
Outsourced application code requires stringent security testing.

Veracode : 09 April, 2008  (New Product)
Application security testing becomes more crucial in light of report by Quocirca which shows high levels of application code outsourcing.
A new report published by the European technology analysis group Quocirca, based on a survey of 250 C-level executives in the UK and Germany, suggests that 90% of organisations are outsourcing more than 40% of their code. Other findings in the survey are:

* 78% of organisations state that software development is business critical for them.
* At the same time, 60% of companies that outsource the coding of their critical applications do not demand that security is built into their applications.

Matt Moynahan, CEO of Veracode, responds to this survey by highlighting the need for application security testing of code to become mandatory:

'With almost £100 billion in custom code being developed in locations such as India, China, Eastern Europe and South America, many businesses have rushed to take advantage of cost savings and flexibility in their striving for competitive advantage... At the same time attacks on applications - the weakest links in the corporate security chain - have grown exponentially. Organisations relying on outsourcing application development need to demand independent verification of applications as part of their formal software acceptance criteria. Users are in a position to call the shots. As application security becomes the most pressing issue on the security agenda, users should veto service providers who cannot demonstrate that a full independent security audit has been conducted on their final deliverable to ensure proper security quality has been achieved,' said Matt Moynahan, CEO at Veracode.

According to Gartner, 75% of new attacks target the application layer directly, while software vulnerabilities have reached an all-time high, with over 7,000 new software vulnerabilities disclosed over the last year according to the National Vulnerability Database.

The conventional approach to this issue has been either to conduct costly and time-consuming manual penetration testing or to use source code testing tools. Testing at the source code level is not only impractical, as offshore code is often unavailable to the enterprise, but also insufficient. Offshore development is a multi-tier process involving many parties, in which growing types of threats - such as those coming from backdoors - are impossible to spot with traditional tools. Additionally, the tools are typically run by the very same developers who are building the code and who could potentially be implementing backdoors. Research from the US Department of Homeland Security points to a significant risk from backdoors, and 23% of software packages used by US government employees have backdoors built into them.

Technology now exists - from organisations such as Veracode - that allows enterprises to have a trusted entity conduct proper security audits on the final application code as part of an organisation's formal software acceptance, without the need for source code or costly on-site consultants. Veracode inspects application code at the same level at which it is attacked - the binaries. By assessing the final application code, Veracode ensures that all threats, including vulnerabilities and malicious code, are detected, thereby providing the most complete security audit across internally developed applications, third-party commercial off-the-shelf software and offshore code. Additionally, Veracode delivers its offerings on a software-as-a-service basis, ensuring that application code can be independently verified and validated, irrespective of its source.
   © 2012 ProSecurityZone.com