Black Hat USA 2021 kicked off this week and we enjoyed the show! In addition to hosting a Cards and Coding virtual casino night to discuss the future of cybersecurity (and give away some prizes), we held a Lunch & Learn with Wallace Dalrymple, CISO of Emerging Markets at Advantasure. In the session, our Founder and CTO Chris Wysopal chatted with Wallace about how Veracode and Advantasure worked together to build a mature application security (AppSec) program while addressing modern software security requirements.
As Chris noted when the Lunch & Learn session began, the pandemic drove many organizations to digitally transform most functions of business, quickly, which meant increased security threats — especially for organizations in the healthcare industry where Advantasure thrives. The effort to produce more secure code is especially critical after the Biden Administration’s recent Executive Order on cybersecurity, which impacts software security for organizations big and small.
We know from our annual State of Software Security report that 75 percent of apps in the healthcare industry have security flaws, and 26 percent have high-severity vulnerabilities. To get ahead of this risk in the pandemic (during which they saw an uptick of cyberattacks by 50%), Advantasure knew they needed to bolster their AppSec program and set themselves up for a successful digital transformation. That’s where Veracode came in, helping Wallace and his team build a stronger security program and enable their developers to become more security-minded.
“I believe in: if you write it, you own it. You really have to have that buy-in from development, from project managers to deployment teams and release teams, all the way up to the management,” Wallace said. Speaking about Veracode Security Labs he continued, “Veracode provides a platform where we can actually provide a tool for developers to not just learn – not just watch a webinar – but to actually be hands-on and understand the coding mistakes they make through real-time feedback.”
Wallace elaborated that their developers have been able to embrace new tools as part of their existing processes, giving them ownership over the efforts and boosting security adoption. If you missed the Lunch & Learn, you can read Advantasure’s full story here to see how they got it done.
From Big Data to Open Source
We also had the chance to sit in on some sessions, one of which delved into the security of big data infrastructures: The Unbelievable Insecurity of the Big Data Stack: An Offensive Approach to Analyzing Huge and Complex Big Data Infrastructures. Sheila A. Berta of Dreamlab Technologies spoke about data ingestion, storage, processing, and access, as well as the techniques threat actors use to get into data infrastructures.
As Head of Research for Dreamlab Technologies, Sheila asked the question, “What is a security problem and what is not a security problem in Big Data infrastructures?” What it comes down to, she said, is that security teams need to stay on top of methodologies and keep their skills sharp if they want to proficiently evaluate the security of these infrastructures. The methodology presented by Sheila came with new attack vectors in data; for example, she discussed techniques like the remote attack of a centralized cluster configuration managed by ZooKeeper, as well as relevant security recommendations to prevent these attacks.
Another interesting session titled Securing Open Source Software – End-to-End, at Massive Scale, Together was held by Christopher Robinson, the Director of Security Communications at Intel, and Jennifer Fernick, SVP & Global Head of Research at NCC Group. In their discussion, they highlighted that, while open source software is foundational to the Internet, it’s also rife with risk if left unchecked.
This is a problem we work to combat here at Veracode with tools like Software Composition Analysis and developer enablement programs — our recent State of Software Security: Open Source Edition report found that just over half of developers have a formal process in place for selecting third-party libraries, but when they have the right information and scanning tools in hand while they work, developers can fix 17 percent of flawed libraries within an hour of their security scan and 25 percent within seven days.
In their talk, Christopher and Jennifer discussed some of the most well-known vulnerabilities that they helped remediate, such as Heartbleed and Shellshock. Heartbleed, Christopher noted, was still impacting over 90,000 devices as of July of 2019; the result of a team of two developers working to fix the issue at hand for free, on their own.
Many of the benefits of open source are also challenges, they noted, such as lack of consistently deployed security standards, reviews, and tooling. Christopher and Jennifer highlighted the Open Source Security Foundation (OpenSSF), established in 2020 as a collaborative effort to improve these and other issues and reduce vulnerabilities at scale. What are other critical steps to take? According to Christopher and Jennifer, the community should work to:
- Prevent flaws through threat modeling and resource concentration
- Find flaws through integrated security tools, like Software Composition Analysis
- Perform enhanced testing like manual code reviews and audits
- Improve the disclosure of security flaws
- Implement fundamentals like a Software Bill of Materials
Christopher and Jennifer believe that the developer community can come together to make open source code more secure by taking the above initiatives seriously, joining the efforts of OpenSSF to share knowledge, and working to improve their overall security posture.
Did you attend Black Hat USA this year? Let us know which sessions you thought were most interesting!