SOURCE: Veracode

January 13, 2010 19:38 ET

Veracode Statement on Cyber Attacks Against Google and Others

Urges All Software Suppliers and Software Buyers to Proactively Adopt Software Security Verification Policies

BURLINGTON, MA--(Marketwire - January 13, 2010) - The cyber attacks against Google and others currently being reported were a direct result of the exploitation of a zero-day vulnerability in a highly valued software application that was broadly adopted by both consumers and enterprises alike.

The attack is indicative of the changing risk posed by the integrity of software used to access or perform anything important -- be it financial transactions, critical infrastructure or healthcare. Threats that exploit end-user software vulnerabilities for which no patch is available, such as those surfacing today, cannot be prevented by perimeter security defenses or virus-checking technologies. Trusted applications and widely re-used application components are being infiltrated to launch these attacks from inside networks and PCs that are otherwise considered "secure." These insidious threats can come from anywhere and anyone, and they take advantage of a global supply chain and inconsistent patch and upgrade cycles across consumers as well as enterprises.

"The only way to stop zero-day attacks is to not run vulnerable software in the first place," said Matt Moynahan, Veracode CEO. "Organizations must begin implementing a security policy of not running software that lacks appropriate inspection for vulnerabilities by a third party. In a world of exploding devices, content and globally distributed content creators such as developers for mobile applications, it is no longer good enough to hope that their software suppliers have security built in. The time is now for independent verification and validation that appropriate due care has been taken."

Veracode believes that complacency is criminal in this matter and urges both an awakening and action. Organizations that supply and buy software must recognize that widespread use and re-use of software exists, that the origin of every component is often unknown or unknowable, and that its integrity cannot be presumed.

"Veracode is first and foremost a software security company," said Chris Wysopal, Chief Technology and Quality Officer at Veracode. "These successful attacks on some of the most sophisticated IT companies in the world demonstrate that the days when an organization could be secure by patching quickly and using signature-based detection on its desktops are over. Latent software risk needs to be quantified before software is deployed and the risk de facto accepted. A third-party software security assessment is the best way for organizations to protect themselves from unbounded and unknown software risk."
