Last week I indulged in a little live tweeting of a webinar my firm, Veracode, did with Chanxi Wang of Forrester, following up on our recent announcement of an independent survey in which 62% of the respondents reported being breached through at least one application vulnerability in 2008.
I’ve reposted the substance of my tweets below, followed by my $0.02 on the survey:
- (1) #Veracode & Forrester app risk mgmt survey: in 2008 62% of respondents were breached thru app vulns but don’t know their app risk.
- (2) As Kaspersky breach shows, 3rd party code is a big blind spot for most orgs.
- (3) open source, outsourced and off the shelf code used frequently but 59% don’t do anything to secure OSS.
- (4) only 32% require security at all stages of sdlc.
- (5) top training method in 37% of respondents is to learn on the job from experienced devs… who can’t be hired.
- (6) False sense of security pervasive. 94% think they know security of app portfolio but 40% dont know COTS risk
- (7) ease of use plus secure plus time saving is driving factor for third party assessments.
- (8) if you outsource code, consider outsourcing security assessments too.
Bottom line: the survey results suggest that application vulnerabilities lead to real risk for a lot of companies, but most companies don’t have secure practices that cover their development or training adequately, to say nothing of the risk from third party code.