Enterprises Lack Formal Programs To Secure Third-Party Applications, Survey Says

Scanning Applications for Security

Study Finds That While Application Security Testing Is Expanding to New Industries, The Software Supply Chain Is Still Vulnerable

While few enterprises have vendor application security testing programs in place, organizations are increasingly recognizing the risks associated with using applications developed by third-party providers, Veracode found in its latest analysis.

Of the 939 applications submitted to Veracode for vulnerability assessment between January 2011 and June 2012, SQL injection and cross-site scripting remained the most prevalent security flaws in third-party software, Veracode said Tuesday. In its annual State of Software Security Report, Veracode examined all the applications submitted to Veracode over the past 18 months, including those that were resubmitted after failing assessment on the first attempt, Chris Eng, vice-president of research at Veracode, told SecurityWeek.

Organizations rely heavily on third-party applications and external developers. A “typical enterprise” averages 600 mission-critical applications, of which almost two-thirds were developed externally, Eng said. Companies may be vulnerable to data theft, malware infection, and financial fraud if the security flaws in third-party software are not addressed, and there are signs organizations are beginning to think about securing the software supply chain, Eng said.

“The widespread adoption of third-party apps and use of external developers in enterprises brings increased risk,” Eng said, before noting that there were signs enterprises were recognizing and addressing the risks.

The volume of vendor-supplied software and application assessments within the organization is growing, increasing 49 percent between the first quarter of 2011 and the second quarter of 2012, Veracode said. Previously, the financial services, software/IT services, and technology sectors dominated vulnerability assessments. Now, half of the companies regularly requesting assessments come from industry sectors other than those three, Veracode found. While it’s growing, code assessment is still in the “early stages” considering that less than one in five enterprises have requested a code-level security audit from at least one vendor, Eng said.

Nearly 62 percent of applications failed the security test on the first submission, which means organizations need procedures in place to manage non-compliant applications as part of their comprehensive enterprise security policy, Veracode said.

There is a gap between what the organization requires to pass the assessment and what the industry sets for compliance, and vendors are better at complying with the enterprise standards, Veracode found. A little over a third, or 38 percent, of vendor-supplied applications complied with the less rigorous enterprise-defined policies, compared to a mere 10 percent complying with the recommendations outlined in the OWASP Top 10 list. About 30 percent of vendor-supplied applications were compliant with the CWE/SANS Top 25 industry list.

Vendors were more likely to achieve compliance on the first try against the enterprise policy, Veracode found. “Obtaining initial visibility into the state of vendor software security was more important for these enterprises than demanding compliance with a tough security policy,” the report said.

A programmatic approach to software security testing can help enterprises and vendors mitigate flaws, Veracode found. Organizations that took a more ad-hoc approach, selecting and testing applications on a case-by-case basis, had fewer applications and vendors participating in an assessment. Enterprises with programmatic approaches were also much faster at fixing flaws after a failed assessment and becoming compliant. In organizations with a programmatic approach to vulnerability testing, 45 percent of vendor applications were compliant within one week, compared to 28 percent in organizations with ad-hoc testing.

The most prevalent vulnerabilities found during vendor application assessments are also highlighted as being dangerous flaws on various industry lists, Eng said. Four of the top five flaw categories for Web applications appear on the OWASP Top 10 most dangerous flaws, Veracode found. Five of the top six flaw categories for non-Web applications (software) are listed on the CWE/SANS Top 25 list of the most dangerous flaws.

SQL injection and cross-site scripting continue to appear frequently in applications, with SQL injection flaws found in 40 percent of Web applications and cross-site scripting affecting 71 percent, Veracode said.

“Organizations still assume too much risk when trusting their third-party software suppliers to develop applications that meet industry and organizational standards,” Eng said.
