If there's something of a déjà vu-like quality to vendor and analyst reports summing up the state of Web application security these days, it's because they all inevitably arrive at the same conclusion: Web apps are becoming more insecure, not less.
Which web risks are new, and which are the same as four years ago? Julian Totzek-Hallhuber, Solution Architect at application security expert CA Veracode, explains where the problem lies.
CA Veracode's Joe Pelletier (@joepelletier) shares three best practices to secure your website for the coming retail boom.
The speed of open source deployment by enterprises everywhere puts software security into question.
Year after year businesses face challenges when it comes to security, and 2017 was no different. Instead of trying to lecture the industry about the importance of application security testing, organizations tried to find new ways to bring security front and center.
CA Veracode has made great strides transitioning from a chiefly direct sales model to a partner-led business within the space of 12 months.
A recent study by CA Veracode revealed that only 14% of high severity vulnerabilities are fixed in less than 30 days, which drives the conclusion that 86% take longer than 30 days.
Only 28 percent of business leaders have heard of the Equifax breach, just 31 percent are aware of the 2014 eBay data breach, and just 34 percent have heard of WannaCry ransomware, a recent CA Veracode survey of 1,403 business leaders in the U.S., the U.K. and Germany found.
According to a new survey from CA Veracode, breach awareness regarding recent major cyber incidents was low among executives, managers and directors, surprising some experts.
The application security headlines of the year 2017 seemed like more of the same grim news, but some AppSec trends are reasons to be hopeful.
CA Veracode has released new research revealing the widening gap between software creation and software security, with the rush to innovate outpacing the urgency to secure the process. The “Securing the Digital Economy” report highlights how investment in software and digital transformation is rapidly accelerating, with around one in five business leaders indicating that their software budget had increased 50 percent or more over the past three years to support digital transformation projects. However, the increased software development investment has not translated to greater security budgets or awareness of the security risks insecure software introduces: only 50 percent of business leaders surveyed understand the risk that vulnerable software poses to their business.
A shocking revelation of cybersecurity ignorance among UK business leaders has shown that as many as a quarter do not understand common cyberattacks. Ransomware and phishing are among basic attack variants that UK business leaders are in the dark about, proving that even major, global data breaches are not enough to capture the attention of all. Spending has been increasing across the board as organisations pursue digital transformation, but this has not prompted UK business leaders to learn more about the risks involved.
CA Veracode today released research revealing the large gap between software creation and software security, with the pace of innovation outpacing the urgency to secure the process. The security company's report 'Securing the Digital Economy' highlights how investment in software and digital transformation is moving fast, with around one in five business leaders indicating that their software budget supporting digital transformation projects has increased by more than 50% over the past three years.
Developers are getting better at creating more secure software, but about the same proportion of programs are vulnerable as a decade ago, according to CA Veracode's most recent security report. Meanwhile, the risks have only increased. The impact of a security breach has dramatically increased because applications are the custodians of more critical data and functions than ever before.
The developer guide uses new data from the CA Veracode platform to support the fact that vulnerable open source components pose an omnipresent risk. Developers still have a high need for training and support in this area.
Particularly worrying: 91 percent of all Java applications that contain Struts components are based on a version of the framework with at least one critical or even particularly critical vulnerability.
Further findings of the CA Veracode study are:
Developers underestimate errors in code: Once again, 70 percent of applications fail this year when they run a CA Veracode security scan for the first time.
Open-source software components as a source of risk: developers are increasingly turning to microservices to speed up their work. However, open source components in particular often contain risks and vulnerabilities, as the State of Software Security report shows. 88 percent of the Java applications reviewed last year had at least one point of attack based on one of their components.
Working hand in hand with security brings large security gains: In modern DevOps teams, developers usually carry out the security tests for their applications themselves in order to eliminate errors directly. If they actively seek the advice of their security colleagues regarding the vulnerabilities, they can improve their bugfix rate by as much as 87.6 percent.
Software is the lifeblood of most businesses today. So, what happens if that software is unreliable or insecure? It seems like a no-brainer that the software being pushed out should be protected. But, as software is being developed and deployed at a rapid pace, an important aspect of the life cycle gets lost in the race: Security.
Thanks to Pete Chestna, Director of Developer Engagement and Jessica Lavery, Senior Manager, Security Strategy at CA Veracode for taking the time to speak to me at CA World 17. Pete and Jess were excited that CA Veracode Greenlight was now available as a free trial to help developers accelerate velocity and quality. Developers can produce vulnerability-free code with instant feedback on security defects in their IDEs. This enables them to speed the SDLC without compromising security while fulfilling the promise of DevSecOps.
CA Veracode has just published its annual State of Software Security (SOSS) report which analyzes data from 400,000 application scans from April 1, 2016 to March 31, 2017. The applications were written in more than a dozen programming languages for large and small organizations across a wide range of industries. A key finding is that most developers don't try to game the system by rejecting findings as false positives, or as mitigated by design. Developers documented mitigations for just 14.4% of all the flaws found by the CA Veracode platform.
Akamai has published the latest report on the "State of the Internet". Some key statements: The number of DDoS attacks increased again in the third quarter of 2017, with eight percent growth compared to the second quarter. However, the number of attacks decreased slightly compared to the third quarter of 2016. (…) And the guest author, Chris Wysopal of CA Veracode, explicitly criticizes the ICT industry: "Although Application Security Testing promises a lot and is growing fast, it shows that applications are generally not more secure today than they were ten years ago". And further, Wysopal complains: "Most open source components remain unpatched once they have been built into the software."
Attacks by cybercriminals can be costly for businesses if they want to avoid losing their data. The most recent example is Uber, a global American driver services broker that has been the victim of a Ransomware attack: data from 57 million customers and drivers has been hacked, including names, addresses and driver's license numbers. Uber paid $100,000 to the hackers and concealed the incident, but is now exposed to the serious charge of covering up a criminal offence. This latest case shows once again the importance of advanced data protection to prevent cyberattacks. Julian Totzek-Hallhuber, Solution Architect at the application security specialist CA Veracode, gives five tips on how companies can easily and effectively protect themselves against Ransomware attacks.
Developers today frequently find themselves between a rock and a hard place. The business may not place security at the top of its priorities, but we all know how vital it is – and in today’s agile and DevOps working environments, developers cannot afford to finish applications and then leave the tidying up to the security team.
A new report from CA Veracode issued today argues that while developers do care about security, and are getting better at it, more work still needs to be done – including to ‘think like an attacker.’
The idea that developers don’t care about application security is a myth. A recently released report found that not only do developers take application security seriously, they take the time to find and fix vulnerabilities in their applications.
The government has just announced a new strategy for industry that aims to tackle weak productivity and bolster businesses to counter any new problems caused by Brexit. The strategy highlights the need for improving digital skills, especially in cybersecurity. Paul Farrington, Manager, EMEA Solution Architects at CA Veracode, commented.
More than 90 percent of applications using the same computer programming library that, left unpatched, led to the Equifax data breach also fail to keep the software up to date, reports the security firm CA Veracode.
Developers can play a vital role in accelerating the adoption of AppSec practices, security vendor says. Data from a new study suggests that there are several measures developers can take to accelerate the adoption of formalized application security practices at their organizations.