April 19, 2011, 2:42 PM — Secure software services provider Veracode this week released its security analysis of 4,835 applications that were submitted to the firm for evaluation during an 18-month period.
The results could be considered startling to anyone who hopes that the software applications they run are reasonably secure. According to Veracode's State of Software Security Report, 58% of all applications first submitted to the security vendor had what Veracode deems to be "unacceptable security quality."
The findings don't get much better from there. The report found that 66% of applications developed by the software industry had unacceptable security quality, and a surprising 72% of security software met the same poor ranking. "Many executives think that when they spend $500,000 for an application from a major ISV that they're getting a product that is inherently secure," says Gunnar Peterson, software security architect and CTO at IT consultancy Arctec Group. "It's just absolutely not true, and I think this is news to a lot of executives," he says.
Given how complex it is to evaluate the quality of software development, some analysts felt that data showing raw vulnerability numbers doesn't shed much light on how well companies may be doing in their efforts. "It would be interesting to see this data correlated with the size and complexity of the applications being evaluated," says Pete Lindstrom, research director at Spire Security.
The report also found that the finance and software industries request the most formal verification, or vetting, of the software quality of third-party suppliers. Combined, these two verticals accounted for about 75% of all firms requesting the evaluation of the software quality of suppliers. "We're also seeing an increase in demand from the aerospace and defense industry," says Sam King, vice president of product marketing at Veracode. "They are starting to bring a similar level of diligence to software quality as they do with their physical supply chain," King says.