“Enterprises have hundreds of applications, sometimes well into the thousands,” said Chris Eng, vice president of research at Veracode, in an interview. “About two-thirds of those are externally developed apps – often outsourced, open source, mobile or cloud-based. [Organizations] understand that there are risks, but they don’t know how to manage them.”
He said that only one in five enterprises has tested or done any diligence on even one application. “Four out of five are doing nothing,” Eng said. “And the ones that have, don’t actually have programs around it to manage the security of the supply chain.”
That’s where VAST comes in. Veracode gathers policy criteria from an enterprise, and then goes to its software vendors with those acceptance criteria and compliance rules. It then signs vendors onto the program, and each submits its binary code (not source code) to be tested. A detailed report goes to both the vendor and the enterprise, and any issues found are mediated and fixed. Veracode also provides vendors with data on improvement trends over time and other collateral the vendor can use with other clients.
The movement of businesses to cloud services is increasing the need for such independent testing programs. “Enterprises are starting to think about the risks introduced by mobile apps, data leaks and so on,” said Eng. “SaaS apps are increasingly putting more and more sensitive data in places that they don’t control. So there’s increased scrutiny on the data housed in cloud services, and enterprises want to be able to ask, ‘show me what you’ve done to protect that data.’”
“Application security testing of third party providers should be a critical element of any information security initiative,” said Joseph Feiman, research vice president at Gartner. “Enterprises need to start putting pressure on their providers to request independent security verification of vendor-supplied software to fully guarantee software supply chain integrity.”