Businesses are increasingly adopting new technologies to grow and innovate, and in turn their customers are more reliant on software than ever before: it underpins every aspect of daily life, from controlling our devices to running e-commerce systems.
This dependency has led to an unprecedented level of cyber-attacks against public organisations, global corporations and, most recently, critical national infrastructure such as nuclear, energy and industrial firms. Almost half (46 percent) of all UK businesses suffered a cyber-security breach between April 2016 and April 2017. Exploiting vulnerable software and applications is a key attack vector for cyber-criminals, yet few enterprises have vendor application security testing programmes in place.
Despite the high prevalence of known vulnerabilities, many organisations never do static or dynamic testing, although exactly how many applications remain untested is a mystery. We do know that 83 percent of organisations have released code before testing it or resolving its security issues.
The vulnerabilities introduced by open source components, in particular, can present significant risks to an organisation. Modern software development relies on incorporating third-party libraries, so a single flaw in one library can be disseminated across wide-ranging applications in any number of industries, often through dependencies the application's own developers never chose directly. This year, for example, CA Veracode found that 91 percent of Java applications contained at least one vulnerable component that could be exploited by cyber-criminals.
Developers play a huge role in ensuring that enterprise applications are secure. There is a challenge, however: there is a critical deficit in developer security training and in how developers can effectively manage the risk of vulnerable components. The research found that developers are not choosing to ignore security issues; rather, they lack the skills or resources needed to write secure code.
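To make the dissemination point concrete, here is an added illustration (not code from the article or from CA Veracode) of the check a software-composition analysis tool performs: walk each application's dependency tree, including transitive dependencies, and match every component version against a list of advisories. All package names, versions, the dependency graph and the advisories are constructed for this example and do not refer to any real library or CVE. The graph is built so that one flawed low-level library, `json-lite`, reaches all three applications, in one case only through an intermediate library.

```python
"""Toy software-composition check over a constructed dependency graph.

Every package name, version and advisory here is hypothetical; the point is
to show how one vulnerable transitive component surfaces in many applications.
"""

from typing import Dict, List, Set, Tuple

# Constructed dependency graph: "name@version" -> pinned direct dependencies.
# Three hypothetical applications share lower-level libraries, as real
# Java, npm or PyPI projects do.
DEPENDENCIES: Dict[str, List[str]] = {
    "shop-frontend@2.3.0": ["web-kit@4.1.0", "json-lite@1.8.2"],
    "billing-service@1.0.5": ["orm-tools@3.2.1", "json-lite@1.8.2"],
    "device-gateway@0.9.0": ["mqtt-bridge@2.0.0"],
    "web-kit@4.1.0": ["template-eng@5.0.3", "json-lite@1.8.2"],
    "orm-tools@3.2.1": ["json-lite@1.9.0"],
    "mqtt-bridge@2.0.0": ["json-lite@1.7.4"],
    "template-eng@5.0.3": [],
    "json-lite@1.8.2": [],
    "json-lite@1.9.0": [],
    "json-lite@1.7.4": [],
}

# Constructed advisories: (package, first affected version inclusive,
# first fixed version exclusive). Not real CVEs.
ADVISORIES: List[Tuple[str, str, str]] = [
    ("json-lite", "1.0.0", "1.9.0"),     # hypothetical flaw, fixed in 1.9.0
    ("template-eng", "5.0.0", "5.0.2"),  # hypothetical flaw, pinned 5.0.3 is fixed
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Dotted numeric versions only; sufficient for the constructed data."""
    return tuple(int(part) for part in version.split("."))


def split_coordinate(coord: str) -> Tuple[str, str]:
    """'name@version' -> ('name', 'version')."""
    name, version = coord.rsplit("@", 1)
    return name, version


def is_vulnerable(coord: str) -> bool:
    """True if the coordinate falls inside any advisory's affected range."""
    name, version = split_coordinate(coord)
    parsed = parse_version(version)
    return any(
        name == adv_name and parse_version(low) <= parsed < parse_version(fixed)
        for adv_name, low, fixed in ADVISORIES
    )


def find_exposures(root: str) -> List[List[str]]:
    """Return every dependency path from `root` to a vulnerable coordinate.

    Depth-first walk. The visited set is per path, so a diamond dependency
    is reported once for each route that reaches it, while a cycle in the
    graph cannot recurse forever.
    """
    exposures: List[List[str]] = []

    def walk(coord: str, path: List[str], seen: Set[str]) -> None:
        if coord in seen:
            return
        seen = seen | {coord}
        path = path + [coord]
        if is_vulnerable(coord):
            exposures.append(path)
        for dep in DEPENDENCIES.get(coord, []):
            walk(dep, path, seen)

    walk(root, [], set())
    return exposures


def exposed_applications(apps: List[str]) -> Dict[str, List[List[str]]]:
    """Map each application to its exposure paths, omitting clean ones."""
    result: Dict[str, List[List[str]]] = {}
    for app in apps:
        paths = find_exposures(app)
        if paths:
            result[app] = paths
    return result


if __name__ == "__main__":
    apps = ["shop-frontend@2.3.0", "billing-service@1.0.5", "device-gateway@0.9.0"]
    for app, paths in exposed_applications(apps).items():
        print(app)
        for path in paths:
            print("  " + " -> ".join(path))
```

Note that `billing-service` upgraded `json-lite` to the fixed 1.9.0 on one path (via `orm-tools`) but still pins the vulnerable 1.8.2 directly, and `device-gateway` never declares `json-lite` at all yet is exposed through `mqtt-bridge`. A check that only looks at an application's direct dependency list would miss the second case, which is why composition analysis must resolve the full tree.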
With new vulnerabilities constantly being discovered, it is essential for organisations to get a handle on their software security. Even for those organisations with an AppSec programme in place, flaws can take a long time to patch, with only 22 percent of very high severity flaws being patched within 30 days.
Testing applications early and often can avoid a long, drawn-out fixing process. The research demonstrates the need for systematic software security testing, which is both effective and critical. Now is the time for businesses to understand the state of their software and the implications it can have. There is too much riding on it if they don't.
Contributed by Paul Farrington, Manager, EMEA Solution Architects at CA Veracode.