Around two-thirds of mission-critical applications are developed externally and are not compliant with industry standards.
According to a study of 939 applications across 564 distinct applications submitted to Veracode between January 2011 and June 2012, SQL injection (40 per cent) and cross-sites scripting (71 per cent) remain among the most prevalent vulnerabilities in third-party vendor applications, however few organisations have formal programs in place to manage and secure the software supply chain.
Veracode's annual State of Software Security Report found that 38 per cent of vendor-supplied applications complied with enterprise-defined policies, while 30 per cent complied with CWE/SANS Top 25 industry-defined standards and only ten per cent complied with the OWASP top ten.
The report also found that 62 per cent of applications fail to reach compliance on the first submission and few enterprises have application security testing programs in place, yet the volume of assessments within organisations is growing.
Chris Eng, vice president of research at Veracode, said: “The widespread adoption of third-party apps and use of external developers in enterprises brings increased risk.
“We are beginning to see signs that enterprises are recognising and addressing these risks. However, organisations still assume too much risk when trusting their third-party software suppliers to develop applications that meet industry and organisational standards. There is still much more work to be done to adequately secure the software supply chain.”
Wendy Nather, research director at 451 Research, said: “Today, every organisation is an extended enterprise, with third-party software a fundamental layer in the software supply chain.
“It's critical that organisations develop security policies when purchasing software from outside vendors because of the risks inherent in using third-party applications, yet few are actually demanding security compliance of their suppliers.”