Why an AppSec Program is Necessary for the Software You Sell
Software for Sale: Application Security
Veracode eBook
Our world is rapidly becoming one that is powered by software.

Our cars are now more computer than mechanics, we walk around with miniature computers in our pockets, and we even control our thermostats through software. And just like individuals, businesses are powered by software as well. Software is now the source of innovation for business of all kinds.

Even GE, one of the world’s largest manufacturers, bills itself as a digital business, claiming that on its “current trajectory, it is on track to be a top 10 software company.”
Despite the growing dependence on software, and the access to critical information it often has, few companies properly secure this software.
50%: Approximately 50 percent of all cyberattacks are on the application layer.
<1%: Yet less than 1 percent of security spending is on application security.
(Source: Verizon Data Breach Investigations Report)
These are the three Cs of why businesses that produce software to sell must implement an AppSec program:
1. Customers
2. Competition
3. Compliance
The disregard for application security at companies producing software for their own internal use is somewhat understandable. These are not software companies and may not understand the nuances of application security. However, it is assumed that companies that produce software to sell to other businesses understand the importance of application security. Software is their business, and securing software is their responsibility — or at least their customers would assume.

However, this expectation of security can be a burden for a company producing software for use by other companies. In addition to customers asking for proof of security, regulations may require steps are taken to ensure the software is free from vulnerabilities or components with known vulnerabilities, and competitors may question the security posture of your software to gain an advantage.
Customers Are Asking

In an effort to keep up with the rapid innovation that requires the proliferation of software, companies are increasingly augmenting their own development efforts by purchasing more software.

According to an IDG study, more than two-thirds (66 percent) of the software used by an enterprise comes from third-party providers.
As reports about large companies being breached through third-party applications become more prevalent, your customers will start to ask questions about the security of the software they are buying.

Some large enterprises are even starting to work with application security vendors to ask their software vendors for security attestation, making security attestation a step in the procurement process. Once a security attestation becomes part of the procurement process, software providers that do not already possess proof of security will see the process slow to a halt. These software vendors will find themselves fielding one-off requests for proof of security, and complying with each request takes people, time and money, especially if each request requires a different form of proof or a different level of security.
How are your customers thinking about the security of the software they buy?
Case study: How a Global 2000 Financial Services Firm Reduces Third-Party Software Risk. Learn how a leading financial services firm implemented FS-ISAC’s three critical controls to secure their software supply chain.
Software vendors that have a process for assessing the security of their software will be better equipped to handle these requests.

Rather than having to demonstrate the security of individual applications, companies with an advanced application security program can demonstrate their security assessment process for all their products, and can provide documentation around the vulnerabilities that were found and remediated in specific applications during this process. In doing so, these companies avoid the halt in the procurement process, since their customers feel confident they are purchasing from a company that understands their security concerns.
Competitive Advantage

As more enterprises become aware of the fact that 90 percent of security incidents result from exploits against defects in software, and that three out of four applications produced by software vendors fail to meet OWASP Top 10 standards when initially assessed for security, software providers are going to start fielding more questions about the security of the software they sell.

The software providers that are prepared for these questions will have a distinct competitive advantage over those that have to scramble to provide security information. In fact, chances are, the software providers that do not have an application security program in place are more likely to have security issues pop up once they perform an attestation, as they are likely one of the 30 percent of companies that never scan for vulnerabilities during code development. Surprise findings like these require hot-fixes, which are more costly than finding and fixing a vulnerability during the development process rather than after release.
Rather than waiting for customers to ask about security, software companies that have taken the time to implement an advanced application security program that is part of the software development lifecycle can proactively market this fact to their potential customers. By using security as a selling point, these companies are pointing out the security deficiencies in their competitors’ software, and thus shortening the list of potential alternatives for their prospects.

In today’s competitive software landscape, where enterprises can turn to open source or attempt to develop their own applications, software providers need to demonstrate to customers that choosing to purchase software is both less costly and less risky than developing their own.

Having a strong process in place for assessing the security of software throughout the development lifecycle demonstrates just that.

Having an advanced application security program in place, rather than conducting one-off tests of individual versions of software, provides an opportunity to be proactive about this advantage.
Compliance is Coming

Currently, there is no single set of standards governing the security requirements for software. However, given the rapid proliferation of software, and its importance to everything from critical infrastructure, to healthcare facilities, to financial services, it may not be long before we see industry-wide standards for software providers.

In the absence of a set of standards for the security of software that is sold to businesses, there are generally accepted criteria that all software, whether developed for use in-house or by a third party, should comply with. One example is the OWASP Top 10. In addition, regulatory bodies such as the OCC and organizations such as NIST and the PCI Security Standards Council offer guidance and standards.
Industry groups like the FS-ISAC (financial services) have created standards they recommend their members follow when purchasing software.
When it comes to the security of the software they purchase, the OCC advises financial services companies to:
Assess the third party’s information security program. Determine whether the third party has sufficient experience in identifying, assessing, and mitigating known and emerging threats and vulnerabilities. When technology is necessary to support service delivery, assess the third party’s infrastructure and application security programs, including the software development lifecycle and results of vulnerability and penetration tests. Evaluate the third party’s ability to implement effective and sustainable corrective actions to address deficiencies discovered during testing.
Other industry groups such as the NH-ISAC (National Health) and R-ISAC (retail ISAC) are expected to follow suit in the near future. Software-producing organizations such as SAFECode are also creating similar guidance, looking to the examples set forth by buying organizations. So, although there are no standards governing the production of software, there are generally accepted guidelines for purchasing applications that software vendors should pay attention to.

In a way, knowing what industry groups are requiring in terms of security is a positive, as software providers can build their application security programs to comply with these requirements.

Two worst-case scenarios:
1. A company loses a potential customer to a competitor because the solution couldn’t pass a security audit.
2. A company gains a new customer, only to lose it later because it cannot demonstrate that its software complies with a newly accepted standard.
To avoid this potential pitfall, software vendors should view these standards as a harbinger of what is to come in terms of regulation, and strive to comply now — before they are forced to do so.

The ability to quickly document the security of specific software versions, as well as demonstrate the overall security posture of the software development lifecycle, creates an opportunity for software vendors to be more competitive before customers and compliance force all software companies to adhere to a set of standards.
Beyond Customers, Competition and Compliance
While the three Cs are driving factors in why software providers should create application security programs, another reason that is far more basic is reputation. If a large enterprise suffers a breach because of a vulnerability in the software it purchased, that vendor is sure to suffer reputational damage. In the fast-paced software world, reputation damage can mean the difference between gaining customers and suffering financial losses.
Creating secure development processes at a software vendor is often seen as a daunting task. However, creating an advanced application security program doesn’t have to be, if the software vendor knows where to start.
For more information on how to start an application security program at your software company, read “How software vendors can meet growing need for AppSec without sacrificing delivery” or subscribe to the Veracode blog for tips and information on starting an application security program and working with groups within your organization to make your application security efforts a success.