
Global Enterprises Serve Up Risky S.O.U.P.

GLOBAL ENTERPRISES SERVE UP RISKY S.O.U.P. (SOFTWARE OF UNKNOWN PEDIGREE)

Today's Special: Software of Unknown Pedigree. On the menu: web, cloud services, open source, outsourced, mobile.

The use of vendor supplied software is growing EXPONENTIALLY... and UNCHECKED.

SOUP INGREDIENTS
Serving Size: 1 Global Enterprise
Amount Per Serving, % of software procured from: Outsourced Development, Off the Shelf Vendors (COTS), On-Demand (SaaS) Providers, Open Source Code, Mobile Apps Development. Values as transcribed, in the order they appear on the chart: 28%, 44%, 16%, 15%, 15%, 7%.

Percentage of Enterprises Testing Vendor-Supplied Software (Quocirca, Outsourcing the Problem of Software Security Report): 84%, with the chart split between "Tested at least one vendor supplied application" and "Tested no vendor supplied applications" (the transcription does not preserve which segment the 84% belongs to).

YOU ARE WHAT YOU EAT! Why it's important to inspect SOUP
82% of enterprise auditors are asking if vendor supplied software is secure (Quocirca, Outsourcing the Problem of Software Security Report).

...and some ingredients in SOUP may be harmful to the Enterprise.
Percentage of Software Applications Failing Security Tests Upon First Submission:

Type of vendor-supplied software | Inspection failure rate* | Possible enterprise side effects
Customer Support Applications | 80% | Customer data loss
Security Applications | 76% | Gaps in enterprise security defenses against attackers
Business & IT Operations | 72% | Corporate IP theft or malicious process manipulation
Financial Applications | 59% | Increased fraud or financial data loss

*Inspection Failure Rate: percentage of purchased and externally developed software that fails to comply with enterprise security policies upon first submission to an application security test by Veracode.

SOUP PUTS ENTERPRISES AND THEIR CUSTOMER DATA AT RISK
Percent of data breaches analyzed by Trustwave resulting from a third party which introduced the security deficiencies that were ultimately exploited: 76%. (Trustwave 2012 Global Security Report)

NO SOUP FOR YOU!
Enterprises from many industries are saying no to SOUP and inspecting vendor supplied applications.

Distribution of enterprises requesting vendor assessments by industry segment (not all industries shown, so the total does not add up to 100%): Financial Services, Software and IT Services, Technology, Telecommunications, Healthcare, Business Services, Entertainment and Media. Values as transcribed, in the order they appear on the chart: 21%, 14%, 14%, 6%, 3%, 3%.

SOUP INGREDIENTS BEING TESTED BY ENTERPRISES
By language and platform: Java, iOS, C/C++, Android, .NET, Cold Fusion, PHP, J2ME.
By business criticality: Very High, High, Medium, Low, Very Low.
Values as transcribed from the two charts, in the order they appear (pairing not preserved): 40%, 21%, 25%, 23%, 7%, 1%, 56%, <1%, 19%, 4%, 1%.

RECIPE CARD FOR A PROGRAMMATIC APPROACH TO VENDOR SOFTWARE SECURITY TESTING
Prep Time: 3 months
Test Time: 1-4 weeks* (*use a SaaS provider to compress testing time)
Remediation Time: Weeks to months
Serves: All vendor applications

Ingredients:
- 100 lbs vendor software
- 1 lb corporate goals
- 1 lb corporate mandate
- 2 cups escalation process
- 1 cup acceptance criteria
- 1 cup exception criteria
- 1 cup contract language
- ½ cup security policy
- ½ cup test methodologies
- 4 cups corporate communication

Instructions:
1. Determine the application security state of your current vendor management program and clarify the corporate mandate and goals for your new program.
2. Define your security policy, including acceptance criteria, exception criteria, escalation process, non-acceptable flaw types, testing methodologies, etc.
3. Set realistic timelines for vendors to meet your new policy.
4. Communicate your new policy to your vendors and be prepared to address common vendor concerns.
5. Empower your security analysis team to proactively work with your vendors.
Source: Veracode, Ten Tips for Building a Successful Vendor Application Security Program

BENEFITS OF THE PROGRAMMATIC APPROACH TO VENDOR SOFTWARE SECURITY TESTING

Vendor-supplied software testing approaches | No formal program | A programmatic approach
Average number of vendors participating | (not transcribed) | 38
Average number of applications assessed | (not transcribed) | 71
Percent of applications achieving compliance | 34% | 52%
Percent of applications achieving compliance within one week | 28% | 45%
Percent of non-compliant applications that are out of compliance for more than six months (lower is better) | 39% | 20%

The infographic labels the programmatic-approach participation figures "approximately 10 times more".

GLOSSARY
SOUP: S.O.U.P. stands for Software of Unknown (or Uncertain) Pedigree (or Provenance), and is a term often used in the context of safety-critical and safety-involved systems. SOUP is software that has not been developed to known security standards. (Source: Wikipedia)

DOWNLOAD VERACODE SOSS FEATURE SUPPLEMENT
Veracode.com | 1-888-ZER-ODAY (937-0329)
© 2012 Veracode, Inc. All rights reserved. All other brand names, product names, or trademarks belong to their respective holders.


shared by Neostrategos on Jan 17
Software of Unknown Pedigree: SOUP. Once an industry buzzword around safety-involved or critical systems like medical software, this term deserves resurrection. Mid-size businesses and enterprises lev...

Publisher: Veracode
Category: Business