SOURCE: Veracode

March 01, 2010 09:00 ET

58 Percent of Software Vulnerable to Security Breaches Similar to Google, Department of Defense Cyber Attacks

In the Largest, Most Comprehensive Analysis of the State of Software Security, Veracode Dispels Myths About Open Source; Finds Third-Party Code Is Pervasive

SAN FRANCISCO, CA--(Marketwire - March 1, 2010) - RSA Conference 2010 - booth #729 -- In the largest and most comprehensive code-level security analysis to date, Veracode, the leader in cloud-based application risk management, today released a new report detailing vulnerabilities found in software that large organizations rely on for business critical processes. The Veracode "State of Software Security" report finds that more than half of the nearly 1,600 Internally Developed, Open Source, Outsourced, and Commercial applications analyzed contained, when first submitted to Veracode, vulnerabilities similar to those exploited in the recent cyber attacks on Google, the U.S. Department of Defense, and others.

Veracode's State of Software Security is the first report of its kind to provide security intelligence derived from multiple testing methodologies (static, dynamic and manual) on the full spectrum of application types (components, shared libraries, web and non-web applications) and programming languages (including Java, C/C++ and .NET) from every part of the software supply chain on which organizations depend. It represents intelligence gleaned from analyzing billions of lines of code submitted to Veracode for independent verification of software security from more than 15 industries. To access the full report, visit

"This is invaluable information for CISOs," said Donna Durkin, CISO of Computershare. "Understanding vulnerabilities across internal and third-party players by language and application type will help us make informed decisions about mitigating risks in our global application portfolio."

Highlights of the first State of Software Security report include the following key findings:

  • 58 Percent of Software Susceptible to Large-scale Attacks: Extrapolating from the application sample set, more than half of the software deployed in enterprises today is potentially susceptible to an application layer attack similar to that used in last year's Heartland Payment Systems breach, or this year's Google and U.S. Department of Defense security breaches. Depending on the standard applied (based on application criticality), between 58 percent and 88 percent of all applications submitted for verification did not achieve an acceptable security score upon first submission to Veracode for testing.
  • Open Source Myth Dispelled: Open Source software has comparable security, faster remediation times, and fewer potential Backdoors than Commercial or Outsourced software. Therefore, the myth that Open Source is inherently riskier than Commercial for enterprise use is dispelled.
  • Third-Parties are the Achilles Heel in the Software Supply Chain: 40 percent of all applications submitted at the request of large Enterprises were from third-parties, and more than 30 percent of all Internally Developed applications also included identifiable Commercial, Open Source, and Outsourced code. Yet software-related industries recorded the lowest security scores on first submission to Veracode. In addition, the prevalence of C/C++ among both Commercial and Open Source suppliers exposes system-compromising vulnerabilities to attackers.
  • Finance, Government Sectors Score Better: More than half of applications in the Financial-related industries and Government sectors were deemed acceptable at first submission. This placed them at the top of the more than 15 industries represented in the data set.

"Gartner advises its clients to conduct their own inspection of all application code they procure from third-parties. However, if they lack their own resources or expertise, we recommend that they outsource third-party code testing to trusted service providers," said Joseph Feiman, Vice President and Gartner Fellow, Gartner, Inc.

"Because of the depth and breadth of the data in our platform, we have expansive knowledge about risk from all types of applications and across the software supply chain," said Matt Moynahan, CEO of Veracode. "The report not only analyzes the state of security more comprehensively than any others in this market, but it offers specific recommendations for each type of potential threat. It's essential reading for security professionals and executives accountable for the software supply chain and its impact on the business."

Report Methodology
The report is the first in a semi-annual series. It analyzes data provided by Veracode's customers (application portfolio information such as assurance level, industry, application origin) and information that was calculated or derived in the course of Veracode's analysis (application size, application compiler and platform, types of flaws, origin of components, Veracode rating). It draws on the continuously updated information resident in Veracode's cloud-based application risk management services platform. The data is growing at an accelerated pace as more providers independently verify the state of their software using one or more of Veracode's patented binary static analysis, enhanced dynamic assessments, and manual penetration testing.

For more information, visit

About Veracode
Veracode provides the world's leading Application Risk Management Services Platform. Veracode SecurityReview's patented and proven cloud-based capabilities allow customers to govern and mitigate software security risk across a single application or an enterprise portfolio with unmatched simplicity. Customers include the world's largest and most security aware organizations in every industry. Recognized as a Gartner "Cool Vendor," The Wall Street Journal's "Technology Innovation Award," The Banker's "Information Security Project of the Year" with Barclays, SC Magazine's "Best Vulnerability Assessment Solution," Information Security "Readers' Choice Award," and AlwaysOn Northeast's "Top 100 Private Company," Veracode is Software Security Simplified™. For more information, visit

Contact Information