As hackers wreak havoc on corporations such as Macy’s, Delta, Orbitz, and Chipotle, consumer interest in application security is growing exponentially. These days, web and mobile applications account for more than a third of data breaches, and attacks at the application layer are growing by more than 25% annually.
From a consumer perspective, these breaches are a precursor to identity theft and fraud, as stolen data can be used to gain authorized access to financial accounts. For organizations, they’re a source of legal liabilities, high remediation costs, and a loss of consumer trust. In fact, according to a study by KPMG, 19% of consumers would completely stop shopping at a retailer after a breach, and 33% would take a break from shopping there for an extended period.
Yet many organizations fail to recognize the vulnerabilities lurking in their application code. Based on scans of thousands of applications and billions of lines of code, Veracode discovered that three in every four applications had at least one vulnerability on initial scan, and 12% of applications had a high or very high severity vulnerability on initial scan.
Security as a competitive edge
The problem is many organizations fail to thoroughly monitor their applications for vulnerabilities; others poorly communicate their efforts. In fact, an IDG/Veracode Application Security survey identified several factors preventing a thorough evaluation of the security status of personal applications and software. Chief among these are difficulty understanding the information (42%), the time required to review security status (39%), and difficulty finding the information (38%).
Addressing these security concerns is more than an IT responsibility; it’s a competitive advantage. Ninety-four percent of European respondents, and 83% of those in the U.S., believe it’s important to assess the application security capabilities of the vendors whose applications they purchase. Approximately 66% of all respondents are more likely to consider doing business with a vendor whose software has been independently verified as secure versus one whose security status is undetermined. And 96% are more likely to consider using an application on their personal device that has been independently verified as secure. As a result, the ability to demonstrate the use of secure testing practices can greatly enhance an organization’s competitive edge.
The downside of in-house support
By listening to consumer security concerns, organizations have a unique opportunity to gain a competitive edge. However, many lack the skills and resources required to conduct security scans in-house. Manual penetration testing, bug hunting programs, and scanning tools can help reduce risks, but they often fall short of offering comprehensive coverage. And variables such as third-party code and complex production environments can complicate the use of scanning solutions.
Even developers, with their in-depth knowledge of coding, can struggle with security verification. Under unprecedented pressure to write code and release products quickly, many simply don’t have the time to search for coding errors. Complicating matters is the fact that many developers believe that increasing security measures can slow down development cycles and negatively impact productivity. As a result, they’re often reluctant to embrace new security controls and policies.
Partnering for success
Fortunately, the right third-party partnership can demonstrate an organization’s commitment to application security by providing the following components:
- A platform that offers a holistic, scalable way to manage security risks across an entire application portfolio
- A wide range of security testing and threat mitigation technologies
- The expertise of security program managers to help define policies and success criteria for a strategic, repeatable way to tackle application security risks
- One-on-one coaching and a variety of training modules to educate developers so that they can effectively fix existing flaws and code securely moving forward
The result is a partnership that helps find and fix security-related defects at all points in the software development lifecycle before they can be exploited by hackers. In fact, teaming up with a third-party security provider not only reduces the risk of data breaches, it accelerates secure software delivery, improves compliance, and boosts customer confidence.
Battling breaches with strategy
Application security is about more than technology. Without an AppSec program in place, and a strong knowledge base, a return on investment is unlikely. For this reason, one of the most critical contributions a third-party provider can make to an organization is the design and implementation of an application security strategy.
First, organizations must assess the current status of their applications, and where there are security gaps. This involves creating an inventory of all web applications, as well as running a discovery scan of the web perimeter to quickly gain an inventory of external web applications.
The next step entails moving beyond simple testing to prioritizing and remediating vulnerabilities based on risk. This can be accomplished by working with a third-party provider to develop a systematic application security program with standardized procedures. For example, a procedure could ensure the frequent testing of applications. That’s especially critical in a DevOps environment where developers work at record speed, creating new iterations of an application and constantly applying code changes. The more frequently organizations test their applications, the more likely they are to find and fix flaws.
In addition to giving developers the tools they need to fill security holes, a third-party partnership can offer reassurance. Customers know that the applications they’re buying or selling are backed by proven processes that not only test applications for flaws, but also continuously monitor them throughout the entire application development process. That’s a key competitive advantage given that the vast majority of IDG/Veracode Application Security survey respondents believe it’s critical or highly important that software security is validated by an independent security expert.
Applications evermore
Software will continue to power the world as organizations turn to web and mobile applications for operating efficiencies, cost savings, and innovation. In return, customers are demanding that these applications be free of security vulnerabilities. To meet these needs, savvy organizations are teaming up with vendors that can provide a powerful platform and a key set of policies to minimize security risks. The result is a partnership that not only reduces the likelihood of security breaches but also boosts consumer confidence.
Listen to your customers, and learn how to speak to their security needs, quickly and accurately, with CA Veracode’s Verified program.
Learn more about how security can be your competitive advantage in this recent market survey report.