SHELLSHOCK

The danger of Shellshock to application security.

Shellshock (CVE-2014-6271 and its follow-on CVEs) is a vulnerability in Bash, the command shell found on most UNIX and Linux systems. A vulnerable Bash treats any environment variable whose value begins with a function definition as code, and keeps executing whatever follows the closing brace, so any program that copies attacker-controlled input into the environment and then starts Bash can be made to run arbitrary commands. Shellshock carries a CVSS base score of 10.0 in the NVD, the highest possible, because it is trivial to exploit remotely and yields command execution on the host. Attackers use Shellshock to expose sensitive files, access databases and install malware that can turn a system into a component of a DDoS botnet. The applications most exposed are public-facing web applications, especially legacy CGI scripts: the web server passes request headers to a CGI script as environment variables, and such scripts frequently invoke Bash.
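The following is an added example, not code from CA Veracode or from any scanner it ships; it shows the mechanism the paragraph above describes. The header names, the sample request and the payloads are constructed for illustration. `cgi_environment` reproduces the RFC 3875 mapping from HTTP headers to `HTTP_*` environment variables, and `shellshock_hits` reports which of those variables would trigger command execution in an unpatched Bash, which is also a usable detection rule for request logs or a WAF.

```python
import re

# Constructed sample request: an ordinary header set plus two headers that
# carry Shellshock payloads (illustrative, not captured traffic).
SAMPLE_HEADERS = {
    "Host": "www.example.com",
    "User-Agent": "() { :;}; /bin/bash -c 'cat /etc/passwd'",
    "Referer": "() { ignored; }; echo vulnerable",
    "Accept": "*/*",
}


def cgi_environment(headers):
    """Map HTTP request headers to CGI meta-variables the way a web server
    does (RFC 3875): HTTP_ prefix, upper case, '-' becomes '_'. A CGI script
    that starts Bash, directly or via system()/popen(), inherits all of them."""
    return {"HTTP_" + name.upper().replace("-", "_"): value
            for name, value in headers.items()}


# An unpatched Bash treats any imported variable whose value starts with
# "() {" as a function definition and keeps parsing past the closing brace,
# executing whatever follows. Patched versions only import functions from
# specially named variables and never execute trailing text.
FUNCTION_PREFIX = re.compile(r"^\s*\(\)\s*\{")
TRAILING_COMMAND = re.compile(r"^\s*\(\)\s*\{[^}]*\}\s*;?\s*(.*)$", re.DOTALL)


def shellshock_hits(env):
    """Return (variable, trailing_command) for every environment variable that
    carries the Shellshock trigger. trailing_command is '' when the value is a
    bare function definition with nothing after the brace."""
    hits = []
    for name, value in env.items():
        if not FUNCTION_PREFIX.match(value):
            continue
        m = TRAILING_COMMAND.match(value)
        hits.append((name, m.group(1).strip() if m else ""))
    return hits


def inspect_request(headers):
    """End to end: build the environment a CGI script would see for this
    request and list the variables that would execute in an unpatched Bash."""
    return shellshock_hits(cgi_environment(headers))


if __name__ == "__main__":
    for variable, command in inspect_request(SAMPLE_HEADERS):
        print(f"{variable} would execute: {command}")
```

The well-known local check for a vulnerable shell is `env x='() { :;}; echo vulnerable' bash -c 'echo test'`: an unpatched Bash prints `vulnerable` before `test`, a patched one prints only `test`. The request-side rule above flags the same trigger before it reaches the host, which is the only place a web application scanner can see it.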

While Shellshock is easy to remediate on an individual host (patch Bash, and stop passing untrusted input to shells), most enterprises have thousands of public-facing web applications, including many legacy applications they may not even be aware of. Using traditional testing tools on thousands of applications at once can be highly expensive and time-consuming, but CA Veracode provides an innovative solution that can help.

Testing for Shellshock with CA Veracode.

CA Veracode is a leading provider of automated software testing tools that help protect the software the world depends on.

CA Veracode’s comprehensive suite of SaaS-based application security solutions includes software development tools for testing applications from inception through production, including unit testing tools, static analysis tools, blackbox testing techniques, software composition analysis and more. By employing CA Veracode’s dev ops tools throughout the SDLC, development teams can find and fix vulnerabilities in software at the point when it is easiest and most cost efficient to do so.

How CA Veracode helps to protect against Shellshock.

CA Veracode Web Application Scanning (WAS) provides a highly effective solution for combating Shellshock. Built on a massively parallel, auto-scaling cloud infrastructure, WAS performs scans on thousands of websites and applications in parallel to identify flaws and provide guidance for remediation.

To find Shellshock vulnerabilities, WAS discovers all the public-facing web applications of an organization, even those that IT has lost track of and applications outside the normal corporate IP range. These may include sites acquired through M&A or temporary sites hosted with cloud service providers. Once these applications and websites have been inventoried, CA Veracode WAS automatically crawls all pages on a site and probes the surface of web applications to find flaws like the Shellshock vulnerability. This approach to vulnerability scanning is far more thorough and exhaustive than traditional methods, which only send a fixed payload to a few well-known paths such as /cgi-bin/.

 

Learn more about Shellshock and CA Veracode solutions for PCI security.

PCI SECURITY

CA Veracode testing tools enable PCI security compliance.

For software development organizations, complying with Payment Card Industry Data Security Standard 3.0 (PCI 3.0) requires an investment in application testing for PCI security.

PCI 3 (Requirement 6) directs organizations to develop applications according to secure coding guidelines and requires that custom application code be reviewed or scanned for potential vulnerabilities before release. To meet these PCI security dictates, organizations need a consistent approach to application security and powerful software development tools for application testing.

Because PCI security requirements apply both to software in development and software in production, enterprises may need solutions to test thousands or tens of thousands of public-facing web applications that are already running. They’ll also need Dev Ops tools that can integrate testing throughout the development process, from inception through preproduction. And tools to quickly scan and evaluate third-party code are a must.

CA Veracode enables organizations to easily comply with PCI security requirements by providing a comprehensive suite of solutions that make testing easier, faster and less costly.

PCI security solutions from CA Veracode.

CA Veracode solutions help to seamlessly integrate security and testing into development processes to ensure that secure code is synonymous with quality code. By combining automation, process and speed, CA Veracode technology enables organizations to eliminate software flaws at the most cost-efficient point in the development/deployment chain.

To promote PCI security, CA Veracode enables developers to automatically test applications and receive results, often within four hours. Rather than relying on on-premise hardware and software, developers can use CA Veracode’s cloud-based services to test applications without needing to open a new environment. CA Veracode’s suite of solutions provides a comprehensive approach to testing, with tools for static analysis, black box testing techniques, software composition analysis, vendor application security testing and more.

How CA Veracode simplifies PCI security.

To comply with PCI security mandates, IT administrators can use CA Veracode’s predefined policies to authorize automated scans for a variety of applications. Once configured, the CA Veracode platform can:

  • Automatically test software in development, pre-production and production.
  • Provide analysis of the results, prioritized by severity, along with detailed remediation instructions that enable developers to re-create and fix flaws faster.
  • Retest software as needed to demonstrate successful remediation and to document progress against planned timelines.
  • Provide detail of compliance with PCI security guidelines, including proof that applications have been tested and that remediation has been accomplished.

 

Learn more about PCI security and CA Veracode, and about CA Veracode solutions for mitigating Shellshock vulnerabilities.

PCI 3

Improve PCI 3 compliance with help from CA Veracode.

For software organizations, complying with Payment Card Industry Data Security Standard 3.0 (PCI 3) can be a significant burden.

PCI 3 mandates that organizations meet strict guidelines for security when developing applications, and that custom code, including code written by third parties, can be scanned for vulnerabilities. Compliance with PCI 3.0 requires organizations to have a robust testing program in place, with tools for evaluating third-party software.

But managing PCI security can be costly and time-consuming, adding unacceptable delays to timelines for developing new applications. And organizations that have thousands of web applications – some of which they may not even know about – face serious hurdles to ensuring that every piece of software has been adequately scanned for vulnerabilities.

As a leading provider of application security testing solutions, CA Veracode can help with PCI 3 compliance by providing dev ops tools that integrate testing throughout the SDLC and provide an easy way to evaluate third-party code.

PCI 3 security solutions from CA Veracode.

CA Veracode application security solutions help organizations protect business-critical software. Built on a unified platform, CA Veracode’s comprehensive testing tools include static analysis, unit testing, software composition analysis, black box testing techniques, vendor application security testing and other technologies for scanning code as it is built, purchased and assembled to rid it of flaws and vulnerabilities.

With CA Veracode’s automated testing solutions, software development teams can ensure PCI 3 compliance by testing for flaws at multiple points in the software development lifecycle. From scanning code as it is being written to analyzing binaries of applications already in production, CA Veracode delivers the solutions that make application security easier, faster and less costly.

How CA Veracode makes it easier to comply with PCI 3 requirements.

To ensure compliance with PCI 3 guidelines, IT administrators can assign predefined policy for CA Veracode solutions to each application and authorize automated scans. Once this is done, the CA Veracode platform will:

  • Perform automatic tests of designated applications in development and in production.
  • Analyze the results, provide detailed findings and categorize issues based on severity.
  • Deliver remediation recommendations that enable developers to fix vulnerabilities more quickly.
  • Retest software and provide data on the effectiveness of remediation as well as progress against target timelines.
  • Provide proof of compliance with PCI 3, including documentation that applications have been tested and that remediation has been accomplished.

 

Learn more about PCI 3 and CA Veracode, and about CA Veracode’s solutions for mitigating Shellshock vulnerabilities.

PCI 3.0

Automated testing solutions help ensure PCI 3.0 compliance.

The Payment Card Industry Data Security Standard 3.0 (PCI 3.0) establishes data and network security standards intended to protect the financial data and personal information of millions of credit card users. For software development organizations, compliance with PCI 3.0 is critical to avoid penalties and fines, not to mention the irreparable damage to business and reputation that a critical software flaw can cause.

For development teams, the most important requirements of PCI 3 have to do with adhering to secure guidelines when developing applications and ensuring that custom code is scanned for potential flaws. Complying with PCI 3.0 requires well-designed security testing protocols that can consistently look for vulnerabilities in software throughout development and in production. Development teams also need ways to successfully scan third-party and open source components for security flaws.

For organizations that have thousands or tens of thousands of applications in production, ensuring PCI 3.0 compliance can be remarkably expensive, and the time required to test software at a variety of stages can jeopardize the ability to meet build deadlines.

That’s where CA Veracode can help. With a suite of automated testing solutions and dev ops tools, CA Veracode enables organizations to comply more easily with PCI 3.0 by embedding testing throughout the SDLC, from inception through production, and by providing organizations with an easy way of evaluating third-party software.

Solutions for PCI 3.0 security from CA Veracode

CA Veracode’s application security testing solutions and services help enterprises protect the software they rely on to innovate and compete. CA Veracode’s comprehensive technologies provide multiple approaches to PCI security testing, including static analysis, blackbox testing techniques, penetration testing, unit testing, software composition analysis and vendor application security testing. When using CA Veracode’s automated testing tools, software development teams can more easily find and fix flaws at the easiest and most cost-efficient point in the development chain.

How CA Veracode supports PCI 3.0 requirements.

With CA Veracode, development teams can improve compliance with PCI 3.0 by automatically and consistently testing for vulnerabilities. Administrators can assign a predefined policy for PCI compliance to each application, authorizing automated application scans at critical junctures during the SDLC. CA Veracode’s technology will:

  • Automatically test applications and provide analysis of the results.
  • Prioritize issues by severity and deliver recommendations and instructions that accelerate remediation.
  • Retest software as needed to demonstrate successful fixes.
  • Demonstrate compliance with PCI 3.0 by providing documentation that applications have been tested and fixed.

 

Learn more about PCI 3.0 and CA Veracode, and about solutions for mitigating the Shellshock vulnerability.

MICROSERVICES

The challenge of making microservices secure.

Microservices represent a decentralized approach to software development, where larger applications are broken down into smaller components, or microservices, and developed separately and concurrently. Working with microservices can help to increase the speed of development, provide more resilient applications and promote more efficient scaling.

Testing code is one of the challenges of working with microservices. Because each service is a small unit developed on its own, tests that exercise small pieces of code as they are written suit microservices well, but the time required is prohibitive for many software development teams: writing unit tests can often take as long as writing the software itself, and unit tests verify intended behaviour rather than hunt for security flaws. To take advantage of the many benefits of microservices, development teams need technology that can scan microservices quickly, easily and cost efficiently.

That’s where CA Veracode can help. With automated software testing tools that let developers test code as it is being written, CA Veracode simplifies testing of microservices and enables development teams to deliver more secure code more easily.

Microservices testing technology from CA Veracode.

CA Veracode provides application security solutions for a software-driven world. Built on a unified platform, CA Veracode’s application testing technology provides a comprehensive suite of solutions for securing applications from inception through production. CA Veracode solutions allow developers to find flaws at any point in the development process, and to fix them more easily and cost-efficiently. CA Veracode Dev Ops tools for testing include static analysis, black box testing techniques, software composition analysis, vendor application security testing and more.

CA Veracode Greenlight is a testing tool that finds security defects in microservices as code is being written and provides immediate contextual remediation advice to fix issues within seconds. Greenlight runs right in the developer’s IDE, scanning code in the background to provide immediate, actionable and accurate results with very few false positives. With Greenlight, developers can test code easily and quickly within their normal development workflow. They receive immediate feedback as soon as a flaw is introduced, and positive feedback when they have performed actions to improve security in the application.

Benefits of CA Veracode’s microservices testing solutions.

With CA Veracode, development teams can secure microservices more easily by:

  • Testing code as it is being written and remediating flaws immediately.
  • Scaling the testing protocol with a SaaS-based solution.
  • Relying on CA Veracode’s static analysis engine which has scanned more than 2 trillion lines of code to date.

Learn more about testing microservices with help from CA Veracode, and about CA Veracode solutions for PCI 3 compliance.

Get Answers and Connect in the CA Veracode Community



Join the Community

DEV OPS TOOLS

Improve application security with powerful Dev Ops tools.

As Secure Dev Ops continues to transform software development, organizations and development teams require innovative new Dev Ops tools that can simplify application security testing.

In Secure Dev Ops, application security is no longer the concern of a small group of security experts – everyone from developers through operations must make the security of applications a top priority. To improve security without hindering agility and speed, development teams need powerful Dev Ops tools that can find and fix software vulnerabilities quickly and easily. Automation is critical – manual processes are too resource-intensive and time-consuming. And Dev Ops tools that can inject testing into every phase of the SDLC are essential. When developers have the software development tools they need to test software as it is being written, purchased, compiled and prepared for shipment, Secure Dev Ops can truly be effective.

For organizations looking for Dev Ops tools that can do all this and more, CA Veracode provides a comprehensive suite of cloud-based services for application security testing.

Dev Ops tools from CA Veracode.

CA Veracode application testing solutions help to secure the software that businesses and the world depend upon. Built on a unified platform, CA Veracode’s scalable, cloud-based solutions provide tools for testing applications from inception through production, reducing the risk of application-layer vulnerabilities in web, mobile and third-party applications.

CA Veracode’s Dev Ops tools combine process, speed and automation to improve the quality of application security testing while reducing cost and complexity. With CA Veracode, organizations can significantly improve security in the software they write, purchase and assemble.

CA Veracode’s integrated suite of Dev Ops tools for security testing.

CA Veracode’s Dev Ops tools for testing include:

  • CA Veracode Greenlight, a tool that provides developers with immediate feedback on potential flaws as code is being written. Because it scans small units of code inside the IDE, Greenlight suits the separately developed components of a microservices architecture.
  • Software Composition Analysis, a solution for identifying vulnerabilities in commercial and open source code.
  • Static Analysis, a tool that analyzes binaries to identify flaws and prioritize remediation in applications that are written, bought or downloaded.
  • Web Application Scanning, a testing solution that inventories public-facing websites and applications and uses a combination of Dev Ops tools, including blackbox testing techniques, to identify flaws in software in production.
  • Vendor Application Security Testing, a tool for testing third-party software without requiring access to source code.

Learn more about CA Veracode Dev Ops tools and CA Veracode solutions for PCI 3.0 compliance and for mitigating Shellshock vulnerabilities.


BLACK BOX TESTING TECHNIQUES

Black Box testing techniques are critical to application security.

Black box testing techniques are an essential part of any application security testing program. In contrast to white box testing where source code is available for testing and review, black box testing techniques are employed without access to code and with no information about the application structure. Blackbox testing techniques look for vulnerabilities and flaws from the outside of the application, imitating methods and tools that attackers might use to penetrate security.

Black box testing techniques can be highly effective at finding certain kinds of flaws, from server configuration mistakes to input/output validation problems and other issues specific to the application under test.

Routinely using black box testing techniques for application security testing presents challenges for many development teams. Managing black box testing requires a great deal of time and resources, which can be a hindrance for adhering to aggressive development timelines.

For organizations that want to deploy black box testing techniques as part of the application development process, CA Veracode provides cloud-based software development tools that can significantly simplify the use of these testing tools.

Solutions for black box testing techniques from CA Veracode.

CA Veracode delivers vital application security solutions for a world that is driven by software. Offering a powerful combination of process, speed and automation, CA Veracode helps to seamlessly integrate application security into the software development lifecycle, fixing flaws and eliminating vulnerabilities at the most cost-efficient points in the development/deployment chain. CA Veracode’s solutions cover all phases of the SDLC, including IDE-integrated scanning for microservices.

CA Veracode Web Application Scanning (WAS) is a unified solution for application security testing that combines black box testing techniques with static analysis and other testing tools to find and fix vulnerabilities quickly. CA Veracode WAS tests applications to find security flaws that may be overlooked by other testing tools. Because a black box scan sees the application the way an attacker does, it can turn up information that should never have been reachable, such as SQL strings, ODBC connection strings or hidden usernames and passwords left in exposed files, and it can detect injection flaws such as Shellshock by sending crafted input to the running application and observing how it responds.

CA Veracode WAS also inventories all external web applications and performs a lightweight scan on thousands of sites in parallel to identify vulnerabilities and prioritize remediation.

Advantages of black box testing techniques from CA Veracode.

With CA Veracode’s black box testing techniques, you can:

  • Scan applications in any language including Java/JSP and PHP – CA Veracode’s solution is not language-dependent.
  • Emulate the methods of malicious attackers to probe the application surface and identify the results that are not part of the expected result set.
  • Prioritize critical flaws and use detailed remediation information to resolve issues quickly.
  • Incorporate proactive recommendations for longer-term strategies to improve application security across the software portfolio.

 

Learn more about CA Veracode’s black box testing techniques and about testing tools for PCI 3.0 compliance.

BLACKBOX TESTING TECHNIQUES

The Pros and Cons of blackbox testing techniques.

Blackbox testing techniques – also known as dynamic analysis – are a crucial component of a comprehensive application security testing protocol. Blackbox testing techniques probe a running application, in production or in a test environment, with no view of source code and no information about the internal structure of the software. Consequently, black box testing techniques operate similarly to the way an attacker would search an application for vulnerabilities, for example, by submitting malicious input to web forms or shopping carts.

Blackbox testing techniques can be very effective at finding certain kinds of flaws such as input/output validation errors, server configuration mistakes and other application problems. But blackbox testing is also highly resource-intensive to deploy and manage, creating issues for development teams trying to meet aggressive deadlines. And to be successful, blackbox testing techniques must be combined with other testing tools to identify and remediate more vulnerabilities successfully.

That’s where CA Veracode can help.

Technology for blackbox testing techniques from CA Veracode.

CA Veracode automated software testing solutions help to secure the software that businesses depend on. Seamlessly integrating application security into development, CA Veracode enables more effective and cost-efficient testing without requiring additional staff, resources or equipment. CA Veracode solutions include everything from IDE-integrated scanning for microservices to tools for vendor application security and runtime protection.

CA Veracode provides blackbox testing techniques as part of its Web Application Scanning (WAS) solution. In addition to dynamic analysis, this technology uses static analysis and software composition analysis to provide a comprehensive approach to finding and fixing software flaws.

With CA Veracode WAS, software teams can use blackbox testing techniques to search debug code, exposed directories, left-over source code and resource files for ODBC connection strings, hidden username/password pairs and SQL strings that attackers could use to compromise an application. CA Veracode’s solution also provides an inventory of all externally facing web applications and runs a lightweight scan to find critical vulnerabilities and prioritize risks.
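The block below is an added example, not CA Veracode WAS or any part of it, illustrating the leftover-file search described in this section and in the black box testing section above. It works the way a black box probe must: it only has a path to request and the response that comes back. The candidate paths, the secret patterns and the in-memory "site" are all constructed for the example; a real scan would run the same logic over a much larger wordlist and over URLs found by crawling, using an HTTP client in place of `fetch_constructed`.

```python
import re

# Paths commonly left on production web roots by mistake. Illustrative only;
# a real scanner uses a much larger wordlist and also spiders the site.
LEFTOVER_PATHS = ["/.env", "/.git/config", "/web.config",
                  "/config.php.bak", "/debug.log"]

# The kinds of material the text lists as high-value finds: connection
# strings, hard-coded credentials and embedded SQL that reveals the schema.
SECRET_PATTERNS = {
    "connection_string": re.compile(
        r"\b(?:Data Source|Server|Driver)\s*=[^;\n]+;.*?(?:Password|Pwd)\s*=[^;\s\"']+",
        re.IGNORECASE | re.DOTALL),
    "credential": re.compile(
        r"\b(?:DB_PASSWORD|password|passwd|pwd)\s*[=:]\s*[^;\s\"']+",
        re.IGNORECASE),
    "sql_statement": re.compile(
        r"\b(?:SELECT\b.{0,200}?\bFROM\b|INSERT\s+INTO\b|UPDATE\s+\w+\s+SET\b|DELETE\s+FROM\b)",
        re.IGNORECASE | re.DOTALL),
}


def probe_leftovers(fetch, paths=LEFTOVER_PATHS):
    """Black box probe: request each candidate path through `fetch`, which
    returns (status, body) like an HTTP client would, and grep every readable
    response for the secret patterns. Returns one finding per (path, kind)."""
    findings = []
    for path in paths:
        status, body = fetch(path)
        if status != 200:
            continue  # not readable; a full scan would still log 403s as leads
        for kind, pattern in SECRET_PATTERNS.items():
            m = pattern.search(body)
            if m:
                findings.append({"path": path, "kind": kind, "match": m.group(0)})
    return findings


# Constructed stand-in for a web server so the example runs offline. The
# credentials and hostnames are made up.
CONSTRUCTED_SITE = {
    "/": (200, "<html>Welcome</html>"),
    "/.env": (200, "APP_ENV=production\nDB_USER=app\nDB_PASSWORD=s3cr3t!\n"),
    "/config.php.bak": (200,
        '<?php $dsn = "Driver={SQL Server};Server=db01;Database=shop;Uid=sa;Pwd=letmein;";\n'
        '$q = "SELECT * FROM users WHERE id=" . $_GET["id"];'),
    "/debug.log": (403, "Forbidden"),
}


def fetch_constructed(path):
    """Stand-in for an HTTP GET against the constructed site."""
    return CONSTRUCTED_SITE.get(path, (404, "Not Found"))


if __name__ == "__main__":
    for finding in probe_leftovers(fetch_constructed):
        print(f"{finding['path']}: {finding['kind']} -> {finding['match']}")
```

The `.bak` file is the instructive case: besides the connection string and password, it exposes a query built by string concatenation from `$_GET["id"]`, so one unauthenticated request hands an attacker both database credentials and a ready-made SQL injection point.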

Benefits of CA Veracode’s blackbox testing techniques.

Blackbox testing techniques from CA Veracode enable development teams to:

  • Simulate attacks by malicious individuals to find unexpected vulnerabilities that may be missed by other testing techniques.
  • Find and fix issues and vulnerabilities in applications before they are shipped.
  • Resolve issues faster with a complete report of critical vulnerabilities and detailed guidance for re-creating and fixing flaws.
  • Develop longer-term strategies for proactively improving application security throughout the SDLC.

 

Learn more about blackbox testing techniques from CA Veracode and about CA Veracode solutions for improving PCI security and PCI 3.0 compliance.

SQL ATTACKS

The danger of SQL attacks.

SQL attacks are among the most common threats to application security today. It takes relatively little skill to mount an SQL injection in .NET, Java or PHP, and the rewards for hackers are significant. Successful SQL attacks enable malicious individuals to access sensitive information stored in databases, make unauthorized changes to the content of an app or website, view users’ credentials, and more.

Hackers typically initiate SQL attacks by entering SQL syntax into web form fields, URL parameters or HTTP headers. If the application builds its query by concatenating this untrusted data into the SQL text instead of binding it as a parameter, the attacker’s SQL becomes part of the query the database executes, compromising systems and breaching application security.

The bad news: most enterprises still fail to put proper controls in place to prevent SQL attacks. The good news: stopping SQL attacks is relatively easy – use parameterized queries (prepared statements) everywhere and validate inputs – but frequent and consistent testing of apps in development and production is critical to find the places where this was not done. Automated testing is even better, enabling developers to focus on coding while automated testing tools perform a .NET, Java or PHP SQL injection test to identify vulnerabilities.

When choosing the application security and testing solutions that can help to prevent SQL attacks, more development teams and enterprises today turn to CA Veracode.

Stop SQL attacks with CA Veracode.

CA Veracode provides industry-leading solutions for securing web applications, mobile applications and other business-critical software. Built on a unified platform, CA Veracode’s SaaS-based services help to simplify application security and testing throughout the SDLC agile process, from inception through production. With CA Veracode, you can find and fix flaws at any point in the development process where it is convenient and cost-effective to do so.

As a cloud-based solution, CA Veracode is easy to implement and requires no special expertise for operating, maintaining or upgrading solutions. And CA Veracode’s services are constantly being refined to adhere to the latest web application security standards and to defend against the most advanced SQL attacks as well as a myriad of other threats.

CA Veracode solutions for preventing SQL attacks.

CA Veracode provides multiple tools that can help to prevent Java, PHP and .NET SQL injection, including:

  • CA Veracode Static Analysis. This security testing technology scans compiled binaries in applications and third-party software to identify vulnerabilities and to tell developers exactly how to fix them. CA Veracode returns results based on severity and risk, enabling developers to remediate the most dangerous flaws first.
  • CA Veracode Web Application Scanning. This service scans public facing web applications, performing lightweight and authenticated scans to discover vulnerabilities like those that may lead to SQL attacks.

Learn more about stopping SQL attacks with CA Veracode, and about CA Veracode tools to prevent LDAP injection.

SQL INJECTION JAVA

The threat of SQL injection in Java applications.

For attacks like SQL injection, Java applications remain a primary target and the damage to an organization can be significant. An SQL injection in Java is easy for even novice hackers – a few simple lines of SQL in a web form field can provide unauthorized access to an application’s database, enabling the attacker to view or steal data or change the way the application behaves.

Preventing SQL injection in Java is relatively simple: use PreparedStatement with bound parameters so that user input never becomes part of the SQL text, and validate all inputs against business-specific rules. But these fixes only get applied once SQL injection vulnerabilities have been discovered, and few organizations have the application security and testing technology in place to identify weaknesses that could permit Java SQL injection.
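The following is an added example, not code from CA Veracode, serving both this section and the SQL attacks section above. It puts the vulnerable pattern (query built by concatenation) beside the fix the text prescribes (bound parameters plus input validation) and runs the classic login-bypass payload against each. Python with the built-in sqlite3 module is used so the block runs offline; the Java equivalent of `login_parameterized` is a `PreparedStatement` with `setString` calls in place of string concatenation. The table, the users and the username rule are constructed for the example.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory database with two sample users (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
                 "username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users (username, password_hash) VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    return conn


def login_vulnerable(conn, username, password_hash):
    """Vulnerable: user input is concatenated into the SQL text, so it can
    change the structure of the query, not just the values compared."""
    sql = ("SELECT id FROM users WHERE username = '" + username +
           "' AND password_hash = '" + password_hash + "'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password_hash):
    """Fixed: the query structure is fixed and the values are bound, so the
    database only ever treats the input as data."""
    sql = "SELECT id FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone() is not None


# Assumed business rule for usernames; the exact rule is application-specific.
USERNAME_RULE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def login_hardened(conn, username, password_hash):
    """Defence in depth: reject input that violates the business rule before
    it reaches the database, then use bound parameters anyway."""
    if not USERNAME_RULE.match(username):
        raise ValueError("username violates the allowed format")
    return login_parameterized(conn, username, password_hash)


# The classic bypass typed into the password field of a login form. In the
# vulnerable query it becomes ... AND password_hash = '' OR '1'='1', and the
# OR '1'='1' makes the WHERE clause true for every row.
BYPASS = "' OR '1'='1"


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, bypass:   ", login_vulnerable(conn, "nobody", BYPASS))
    print("parameterized, bypass:", login_parameterized(conn, "nobody", BYPASS))
```

The vulnerable function admits a user who does not even exist, because the injected `OR` rewrites the query; the parameterized version compares the same string as a literal password hash and fails. Validation alone is not a substitute for binding parameters: the `password_hash` field here has no usable format rule, which is exactly why the parameterized query, not the regex, is the control that stops the attack.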

The reason for this lapse in application security? Traditional testing technology has usually been cumbersome and expensive, leading to unacceptable delays in the software development process.

CA Veracode offers an easier, more efficient way to test software and prevent SQL injection Java attacks: a suite of cloud-based application security services that automate testing throughout the SDLC.

Preventing SQL injection Java attacks with CA Veracode.

CA Veracode’s SaaS-based testing services let development teams and IT security administrators add automated testing protocols throughout the software development lifecycle and the procurement process. Our suite of applications security solutions can help to find and fix flaws as code is being written, while software is being assembled, and in third-party applications and open source code that is purchased or downloaded.

As a cloud-based service, CA Veracode lets your IT team avoid the need to deploy and manage on-premise testing solutions. And we are continually upgrading our technology and refining our testing methodologies, providing you with up-to-date defenses against a quickly evolving threat landscape.

CA Veracode’s solutions for avoiding SQL injection Java vulnerabilities.

Our suite of testing solutions include several technologies that can help to prevent SQL injection in Java.

  • CA Veracode Web Application Scanning is a web application monitoring service that continuously finds and scans your public facing web applications – even the ones you don’t know about. Lightweight and authenticated scans help to identify potential SQL injection Java flaws and other vulnerabilities.
  • CA Veracode Static Analysis finds SQL injection vulnerabilities and other application flaws by scanning compiled binaries, providing a list of weaknesses and recommendations for how to repair them.

Learn more about CA Veracode’s technology for stopping SQL injection Java attacks, and about CA Veracode solutions for identifying a cross site scripting vulnerability and preventing XSS attacks.

