Why an AppSec Program is Necessary for the Software You Sell


Page 1: Why an AppSec Program is Necessary for the Software You Sell

SOFTWARE FOR SALE: APPLICATION SECURITY

Why an AppSec Program is Necessary for the Software You Sell

VERACODE EBOOK

Page 2: Why an AppSec Program is Necessary for the Software You Sell

WHY AN APPSEC PROGRAM IS NECESSARY FOR THE SOFTWARE YOU SELL 2

Our world is rapidly becoming one that is powered by software.

Our cars are now more computer than mechanics, we walk around with miniature computers in our pockets, and we even control our thermostats through software. And just like individuals, businesses are powered by software as well. Software is now the source of innovation for businesses of all kinds.

Even GE, one of the world’s largest manufacturers, bills itself as a digital business, claiming that on its “current trajectory, it is on track to be a top 10 software company.”

Page 3: Why an AppSec Program is Necessary for the Software You Sell

Despite the growing dependence on software, and the access to critical information it often has, few companies properly secure this software.

Infographic: 50% of all attacks target the application layer; <1% of spending focuses on application security.

Approximately 50 percent of all cyberattacks are on the application layer. Yet less than 1 percent of security spending is on application security. Source for both figures: the Verizon Data Breach Investigations Report.

Page 4: Why an AppSec Program is Necessary for the Software You Sell

These are the three Cs of why businesses that produce software to sell must implement an AppSec program:

1. Customers
2. Competition
3. Compliance

The disregard for application security at companies producing software for their own internal use is somewhat understandable. These are not software companies and may not understand the nuances of application security. However, it is assumed that companies that produce software to sell to other businesses understand the importance of application security. Software is their business, and securing software is their responsibility — or at least their customers would assume so.

However, this expectation of security can be a burden for a company producing software for use by other companies. In addition to customers asking for proof of security, regulations may require that steps be taken to ensure the software is free from vulnerabilities or from components with known vulnerabilities, and competitors may question the security posture of your software to gain an advantage.

Page 5: Why an AppSec Program is Necessary for the Software You Sell

Customers Are Asking

In an effort to keep up with rapid innovation, which requires ever more software, companies are increasingly augmenting their own development efforts by purchasing more software.

According to an IDG study, more than two-thirds of the software used by an enterprise comes from third-party providers.

Infographic: 66% of software from third-party providers.

Page 6: Why an AppSec Program is Necessary for the Software You Sell

As reports about large companies being breached through third-party applications become more prevalent, your customers will start to ask questions about the security of the software they are buying.

Some large enterprises are even starting to work with application security vendors to ask their vendors for security attestation, making security attestations a step in the procurement process. Once a security attestation becomes part of the procurement process, software providers that do not already possess proof of security will see the process slow to a halt. These software vendors will find themselves fielding one-off requests for proof of security, and complying with each request takes people, time and money, especially if each request requires a different form of proof or varying levels of security.

Page 7: Why an AppSec Program is Necessary for the Software You Sell

How are your customers thinking about the security of the software they buy?

Case study: How a Global 2000 Financial Services Firm Reduces Third-Party Software Risk. Learn how a leading financial services firm implemented FS-ISAC’s three critical controls to secure their software supply chain.

Software vendors that have a process for assessing the security of their software will be better equipped to handle these requests.

Rather than having to demonstrate the security of individual applications, companies with an advanced application security program can demonstrate their security assessment process for all their products, and can provide documentation around the vulnerabilities that were found and remediated in specific applications during this process. In doing so, these companies avoid the halt in the procurement process, since their customers feel confident they are purchasing from a company that understands their security concerns.

Page 8: Why an AppSec Program is Necessary for the Software You Sell

Competitive Advantage

As more enterprises become aware of the fact that 90 percent of security incidents result from exploits against defects in software, and that three out of four applications produced by software vendors fail to meet OWASP Top 10 standards when initially assessed for security, software providers are going to start fielding more questions about the security of the software they sell.

The software providers that are prepared for these questions will have a distinct competitive advantage over those that have to scramble to provide security information. In fact, chances are, the software providers that do not have an application security program in place are more likely to have security issues pop up once they perform an attestation, as they are likely one of the 30 percent of companies that never scan for vulnerabilities during code development. Surprise findings like these require hot-fixes, which are more costly than finding and fixing a vulnerability during the development process rather than after release.

Infographic: 3 out of 4 applications fail to meet OWASP Top 10 standards; 90% of security incidents are due to software exploits.

Page 9: Why an AppSec Program is Necessary for the Software You Sell

Rather than waiting for customers to ask about security, software companies that have taken the time to implement an advanced application security program that is part of the software development lifecycle can proactively market this fact to their potential customers. By using security as a selling point, these companies are pointing out the security deficiencies in their competitors’ software, and thus shortening the list of potential alternatives for their prospects.

In today’s competitive software landscape, where enterprises can turn to open source or attempt to develop their own applications, software providers need to demonstrate to customers that choosing to purchase software is both less costly and less risky than developing their own.

Having a strong process in place for assessing the security of software throughout the development lifecycle demonstrates just that.

Figure: software security assessment process.

Having an advanced application security program in place, rather than conducting one-off tests of individual versions of software, provides an opportunity to be proactive about this advantage.

Page 10: Why an AppSec Program is Necessary for the Software You Sell

Compliance is Coming

Figure: Standard #1, Standard #2, Standard #3.

Currently, there is no single set of standards governing the security requirements for software. However, given the rapid proliferation of software, and its importance to everything from critical infrastructure, to healthcare facilities, to financial services, it may not be long before we see industry-wide standards for software providers.

In the absence of a set of standards for the security of software that is sold to businesses, there are generally accepted criteria that all software, whether developed for use in-house or by a third party, should comply with. One example is the OWASP Top 10. In addition, regulatory bodies such as the OCC and organizations such as NIST and the PCI Security Standards Council offer guidance and standards.

Page 11: Why an AppSec Program is Necessary for the Software You Sell

Industry groups like the FS-ISAC (financial services) have created standards they recommend their members follow when purchasing software.

When it comes to the security of the software they purchase, the OCC advises financial services companies to:

- Assess the third party’s information security program.
- Determine whether the third party has sufficient experience in identifying, assessing, and mitigating known and emerging threats and vulnerabilities.
- When technology is necessary to support service delivery, assess the third party’s infrastructure and application security programs, including the software development lifecycle and results of vulnerability and penetration tests.
- Evaluate the third party’s ability to implement effective and sustainable corrective actions to address deficiencies discovered during testing.

Other industry groups such as the NH-ISAC (National Health) and R-ISAC (retail ISAC) are expected to follow suit in the near future. Software producing organizations such as SAFECode are also creating similar guidance, looking to the examples set forth by buying organizations. So, although there are no standards governing the production of software, there are generally accepted guidelines for purchasing applications that software vendors should pay attention to.

In a way, knowing what industry groups are requiring in terms of security is a positive, as software providers can build their application security programs to comply with these requirements.

Page 12: Why an AppSec Program is Necessary for the Software You Sell

Two worst-case scenarios:

1. A company loses a potential customer to a competitor because the solution couldn’t pass a security audit.

2. A company gains a new customer, only to lose it later because it cannot demonstrate that its software complies with a newly accepted standard.

To avoid this potential pitfall, software vendors should view these standards as a harbinger of what is to come in terms of regulation, and strive to comply now — before they are forced to do so.

The ability to quickly document the security of specific software versions, as well as demonstrate the overall security posture of the software development lifecycle, creates an opportunity for software vendors to be more competitive before customers and compliance force all software companies to adhere to a set of standards.

Page 13: Why an AppSec Program is Necessary for the Software You Sell

Beyond Customers, Competition and Compliance

While the three Cs are driving factors in why software providers should create application security programs, another reason that is far more basic is reputation. If a large enterprise suffers a breach because of a vulnerability in the software it purchased, that vendor is sure to suffer reputational damage. In the fast-paced software world, reputation damage can mean the difference between gaining customers and winning business, and suffering financial losses.

Creating secure development processes at a software vendor is often seen as a daunting task. However, creating an advanced application security program doesn’t have to be, if the software vendor knows where to start.

For more information on how to start an application security program at your software company, read “How software vendors can meet growing need for AppSec without sacrificing delivery” or subscribe to the Veracode blog for tips and information on starting an application security program and working with groups within your organization to make your application security efforts a success.
