Omniquad breach was not unexpected, says Veracode

Third-party applications are not to be trusted, according to security experts.


Third-party code should not be taken on trust and installed without a security test, claimed Veracode at the RSA Security Conference in London this week.

Veracode, an application risk management cloud service company, has issued a report on the findings of its software testing over the past 18 months. It showed that applications from all types of third-party suppliers were less secure than internally developed applications.

"Third-party suppliers failed to achieve acceptable levels of security 81 per cent of the time," the report stated.

As if to illustrate Veracode's point, earlier this week UK company Omniquad, a cloud-based email and web access filtering service, fell victim to a flaw in third-party software it was using to manage helpdesk calls.

Exploitation of the flaw resulted in customer log-in details being published online. Omniquad said that as soon as the problem was discovered the information was removed and the system taken offline.

Daniel Sobstel, managing director of Omniquad, denied negligence on his company's part. He said that action was swift and all affected customers had been notified. The software had been in use for "a few years" without any previous incidents, he added.

Privacy International has reported the incident to the Information Commissioner for investigation.

"Breaches such as this demonstrate all too well the dire consequences that follow from failing to assess the risks that come from third-party software," commented Chris Eng, senior director for security research at Veracode.

Both SAFECode (safecode.org), the software assurance industry forum, and Secunia, the vulnerability research firm, have also recently pointed out the elevated risks associated with third-party software in the supply chain.

In Veracode's State of Software Security report, 2,922 applications were tested and more than half (57 per cent), both third-party and in-house, failed to meet an acceptable level of security. In the case of web applications, 80 per cent failed to comply with the Open Web Application Security Project (OWASP) standards.

OWASP is a software security reference for US government departments and for the PCI standards body. Its Top Ten list names ten categories of web application security risk that should be tested for before software is brought online.
