Software security testing company Veracode’s just-released Supplemental to its 2012 State of Software Security Report focuses on the software supply chain. It reveals that organizations are confronting externally developed application security risks more than ever – yet most enterprises place a reckless trust in their third-party software suppliers.
Veracode has been publishing its State of Software Security reports since 2010, and – of course, given the report’s focus – it is no surprise that a software security testing company concludes there is a need for multi-sector, systematic software security testing.
I asked security researcher and Veracode CTO Chris Wysopal what kind of reactions the report has had so far. This 2012 Supplemental marks the first time Veracode has re-examined its dataset from varying perspectives. This second supplemental focused on software security testing metrics and on how different program approaches affect software vendor compliance with application security policies.
He told me, “CIOs and CISOs love it. It gives them data that they can use to design a 3rd party risk program. It gives them evidence that these programs can work.”
However, he added, “A few have come to me and said XYZ huge software company is never going to participate.”