With digital transformation at the top of the agenda for most businesses, it is not surprising that the last few years have seen an explosion of applications. According to Computer World, 73% of organisations were developing their own apps in 2016, with the number rising every year as mobile and web applications are increasingly seen as an integral part of customer service.
However, as a growing number of organisations race to develop their own apps, either for internal use or for customers, or alternatively to purchase products built by third parties, security is sometimes an afterthought.
With large-scale breaches hitting the headlines on a regular basis, customers are becoming aware that the applications many trust with their personal details may not be watertight. In fact, a report from Veracode found that “four out of five applications written in popular web scripting languages contain at least one of the critical risks in an industry-standard security benchmark.”
Founded in 2006 in Burlington, Massachusetts, Veracode is an application security company helping organisations ensure that their mobile, web-based and third-party applications are secure.
Sam King, CEO of Veracode, and EMEA CTO Paul Farrington told Verdict why application security is so important.
“Every company is really a software company”
As a founding member of the Veracode team, King has seen a growing awareness in the importance of app security first-hand. She explains that 13 years after the company was founded, Veracode’s central mission remains the same:
“We are in the application security space. And so what that means is that we help our customers secure the software applications that they are either building on their own or buying from third parties, or, increasingly, open source code that they’re using in their applications.
“And our worldview on what we do really is that we think that every company is really a software company today, regardless of what industry vertical they’re in, and companies are using software in really interesting ways to change the world. And we see our place as helping them secure that.”
Security vulnerabilities in web applications are a gold mine to hackers, providing a way to access sensitive information stored within. However, despite the potentially devastating consequences of a security bug, Farrington explains that vulnerabilities are worryingly common:
“There’s a common standard called the OWASP Top Ten, which stands for the Open Web Application Security Project. So the Top Ten really is just a list of those types of vulnerabilities you don’t want to see in your web applications in particular. We’ve been tracking that over a number of years in our State of Software Security report. I think in version nine, which was published towards the back end of last year, it’s about 22.5% of applications that pass that Top Ten.
“So obviously most don’t, and unfortunately it’s been falling over recent years. So the status of software security seems to be degrading a little bit, but you have to put into context that the explosion of the amount of software that’s being produced in the world is just going exponential. If you look at, for example, the amount of open source projects which are being published, which are being created every single day.”
According to application security company Arxan, these vulnerabilities typically come in the form of a lack of binary protections, insecure data storage, data leakage or a lack of encryption, leading to a “mobile app vulnerability epidemic”. In other words, weaknesses introduced while an app is being written stay in the shipped product and become the problems exploited later on.
King explains that this can lead to a large-scale breach:
“When you look at the breaches that are occurring, and you look at generally what is the root cause behind these breaches, oftentimes, it is some vulnerability in some software applications, sometimes in an open source component that some of your developers are using to create an application.
“That is the root cause of whatever brought about the breach, it may not be the only thing that somebody exploited to cause the breach, but oftentimes, it is one of those critical elements in the kill chain of an event. So I think the industry and people that are trying to do security for companies are stepping back and saying, we spent all this money on securing our infrastructure and securing our networks and securing our endpoints.”
Education is key
Farrington believes that this is in part due to a lack of training on how to code securely. According to a survey by Cloud Passage, none of the top 10 computer science programmes in the US require students to complete modules in cybersecurity:
“Most computer scientists or developers that come out of higher education don’t actually get taught how to code securely, so they’ll leave higher education without actually being required to take a module on secure coding or cyber security.
“So it’s not really the fault of developers that they don’t necessarily know what good looks like when it comes to getting this right. So that’s an imperative I think, and a call to action for industry and ourselves as well as a vendor to help with that issue.”
Part of Veracode’s mission is to address this, offering training programmes for clients to teach their developers to code securely.
Encouragingly, King believes that the importance of application security, like cybersecurity in general, is receiving much-needed board-level attention, partly due to high-profile breaches:
“Over the course of the last two to three years, we’ve seen the importance of application security really rise in terms of the agenda that chief information security officers have. I think there was a survey that was done recently where I think 71% of European enterprise security decision makers said that software security is either a very high or high priority for them as they think about their agenda moving forward.
“It is absolutely now a board level discussion. The boards of public companies in particular, where they’re subject to a lot of external scrutiny, but just boards of companies in general, public or private, are asking management teams to talk to them about what is being done from a cyber security perspective.”
This has not always been the case. According to the UK Government’s Cyber Governance Health Check 2018, there is an “alarming” lack of awareness of cybersecurity at a board level in FTSE 350 members.
Fixing security vulnerabilities
But how does Veracode help ensure that moving forward, security is an integral part of the app development process?
King explains how Veracode works with clients to make this happen:
“We generally start the conversation with ‘What are the problems you’re trying to solve?’, ‘What are your business requirements?’, ‘What does your current state look like?’, ‘What are some of the negative consequences associated with your current state?’ and ‘What are the positive business outcomes that you’re trying to drive?’
“And then on the basis of that, they can come in and start using our platform on day one, where they can either upload their code to our platform, or just integrate us into their software development lifecycle.
“When a developer writes a piece of code and checks it in, it also comes to us and we perform a security test on it, find some vulnerabilities, and those vulnerabilities go right back into the bug tracking system, which developers are used to using every day anyway, and it gives them a lot of guidance on ‘here’s how you go fix these security vulnerabilities’.”
Farrington also explains that a large part of the company’s strategy moving forward is centred on automation and artificial intelligence:
“If you incorporate automation into the process, you’re not trying to encourage people all the time to press the Scan button, it just happens automatically.
“We find that for those teams which are scanning every day, the results in terms of getting rid of those security flaws, they will be 11 and a half times faster than those teams that, say, scan three times a year, something like that. So, just the ability to put in the automation is a catalyst for change, and that’s proven to be very successful.”
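The workflow King and Farrington describe (a scan that runs on every check-in, with each finding filed into the tracker developers already use, and no one needing to press a Scan button) can be sketched in a few dozen lines. The example below is added here for illustration and is not Veracode’s code or API; it reads a constructed SARIF 2.1.0 document (the interchange format many static-analysis tools emit), fingerprints each finding so that a re-scan does not file duplicate tickets, pushes new findings into an in-memory stand-in for a bug tracker, and returns a build-gate verdict. The tool name, file paths, rule IDs and the tracker class are all invented for the example.

```python
"""Scan findings -> bug-tracker tickets -> build gate (added example).

Not Veracode's code: a generic model of "scan on check-in, file findings
where developers already work, fail the build on policy". The SARIF input
and the tracker are constructed stand-ins.
"""
import hashlib
import json

# Constructed SARIF 2.1.0 output, shaped like what a SAST tool emits.
# The third result duplicates the first to exercise de-duplication.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},  # hypothetical tool
        "results": [
            {"ruleId": "CWE-89", "level": "error",
             "message": {"text": "SQL built by string concatenation"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "CWE-79", "level": "warning",
             "message": {"text": "Unescaped user input written to HTML"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/views.py"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "CWE-89", "level": "error",
             "message": {"text": "SQL built by string concatenation"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
        ],
    }],
})

# SARIF "level" -> the severity vocabulary a tracker policy would use.
SEVERITY = {"error": "high", "warning": "medium", "note": "low"}


def parse_sarif(text):
    """Flatten SARIF results into finding dicts with a stable fingerprint."""
    findings = []
    for run in json.loads(text)["runs"]:
        for r in run.get("results", []):
            loc = r["locations"][0]["physicalLocation"]
            f = {
                "rule": r["ruleId"],
                "severity": SEVERITY.get(r.get("level", "warning"), "medium"),
                "file": loc["artifactLocation"]["uri"],
                "line": loc["region"]["startLine"],
                "message": r["message"]["text"],
            }
            # Fingerprint on rule + location: the same flaw reported by the
            # next scan maps to the same ticket instead of a new one.
            key = f"{f['rule']}|{f['file']}|{f['line']}".encode()
            f["fingerprint"] = hashlib.sha256(key).hexdigest()[:16]
            findings.append(f)
    return findings


class InMemoryTracker:
    """Hypothetical bug tracker: tickets keyed by fingerprint."""

    def __init__(self):
        self.tickets = {}

    def file(self, finding):
        """Create a ticket for a new finding; return False if it already exists."""
        key = finding["fingerprint"]
        if key in self.tickets:
            return False
        self.tickets[key] = {
            "title": f"[{finding['severity']}] {finding['rule']} in "
                     f"{finding['file']}:{finding['line']}",
            "body": finding["message"],
            "labels": ["security", finding["rule"]],
        }
        return True


def process_scan(sarif_text, tracker, fail_on=("high",)):
    """File one ticket per new finding; return (new_tickets, gate_passed)."""
    new = 0
    blocking = False
    for f in parse_sarif(sarif_text):
        if tracker.file(f):
            new += 1
        if f["severity"] in fail_on:
            blocking = True
    return new, not blocking


def demo():
    """Two consecutive scans of the same code: tickets are filed once."""
    tracker = InMemoryTracker()
    first = process_scan(SAMPLE_SARIF, tracker)
    second = process_scan(SAMPLE_SARIF, tracker)
    return first, second, len(tracker.tickets)


if __name__ == "__main__":
    print(demo())  # ((2, False), (0, False), 2)
```

The gate returning False on the first and second run is the point of scanning on every check-in: the high-severity finding keeps blocking the build until the code changes and the fingerprint disappears from the scan, while the developer sees exactly one ticket for it rather than one per scan.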
Looking to the future
Moving forward, Farrington believes that the future of application security lies in a focus on DevOps:
“I definitely think the DevOps movement has really kind of come to the fore probably over the last four or five years. And now we’re seeing DevSecOps being a theme where security is no longer on the outside, looking in and saying, ‘why can’t we be part of the conversation?’ The security people are part of that development team, helping to inform how things get designed, and how the software gets created.”
Earlier this year, the company was acquired by private equity firm Thoma Bravo, which bought Veracode from previous owner Broadcom for $950m. King believes that this injection of funds has meant that the company is poised to continue expanding in this area:
“We’re excited about what lies ahead, because this gives us the opportunity to continue building our business as an independent brand. I really believe that this problem of application security, software security is so complex. And we are just getting started in this area….Because I think the real impact of these vulnerabilities in software applications, only in the last few years have people started to really prioritise it to the level that they needed to.
“The timing is right in terms of people caring more about this problem and us having the flexibility to be responsive to it in a way that you can only be when you’re an independent company.”