vary, hence the need for a way to compare during the procurement process.

So, the greater vulnerability of commercially acquired software should be offset by the efforts that independent software vendors (ISVs) put into security. This has turned into an arms race; as hackers have hunted down vulnerabilities, ISVs have become better at detecting them in advance. The more prevalent the use of a given application is, the more likely it is to have been targeted. Microsoft has been bedevilled by this problem over the years but, to this end, has improved its software development life cycle hugely with the introduction of its trustworthy computing initiative in 2003.

As was pointed out earlier, increasingly, commercial software packages are not installed on the premises of the user but invoked as on-demand services over the internet. One would expect that SaaS suppliers, whose applications are web-enabled by definition, would apply rigorous due diligence when it comes to software security. However, many buyers still seek assurances and benchmarks against OWASP Top 10 and CWE/SANS Top 25.

There are specific issues with regard to other software categories too. The provenance of open source software code can be uncertain and there will be little control unless the software is acquired from a commercial distributor, who will give guaranteed support levels and will have done a level of security checking in advance. Such distributors then charge for their packages, undermining one of the initial attractions of open source software, its low cost. In effect they are turning open source software into quasi-commercial packages.

Mobile applications are also a growing concern. At one level, the problem is way beyond the scope of normal software code security measures; the biggest threat from mobile apps is what the users may choose to download themselves from app stores (it is estimated there will be 30 billion instances of downloads in 2012 [4], involving countless different apps from multiple sources). This requires a focus on end-point security, which is beyond the scope of this report. However, businesses are becoming increasingly reliant on mobile platforms and applications to support their own business processes and hackers are aware of this and see them as an easy way in. Figure 4 shows that the OWASP Top 10 is widely used as a benchmark for measuring the security of mobile applications, which, like SaaS applications, are exposed to the internet by definition.

In particular, the State of Software Security report shows how the threat is growing on the Google Android operating system, which is both open and popular. Businesses that roll out mobile applications need to apply the same rigour to them as they would to any other type of application.

Reassuring customers and auditors

Businesses do not just need to worry about the security of software for their own benefit. Customers are increasingly likely to seek guarantees about the software applications that underpin their suppliers' business processes. For example, before transacting via a payment processing service, guarantees are needed that the service provider is compliant with the Payment Card Industry's Data Security Standard (PCI DSS).

In the USA, nearly all organisations get at least some level of enquiry about software security from customers. Almost 50% say it is a requirement (Figure 7). UK customers are somewhat less demanding but, as software security becomes an increasingly high profile issue, this is likely to change.

The State of Software Security report records which industries are the most rigorous when it comes to seeking reassurances about commercially acquired software. The finance and software industries are the most demanding with aerospace and defence close behind.

If there are still complacent customers, there are few complacent auditors (Figure 8). Whilst an organisation can make its own decisions about its appetite for risk and how much it is prepared to spend mitigating it, if changes to software are demanded by auditors there is little choice. It is best to make sure software is compliant upfront before the auditors turn up and demand expensive changes and, perhaps, impose hefty fines for the failure to comply in the first place.

That said, proving security and/or compliance is a challenge in its own right. What customers, auditors and, indeed, internal functions require is something close to cast iron guarantees about software security and, to that end, the measures taken to secure applications must be clear, consistent, transparent, shareable and repeatable.

Approaches to software application security

There are a number of approaches that can be taken to address software security, from code scanning, through penetration testing (pen-testing) to web application firewalls (WAF). The various approaches are discussed in this section. The costs and benefits of each vary and the risk in any one area can be reduced by due diligence in another.

Fixing errors in deployed code is resource intensive. The National Institute of Standards and Technology (NIST) [5] estimates that fixing a flaw in a production application costs 25 times as much as it would if the flaw was prevented by better design during the requirements phase and 6 times as much as if it were found during the coding phase. Much of this cost will be down to the manual effort required to make the modifications by IT staff and roll out patches to all installed instances of that software. Avoiding that effort reduces costs and leaves staff free for more productive activities. If programming staff are well trained, they are less likely to make errors in the first place, so the first action towards producing more secure code any organisation should take is a review of its staff training programme.

Training developers

Having good programmers means fewer coding errors. An element of that is down to recruitment and certain companies find it easier to attract talent for all sorts of reasons; pay, location, glamour, etc. Beyond that, improving the quality of a programmer's day-to-day work is down to training. Quocirca research shows that US organisations spend more on this than UK-based ones; to some extent that will be dependent on the relative cost of training courses. However, in many cases, contractors are used to write code and less is invested in them and, where development is outsourced, the level of training will be down to the 3rd party selected.

What is clear is that training developers seems to have an impact. The State of Software Security report assesses the knowledge of programmers through what it calls an application security fundamentals assessment; a test for programmers. It shows there is a link between high test scores and better software security. Organisations should consider using such an assessment for recruitment of employees and contractors, outsourcer selection and the on-going monitoring of programmer knowledge. However, to err is to be human; training alone will never eliminate enough software flaws so other steps are needed.

Static code analysis

The best way to find programming errors early in the software development life cycle is static analysis of code or binary images.

Static code scanning involves taking the source code, in whatever language it is written, and scanning every line seeking potential coding flaws. Such analysis is also thorough; it looks at everything, even areas of code that, when an application is deployed, are rarely invoked. Because it is holistic, static code scanning is not dependent on viewing an application from the point of view of a certain type of user. In fact, one common criticism of static code analysis is that it finds too many flaws; part of the skill is to know where to set the thresholds.

Static analysis can also be carried out on compiled binary code. This is important because it performs security verification of components to which there is no source available (e.g. third-party libraries). It is also often the most acceptable way to check commercially acquired software. Cursory binary scans can be carried out without vendor cooperation. However, credible vendors should agree to co-operate with in-depth scans when requested, as static binary scanning does not require access to source code and there should be no concerns that IP will be infringed. Some vendors may offer their own certifications, provided by recognised providers of code scanning services.

Static analysis of any code or binary image can either be carried out using such services or via tools that are acquired and installed on-premise. The advantage of using a service is that it provides instant access to the wisdom of crowds. A particular problem may have been observed in another organisation's code that the service has learnt about and can then check new code for.

Service providers will also have more information about where to best set thresholds; because of the scale of their operations, they are constantly checking all sorts of code against lists of known errors such as OWASP Top 10 and CWE/SANS Top 25. As Quocirca pointed out in its 2010 report, Cloud computing: taking IT to task [6], there is a lot to be said for outsourcing what are essentially utility tasks to external providers with domain expertise. Leaving the task of finding security issues to specialists leaves the developers of code free to focus on fixing issues and should also reduce the overall cost of ensuring software security.

Code testing services are generally paid for on a per-application basis with unlimited scanning rights regardless of the number of programmers. The infrastructure and staffing overheads are incurred by the service provider and therefore shared between many customers. Any analysis of the relative costs of on-premise tools and on-demand services must take this into account. On-premise code analysis tools are typically charged for by the developer seat and, as with any such tools, the additional costs, including the hardware to run them on, on-going maintenance and the cost of employing and training staff, are incurred by each individual customer. Quocirca has looked at the relative benefits of on-premise software versus on-demand services many times in the past; for example in its 2007 report aimed at independent software vendors, On-premise to on-demand [7].

The current research shows that, for commercially acquired software, on-demand static code analysis services have already caught up with on-premise tools as a primary approach for code testing. On-premise static code analysis tools are more likely to be used for in-house code, although the use of on-demand services is catching up fast (Figure 9) and should be considered by organisations for the reasons outlined above.
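As an added illustration of the line-by-line scan and the threshold setting described in this section (example code written for this page, not the report's own or Veracode's), the following Python applies three CWE-mapped rules to a constructed source sample and then judges the findings against a customer-set policy, first on the flawed code and again after remediation. The rules, the severities attached to them and both source samples are assumptions made for the example.

```python
"""Line-by-line static scan with a customer-set pass/fail policy."""
import re
from dataclasses import dataclass

# Constructed source sample with deliberate flaws so that the scan has
# something to find. Assumption for this example only: a small Python web
# handler, not code from the report, from Veracode or from any real product.
VULNERABLE_SOURCE = """\
def find_user(db, name):
    cur = db.cursor()
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
    return cur.fetchone()

def redirect(response, target):
    response.headers["Location"] = target
    return response

def show_profile(user):
    return "<h1>" + user["display_name"] + "</h1>"
"""

# The same handlers after remediation: parameterised query, CR/LF stripped
# from the header value, HTML output encoded. Also constructed.
FIXED_SOURCE = """\
import html

def find_user(db, name):
    cur = db.cursor()
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))
    return cur.fetchone()

def redirect(response, target):
    response.headers["Location"] = target.replace("\\r", "").replace("\\n", "")
    return response

def show_profile(user):
    return "<h1>%s</h1>" % html.escape(user["display_name"])
"""


@dataclass(frozen=True)
class Rule:
    cwe: str        # CWE identifier the pattern is mapped to
    severity: str   # severity assigned for this example (an assumption)
    title: str
    pattern: re.Pattern


# Three heuristic rules covering flaws the report names: SQL injection,
# cross site scripting and CRLF injection into HTTP headers.
RULES = [
    Rule("CWE-89", "critical", "SQL built by concatenation or formatting",
         re.compile(r'\.execute\(\s*(?:f["\']|.*(?:\+|%|\.format\())')),
    Rule("CWE-79", "high", "HTML literal concatenated with data",
         re.compile(r'return\s+["\'][^"\']*<[^"\']*["\']\s*\+')),
    Rule("CWE-113", "medium", "HTTP header set from an unvalidated variable",
         re.compile(r'headers\[[^\]]+\]\s*=\s*[A-Za-z_]\w*\s*$')),
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    line_no: int
    cwe: str
    severity: str
    title: str
    text: str


def scan(source):
    """Walk every line of the source and apply each rule (the static-scan
    step). Every line is examined, whether or not it is ever executed."""
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        for rule in RULES:
            if rule.pattern.search(line):
                findings.append(Finding(no, rule.cwe, rule.severity, rule.title, line.strip()))
    return findings


@dataclass(frozen=True)
class Policy:
    """The threshold a customer sets: fail if more than max_allowed findings
    sit at or above the fail_at severity."""
    fail_at: str
    max_allowed: int = 0


def evaluate(findings, policy):
    """Return (passed, number of findings counted against the policy)."""
    threshold = SEVERITY_RANK[policy.fail_at]
    counted = sum(1 for f in findings if SEVERITY_RANK[f.severity] >= threshold)
    return counted <= policy.max_allowed, counted


if __name__ == "__main__":
    policy = Policy("medium")  # strict: any medium-or-worse finding fails the scan
    for label, src in (("first scan", VULNERABLE_SOURCE), ("rescan after fixes", FIXED_SOURCE)):
        found = scan(src)
        passed, counted = evaluate(found, policy)
        print(f"{label}: {counted} finding(s) at/above {policy.fail_at} -> {'PASS' if passed else 'FAIL'}")
        for f in found:
            print(f"  line {f.line_no}: {f.cwe} [{f.severity}] {f.title}: {f.text}")
```

Raising or lowering the policy's fail_at level (or its max_allowed count) changes the verdict on the same findings, which is the threshold decision the paragraph refers to.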

Dynamic code analysis

Code that has been compiled and deployed can be tested using dynamic analysis in a test or run-time environment. Here, the scanning is of how the binary code executes: set the application running and watch. As with static analysis, dynamic analysis is available either as on-demand services or as tools installed on-premise and the same arguments regarding benefits apply as outlined above for static analysis.

All an on-demand dynamic scanning service requires is to be pointed at a web address that provides access to the application, making it especially suitable for checking on-demand software services. Dynamic analysis is also good for checking hybrid applications; it is increasingly common for in-house developed applications to make calls out to on-demand services via application programming interfaces (APIs).

Dynamic scanning will never be as thorough as static scanning as it can only look at executable routes through an application, as opposed to every line of code. For this reason, it is also necessary to scan an application from the viewpoint of different users. It can also seek out other run time issues, such as uncontrolled growth in memory usage and subroutine shutdowns, as well as examining the effect of real time variables such as dates and times. Dynamic analysis finds fewer faults than static analysis, but it is more likely that the faults found will be demonstrably exploitable.

Dynamic analysis can be run time and time again, regularly checking deployed applications against emerging threats that may not have been known about during development. As outlined with static analysis, typically, on-demand scanning services will be charged on a per-application basis with unlimited scans whilst on-premise tools will be charged per developer seat.

Keeping software up to date

Scanning deployed software is all well and good, but it does not replace the need to keep software up to date. The average organisation spends 6.7 hours per week deploying patches to in-production software purely to remediate security issues. For obvious reasons the figure is higher the more applications a given organisation is tracking (Figure 10).

Some of this effort could be avoided. Code scanning can identify issues with in-house and outsourced developed code before deployment. Due diligence in the purchasing process can mean selecting commercial software applications from vendors that have fewer flaws in the first place due to better software development processes; ensuring that will involve requesting scans of their code as part of the evaluation process.

Penetration testing (pen-testing)

Dynamic analysis is one way to check the security of deployed web-enabled applications; another way is pen-testing.

Pen-testing involves engaging a specialist third party that uses human testers who will deliberately probe web-enabled applications to try and gain entry. It is done on an application-by-application basis and, as with dynamic scanning, the areas of code accessed will depend on the user view taken and the functions performed. Most organisations rely on pen-testing to some extent but often as a secondary technique (Figure 11).

Pen-testing is also relatively expensive as it relies on skilled, often scarce, human resources. The more complex an application is, the more effort it takes, as the aim is to investigate all the routes that various users could go down. This means that pen-testing cannot be scaled up to cover the hundreds of applications that most businesses are now tracking. Furthermore, as it is only practical to carry out pen-tests periodically, say once a year, it does not keep up with the fast-evolving nature of security threats. Pen-testing should be seen as a final targeted test of the most likely ways into the most mission-critical applications.

For suppliers of commercial software packages, pen-testing has less to offer. One of the benefits of pen-testing is that it tests deployed software and also probes the deployment environment (operating systems, databases, network security, etc.). This will vary for every customer; suppliers can pen-test against certain recommended software stacks in advance but, in reality, there will always be deviations from the recommendations that cannot be anticipated. For this, static code and/or binary image scanning are more suitable.

Web application firewalls

Another approach to securing web-enabled applications, once deployed, is to put in place web application firewalls (WAF). The aim is to detect and block application-specific threats in real time.

A single WAF can protect a number of applications, providing it can scale accordingly. Entry-level costs of deploying WAFs are higher than for standard firewalls, and a WAF will only support so much web application traffic before needing to be scaled up, incurring more costs. For this reason, as with pen-testing, it only makes sense to use a WAF for the most mission-critical applications with large numbers of users that justify the expense.

USA organisations are more likely to use WAFs to protect commercially acquired software and over 50% see them as the primary approach to application security. UK organisations are less likely to use them and, when they do, they consider them more of a secondary approach (Figure 12). Respondents to the current research were slightly less likely to use WAFs for in-house developed applications.

WAFs do nothing to improve the security of code; they protect applications that are exposed to the web regardless of their security flaws. In that sense, wherever they are deployed, they constitute an additional layer of application security. One might expect that those setting standards for the security of web-facing applications might mandate multiple levels of security, but this is not always the case. The PCI DSS V2 sees code scanning and WAFs as alternatives. It states in section 6.6:

For public-facing web applications, address new threats and vulnerabilities on an on-going basis and ensure these applications are protected against known attacks by either of the following methods:

- Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
- Installing a web-application firewall in front of public-facing web applications

The PCI, at least, believes code scanning can eliminate enough software flaws to deem WAFs unnecessary. Certain respondents to the current survey were not so sure. 43% saw both code scanning and WAFs as main approaches to security for at least some, albeit not always the same, of their applications.

The reticence to rely on WAFs alone is understandable; applications and the environment in which they run change over time. The rules coded into security devices, such as WAFs, get out of date and a once-mitigated vulnerability may suddenly be exposed. Fixing flaws in the first place is ultimately the most effective solution.
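The drift described above, as an added example that is not part of the report and uses constructed names, rules and data throughout: a WAF-style rule written against the application's original request parameter keeps blocking what it was written for (including a legitimate surname containing a quote), but does not inspect a parameter added in a later release, so the unfixed handler behind it is exposed again; the handler rewritten with a parameterised query treats every input as data without depending on the rule.

```python
import re
import sqlite3

# Constructed WAF-style rule set: written when the application only accepted
# a ?name= parameter, it inspects that single parameter for a quote character.
WAF_RULES = {"name": re.compile(r"'")}


def waf_allows(params):
    """True when no inspected parameter matches a blocking rule."""
    return not any(rule.search(params.get(p, "")) for p, rule in WAF_RULES.items())


def setup_db():
    """Constructed in-memory table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, city TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)",
                     [("Alice", "London"), ("O'Brien", "Dublin")])
    return conn


def lookup_unfixed(conn, params):
    """Flawed handler: SQL built by string concatenation. The WAF in front of it
    is the only protection, and the 'city' parameter was added in a later
    release, after the WAF rule was written, so the rule never sees it."""
    sql = "SELECT name FROM customers WHERE name = '" + params.get("name", "") + "'"
    if "city" in params:
        sql += " AND city = '" + params["city"] + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_fixed(conn, params):
    """Fixed handler: parameterised query, so every input is treated as data,
    whether or not the parameter existed when the WAF rule was written."""
    sql, args = "SELECT name FROM customers WHERE name = ?", [params.get("name", "")]
    if "city" in params:
        sql, args = sql + " AND city = ?", args + [params["city"]]
    return [row[0] for row in conn.execute(sql, args)]


def query(conn, handler, params):
    """Front door: WAF check first, then the application handler.
    Returns ("blocked", None), ("ok", rows) or ("error", message)."""
    if not waf_allows(params):
        return ("blocked", None)
    try:
        return ("ok", handler(conn, params))
    except sqlite3.Error as exc:
        return ("error", str(exc))
```

A quote in the newer "city" parameter passes the rule and breaks the concatenated SQL in the unfixed handler, while the same request against the fixed handler simply returns no rows.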

Maximising software security through multiple approaches

There is no such thing as a 100% secure application and using multiple approaches makes sense to ensure as many security vulnerabilities as possible are eliminated but, for most, using all approaches to the full is too expensive. Historically, depending on the type of software, different approaches have been adopted as primary approaches (Figure 13) and when it comes to code testing this has seen many organisations deploy in-house tools. However, the growing complexity of software itself and, in particular, the threat landscape, has seen increasing use of on-demand testing services because of the benefits outlined earlier in this report. For commercially acquired software, such services are already as widely-used a primary approach as on-premise tools for static code analysis.

As has been pointed out in this report, the use of on-demand services should not only be more cost effective, it should also be far more comprehensive in identifying flaws and preventing vulnerabilities because of the scale of the operations of the providers of such services. Quocirca recommends that those organisations that are already using code-scanning services for commercial code should consider extending their use to in-house code. Those that are not using services at all should evaluate them.

In summary:

1. Training developers is money well spent; it avoids down-the-line costs of fixing software flaws.

2. Maximise the use of scanning services early in the life cycle to further minimise the costs of securing applications and fixing problems later on.

3. Services should be considered for both commercially acquired code and in-house developed software. In both cases they should be more effective and comprehensive than on-premise tools.

4. Reserve relatively expensive pen-testing for targeted testing of the most mission-critical and widely used applications, especially those that are web-enabled; it will not be affordable for all of them.

5. WAFs should be considered as a secondary way of protecting applications. They do nothing to eliminate flaws but will be deemed necessary for some as the final line of defence for the most sensitive of applications.

6. Some costs, like software patching and updating, are on-going and unavoidable but can be reduced by due diligence early in the software development, procurement and deployment process.

For today's businesses the use of software is not a choice; however the security of the software in use is. Address these issues at all stages of the software development, procurement and deployment life cycle and save long-term costs whilst improving the efficiency, reliability, security, compliance and competitiveness of business processes.


Demographics

The following graphs show how the 100 organisations interviewed for the current research were distributed by country, size and business sector.

About Veracode

Veracode is the only independent provider of cloud-based application intelligence and security verification services. The Veracode platform provides the fastest, most comprehensive solution to improve the security of internally developed, purchased or outsourced software applications and third-party components. By combining patented static, dynamic and manual testing, extensive eLearning capabilities, and advanced application analytics, Veracode enables scalable, policy-driven application risk management programs that help identify and eradicate numerous vulnerabilities by leveraging best-in-class technologies from vulnerability scanning to penetration testing and static code analysis.

Veracode delivers unbiased proof of application security to stakeholders across the software supply chain while supporting independent audit and compliance requirements for all applications no matter how they are deployed, via the web, mobile or in the cloud. Veracode works with global organizations across multiple vertical industries including Barclays PLC, California Public Employees Retirement System (CalPERS), Computershare and the Federal Aviation Administration (FAA). For more information, visit www.veracode.com, follow on Twitter: @Veracode or read the Veracode Blog.

US & International:
Veracode Inc
4 Van Der Graaf Drive
Burlington, MA 01803
USA
+1 781 4256040
[email protected]

Europe:
Veracode Ltd
288 Bishopsgate
London EC2M 4QP
United Kingdom
+44 (0)20 3427 6025
[email protected]


About Quocirca

Quocirca is a primary research and analysis company specialising in the business impact of information technology and communications (ITC). With world-wide, native language reach, Quocirca provides in-depth insights into the views of buyers and influencers in large, mid-sized and small organisations. Its analyst team is made up of real-world practitioners with first-hand experience of ITC delivery who continuously research and track the industry and its real usage in the markets.

Through researching perceptions, Quocirca uncovers the real hurdles to technology adoption: the personal and political aspects of an organisation's environment and the pressures of the need for demonstrable business value in any implementation. This capability to uncover and report back on the end-user perceptions in the market enables Quocirca to provide advice on the realities of technology adoption, not the promises.

Quocirca research is always pragmatic, business orientated and conducted in the context of the bigger picture. ITC has the ability to transform businesses and the processes that drive them, but often fails to do so. Quocirca's mission is to help organisations improve their success rate in process enablement through better levels of understanding and the adoption of the correct technologies at the correct time.

Quocirca has a pro-active primary research programme, regularly surveying users, purchasers and resellers of ITC products and services on emerging, evolving and maturing technologies. Over time, Quocirca has built a picture of long term investment trends, providing invaluable information for the whole of the ITC community.

Quocirca works with global and local providers of ITC products and services to help them deliver on the promise that ITC holds for business. Quocirca's clients include Oracle, Microsoft, IBM, O2, T-Mobile, HP, Xerox, EMC, Symantec and Cisco, along with other large and medium-sized vendors, service providers and more specialist firms.

Details of Quocirca's work and the services it offers can be found at http://www.quocirca.com

REPORT NOTE: This report has been written independently by Quocirca Ltd to provide an overview of the issues facing organisations seeking to maximise the effectiveness of today's dynamic workforce.

The report draws on Quocirca's extensive knowledge of the technology and business arenas, and provides advice on the approach that organisations should take to create a more effective and efficient environment for future growth.