Grab bag: Humility, utopia, and self control

The Forrester application survey: 62% hacked through apps

Last week I indulged in a little live tweeting of a webinar my firm, Veracode, did with Chanxi Wang of Forrester, following up on our recent announcement of an independent survey in which 62% of the respondents reported being breached through at least one application vulnerability in 2008.

I’ve reposted the substance of my tweets below, followed by my $0.02 on the survey:

  • (1) #Veracode & Forrester app risk mgmt survey: in 2008 62% of respondents were breached thru app vulns but don’t know their app risk.
  • (2) As Kaspersky breach shows, 3rd party code is a big blind spot for most orgs.
  • (3) open source, outsourced and off the shelf code used frequently but 59% don’t do anything to secure OSS.
  • (4) only 32% require security at all stages of sdlc.
  • (5) top training method in 37% of respondents is to learn on the job from experienced devs… who can’t be hired.
  • (6) False sense of security pervasive. 94% think they know security of app portfolio but 40% don’t know COTS risk.
  • (7) ease of use plus secure plus time saving is driving factor for third party assessments.
  • (8) if you outsource code, consider outsourcing security assessments too.

Bottom line: the survey results suggest that application vulnerabilities lead to real risk for a lot of companies, but most companies don’t have secure practices that cover their development or training adequately, to say nothing of the risk from third party code.