Security Experts:

New Veracode Service Tests Third Party Software Applications

Veracode Launches Vendor Application Security Testing Program

Application security testing firm Veracode on Wednesday launched an automated program to help businesses evaluate security risks associated with third-party software.

VeracodeThe Vendor Application Security Testing (VAST) offering is an independent, automated, and fully outsourced program that ensures vendor-supplied software meets security and compliance requirements, Veracode said Wednesday. Since Veracode can analyze third-party software without needing access to the source code, VAST provides businesses insight into outsourced tools without compromising the vendor's intellectual property, the company said.

Businesses don't always have the time, budget, or internal resources to evaluate an application's security posture. Administrators also rarely have access to the source code to perform that level of analysis. As a result, enterprises are not aware of the kind of risks they are facing by using cloud-based and third-party applications.

“The vast majority of enterprise software is not designed or built with security in mind,” said Bob Brennan, CEO of Burlington, Mass-based Veracode. “Veracode can provide immediate insight into the security of the software that runs an organization’s business, and help its software providers remediate those flaws that subject it to being attacked.”

Veracode cited a recent security report from PricewaterhouseCoopers that found up to 80 percent of third-party software failed basic OWASP tests for security compliance. With VAST, enterprises can also ensure they are meeting security and compliance requirements even when using third-party tools.

“Application security testing of third party providers should be a critical element of any information security initiative,” said Joseph Feiman, a research vice president and Gartner fellow. Independent security verification of vendor-supplied software is necessary to "fully guarantee software supply chain integrity," Feiman said.

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.