The architecture of software is changing fundamentally: microservices are on the rise. Veracode, now part of CA Technologies, identifies three key challenges that drive application security. Microservices have been on the rise in software development for several years, and developing many small services rather than a single monolithic application offers many advantages.
Digital transformation has revolutionised the role of applications and software within the business. Previously viewed as the IT team's domain, software is now something companies increasingly invest in to drive greater productivity and create new revenue streams. As the importance of software and applications, and the speed with which they are developed, increases, we have witnessed the transformation to DevOps. DevOps is changing the way companies build, test and deploy applications and is rising in popularity among many businesses, including major brands like Starbucks, LinkedIn, Apple and even NASA, that want to drastically speed up the product-to-market lifecycle.
The transitional period for the EU General Data Protection Regulation (GDPR; in German, EU-DSGVO) ends on 25 May 2018. From then on the data protection rules for companies and public authorities become much more stringent: many existing data protection measures must be reviewed, updated or extended. Time is running out, and many companies are lagging behind. The modern economy is nothing without data: no orders, no production, no sales, no customer service, no acquisition of new customers and no employee administration. Collecting and processing personal data is therefore a must. Because this data is so important, it is also coveted. In the past two years, every second company in Germany has fallen victim to data loss, data theft, economic crime or sabotage (53%, source: Bitkom). The resulting damage is estimated at €55 billion annually. Data misuse happens daily and can happen to anyone. It is, however, not only caused by cyber-attacks or industrial espionage, but often by negligent handling of data, for example when data management is absent or unprofessional.
Veracode announced support for security testing in applications built with Scala language, as well as the Python Boto3 framework within the Veracode Static Analysis solution.
Asking developers to stop using components would be like asking writers to stop using word processing and go back to typewriters. Components are a technological advance that enables productivity and innovation, and have simply become a standard tool of the trade. But with these benefits comes some risk. They can, and often do, contain vulnerabilities. And the nature of their use – the functionality in one component is used again in multiple other components – means they spread risk like wildfire. More from Veracode's Chris Wysopal (@WeldPond).
With Veracode Static Analysis, applications created in the Scala programming language and with the Boto3 software development kit for Python can now be analysed. AWS applications and microservices benefit in particular from this support: Boto3 is used to build cloud applications that access Amazon Web Services directly. Scala, for its part, has become increasingly popular, not least because of its interoperability with Java; thanks to Java archive (JAR) integration, existing Java libraries and frameworks can easily be used in Scala projects. According to Scott Crawford, Research Director at 451 Research, Scala is "well suited to the increasingly emerging microservices application architectures, thanks to its scalability." The Veracode Static Analysis enhancements let developers test these applications for security early in development. The solution draws on the experience Veracode has gained from analysing more than two trillion lines of code and on continuous improvement.
Veracode, which has been part of CA Technologies since March 2017, has expanded its software-as-a-service (SaaS) platform for static analysis. With Veracode Static Analysis, developers can now test applications they have written in Scala or with the Python framework Boto3 for vulnerabilities.
Veracode has announced an expansion to its security testing capabilities. This will enable developers to do security testing early in the development process to ensure that their applications are secure. Veracode Static Analysis now supports applications built in Scala and the Python Boto3 framework.
New support for Python Boto3 framework and Scala to ensure static application testing in software development for secure coding practices
The SaaS offering Veracode Static Analysis now provides vulnerability testing for applications written in the JVM language Scala or with the Boto 3 framework. Veracode, which has been part of CA Technologies since March 2017, has expanded its software-as-a-service platform for static analysis accordingly. Developers can now test applications they have written in Scala or with the Python framework Boto 3 for vulnerabilities via Veracode Static Analysis. Boto 3 is the Amazon Web Services (AWS) SDK for Python; it gives Python code access to AWS services such as S3 and EC2 through an object-oriented API. According to the announcement, Veracode is currently the only security vendor to offer static analysis for the framework. The Scala programming language is becoming increasingly popular thanks to its scalability. Apache Spark is built on this JVM language, which combines functional and object-oriented approaches.
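What a static check over Boto3 code actually looks for, as an added illustration for the announcements above (this is not Veracode's analyser and does not reproduce its rules; the rule names, the flagged patterns and the two sample snippets are assumptions constructed for the example): a small pass over the Python AST that flags public canned ACLs, AWS credentials passed as string literals, and clients created with TLS verification disabled, run against a constructed vulnerable snippet and its hardened counterpart.

```python
"""Tiny AST-based static check for a few insecure boto3 usage patterns.

Added illustration only: this is not Veracode's analyser and does not
reproduce its rules. It parses Python source with the standard `ast`
module, so it runs without boto3 installed or any AWS access.
"""
import ast

# Canned ACL values that grant access beyond the bucket owner.
PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}
# Keyword arguments that should never carry string literals.
CREDENTIAL_KWARGS = {"aws_access_key_id", "aws_secret_access_key", "aws_session_token"}


def _callee_name(call):
    """Dotted name of the callee, e.g. 'boto3.client' or 's3.put_object'."""
    parts, func = [], call.func
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


def _literal(node):
    """Return the value of a constant node, or None for anything dynamic."""
    return node.value if isinstance(node, ast.Constant) else None


def find_insecure_boto3_calls(source):
    """Return sorted (line, rule_id, detail) tuples for every suspicious call.

    Rules (assumed for this example, not an exhaustive policy):
      PUBLIC_ACL            - ACL= set to a public or authenticated-read canned ACL
      HARDCODED_CREDENTIAL  - AWS credential passed as a string literal
      TLS_DISABLED          - use_ssl=False or verify=False on a client
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _callee_name(node)
        for kw in node.keywords:  # kw.arg is None for **kwargs; those never match
            value = _literal(kw.value)
            if kw.arg == "ACL" and value in PUBLIC_ACLS:
                findings.append((node.lineno, "PUBLIC_ACL", f"{name}(ACL={value!r})"))
            elif kw.arg in CREDENTIAL_KWARGS and isinstance(value, str):
                findings.append((node.lineno, "HARDCODED_CREDENTIAL", f"{name}({kw.arg}=<literal>)"))
            elif kw.arg in ("use_ssl", "verify") and value is False:
                findings.append((node.lineno, "TLS_DISABLED", f"{name}({kw.arg}=False)"))
    return sorted(findings)


# Constructed sample inputs (not code from any real project; the key is a placeholder).
VULNERABLE_SNIPPET = '''\
import boto3

s3 = boto3.client(
    "s3",
    aws_access_key_id="AKIAEXAMPLEPLACEHOLD",
    aws_secret_access_key="not-a-real-secret-just-a-placeholder",
    verify=False,
)
s3.create_bucket(Bucket="demo-bucket", ACL="public-read-write")
s3.put_object(Bucket="demo-bucket", Key="report.csv", Body=b"...", ACL="public-read")
'''

HARDENED_SNIPPET = '''\
import boto3

# Credentials come from the environment or an instance role; TLS stays on.
s3 = boto3.client("s3")
s3.create_bucket(Bucket="demo-bucket")  # private by default
s3.put_object(Bucket="demo-bucket", Key="report.csv", Body=b"...",
              ServerSideEncryption="AES256")
'''

if __name__ == "__main__":
    for line, rule, detail in find_insecure_boto3_calls(VULNERABLE_SNIPPET):
        print(f"line {line}: {rule}: {detail}")
    print("hardened findings:", find_insecure_boto3_calls(HARDENED_SNIPPET))
```

The hardened snippet relies on the SDK's default credential chain and on the bucket defaults (a private ACL), which is why it yields no findings. A real analyser goes further than this keyword match: it follows data flow so that a credential read from a config file and passed through a variable, or an ACL built from a constant elsewhere in the module, is still caught.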
Developer-focused education crucial as pen-testers find the same application security problems, over and over again
Digital transformation has completely changed how businesses consume applications and software. Businesses are increasingly looking to technology to drive greater efficiencies and create new revenue streams, with Gartner predicting that the enterprise software spend will increase to $351 billion this year. More from CA Veracode's Colin Domoney (@colindomoney).
The latest targets of attackers are developers and insecure development processes, highlighting the need to instill security checkpoints in the development process.
It was reported that a malicious WordPress plugin has been discovered which had been used to hijack more than 200,000 websites. The plugin, called Display Widgets, was found to contain a backdoor that could allow attackers to access what is posted on the site and modify content on infected pages. Colin Domoney (@colindomoney), Consultant Solution Architect at Veracode, commented.
Some are concerned by the prospect of automation threatening the jobs of humans, but it could give skilled professionals the time to defend against cyberattacks more effectively.
In this episode of the O'Reilly Security Podcast, Courtney Allen talks with Chris Wysopal (@WeldPond), co-founder and CTO of Veracode. They discuss the increasing role of developers in building secure software, maintaining development speed while injecting security testing, and helping developers identify when they need to contact the security team for help.
According to CA Veracode's Colin Domoney (@colindomoney), open source software brings a new set of challenges, but if implemented correctly it can keep your organisation just as secure as proprietary software.
Cyber criminals and security researchers are constantly finding new ways to hack IoT devices. Julian Totzek-Hallhuber, Solutions Architect at Veracode, explains why "Security by Design" is so important for IoT devices.
Scientists in China have found that ultrasound frequencies that human ears cannot perceive could be used to issue commands to smart home assistants such as Alexa, Siri and Cortana. In a research paper, researchers at Zhejiang University said they had successfully tested the attack, dubbed DolphinAttack, on several products, including Alexa, Cortana, Google Now, Huawei HiVoice, Samsung S Voice, and Siri.
Security researchers have warned that voice assistants made by the likes of Amazon, Google and Apple could be ‘hacked’ by remote attackers broadcasting commands in ultrasonic frequencies. Researchers in China found that broadcasting the commands via a loudspeaker enabled them to activate the assistant from several metres, in what they called a “DolphinAttack."
A team of researchers from the Zhejiang University in China have demonstrated how several popular speech recognition systems can be controlled using ultrasound via an attack method they have dubbed “DolphinAttack.” The experts tested Apple’s Siri, Google Now, Samsung’s S Voice, Huawei’s HiVoice, Microsoft’s Cortana, Amazon’s Alexa and the speech recognition system in an Audi Q3 vehicle. They modulated various voice commands on ultrasonic carriers, at a frequency of 20,000 Hz or higher, in order to make them inaudible to humans.
Despite the many hacks and breaches consistently making headlines, businesses can't afford to slow down their development processes because they don't want to lose out to the competition. This places them in an awkward position: deciding between speed and an extra step for the sake of security. But the worry is misplaced; companies don’t need to trade speed for security or security for speed.
More from Veracode's Pete Chestna (@PeteChestna)
The Federal Office for the Protection of the Constitution warned months ago of hacker attacks on the German federal election. Could criminals distort the result with an attack?
When the polling stations close on September 24, things could get critical, because that is when the votes of the federal election are counted. From the level of the state returning officers upwards the process becomes digital, and it is here that the security authorities expect hacker attacks on the servers. Hans-Georg Maaßen, President of the Federal Office for the Protection of the Constitution, has been warning of hacker attacks on the Bundestag election for months. The Chancellery and the returning officers take these warnings very seriously. "Together with the staff of the Federal Office for Information Security, we have searched very intensively for weaknesses and are well prepared," says Klaus Pötzsch from the office of the Federal Returning Officer. The rapid notifications with the first count results on election night are therefore passed on by telephone. (…)
According to Veracode's Julian Totzek-Hallhuber, how an attack would be planned depends on whether the aim is merely to disrupt the election or to manipulate it. In the first case, the attacker would launch an overload (denial-of-service) attack on the switching computers of the telecommunications providers that supply the trunk lines for the administrative network: many millions of data packets are fired at the exchange until it collapses under the load. In that case the count would be delayed by many hours. (…)
"Anyone who wants to hack the federal election in September has already completed the preparations for the attack," says Totzek-Hallhuber.
Can the German federal election be hacked? Reports of security problems are currently making waves. In focus: a piece of software that tallies the results of individual polling stations. In fact, however, it is of secondary importance. And then there is good old paper.
The federal election is a decentralised matter; federalism requires it. Cities and municipalities largely decide independently how they handle, for example, the election results. The statutory provisions of the Federation provide only a framework. In addition, the Federal Returning Officer has issued some urgent recommendations that should be observed in the counting of the votes on election day and the subsequent transmission of the results. (…)
"As a hacker, I would attack exactly this data transfer," says IT security expert Julian Totzek-Hallhuber from the security specialist Veracode. "Because it runs over public lines and is therefore vulnerable in principle."
In today’s application economy, we’re seeing ever-greater demand on software development. Software and applications have risen to the front office, where missed deadlines result in lost revenues and poor functionality can lead to lost customers. Increasingly, businesses are embracing DevOps to feed their need for speed, binding together the previously separate development and operations teams.
More from Veracode's Maria Loughlin (@marialoughlin).