Partnering with a certified secure vendor helps ensure code is free of security-related defects―and shows you’ve made security a priority.
Lost revenue, legal liabilities, diminished market share, disgruntled customers: they’re all repercussions of a security breach. No wonder an increasing number of consumers and businesses are demanding that the applications they access are safe from attack.
In fact, an IDG/Veracode Application Security report reveals that 78% of U.S. respondents, and 92% of European respondents, consider it critical that the vendors and partners they do business with can provide evidence of their capabilities for application security testing.
However, not all companies have the in-house resources and skills required to provide full-fledged security validation of an application. Indeed, nearly all organizations (99%) run into roadblocks when trying to assess the security status of applications and software that they haven’t developed in-house, according to the survey.
Partner up for security
In response, many organizations are opting to work with a certified secure vendor. This partnership offers a number of advantages. First, it provides certification that the software/application code is free of security-related defects. But it also emphasizes that the organization has made security a priority, and that the security program is backed by a trusted industry name.
That’s a shot of reassurance for breach-conscious customers: 94% of respondents report that their level of confidence in a potential vendor or partner would increase significantly if their security has been validated by an established independent security expert.
A maturity model for security
But in an era of agile software development, fluctuating consumer demands, and ever-evolving market trends, security verification is never a one-time fix. Rather, organizations require a proven roadmap to design a mature application security program. These levels of maturity include:
Level 1: Cover the basics
Assess first-party code with static analysis
Create a policy that prohibits Very High flaws in first-party code
Create a policy that remediates lesser flaws in a respectable timeframe
Provide developers with remediation guidance
Level 2: Identify timelines and a security champion
Document that the application does not include Very High or High flaws, and that you have a 60-day remediation deadline
Identify a security champion within the development team to ensure secure coding practices are used across the development lifecycle
Provide training on secure coding for the identified security champion
Assess open source components for vulnerabilities
Level 3: Make security continuous
Integrate security tools into development workflows
Assess application with dynamic analysis
Document that your application does not include any Very High, High, or Medium flaws, and that you have a biannual mitigation review and a 30-day remediation deadline
Provide advanced training on secure coding for the security champion identified on the development team
Provide the development team with training on secure coding
Rather than focus on a single point in time, this maturity model lets organizations implement secure development practices throughout the entire lifecycle of an application for always-secure status. Continuous testing also ensures that applications remain secure as developers apply hundreds of code changes, a critical factor in an age of DevOps.
To map your journey to a mature application security program and stay one step ahead of your customers’ security concerns, check out CA Veracode’s Verified program.
Visit CA Veracode today to learn more about maturing your application security program.