October is cybersecurity awareness month, and this year, the overarching theme is “Do Your Part. #BeCyberSmart.” When considering what “cybersmart” means in application security, we realized we unearthed some data this year that made us a little cybersmarter and could help other security professionals and developers increase their AppSec smarts as well. We’re sharing those data gems below.
1. Lack of developer participation in and engagement with security training is a problem.
A recent research report, sponsored by Veracode and conducted by Enterprise Strategy Group (ESG), found that most organizations require their developers to consume AppSec training, but 35 percent said less than half of development teams are participating in formal training. In addition, most respondents reported that they lack programs to measure the effectiveness of developer security training. What’s the lesson here? Given that developers have been increasingly tasked with implementing security measures, including writing secure code and remediating vulnerabilities, it’s vital that they are trained to do so. But it has to be relevant, engaging training that will encourage participation.
2. It’s nearly impossible to have effective AppSec without integrating into developer workflows.
In the ESG survey, 43 percent of organizations agreed that DevOps integration is critical to improving application security (AppSec) programs. With the speed of development today, security tests that slow or block developers are simply not feasible. Lesson No. 2: AppSec should be integrated and automated. Integrating security measures into the CI/CD toolchain not only makes it easier for developers to run AppSec tests, but it also helps organizations discover security issues sooner, which speeds up time to deployment.
3. Open source code is pervasive, vulnerable, and typically not checked for security.
Our most recent State of Software Security (SOSS) report found that a typical Java application is made up of 97 percent open source and third-party libraries. In addition, our State of Software Security: Open Source Edition report published this year found that 70.5 percent of applications have a security flaw in an open source library. But – shockingly – the ESG report referenced above found that less than 50 percent of organizations scan their open source libraries for security. Why? It’s not uncommon for application developers to assume that third-party libraries were already scanned for vulnerabilities by library developers. Unfortunately, you can’t rely on library developers to keep your applications safe. The cybersmart practice is to scan third-party libraries on a regular basis.
4. You could be pulling in more open source code than you think.
Developers pull in one open source library, but that library is dependent on another library, which is dependent on another library, and so on. In fact, research for our State of Software Security: Open Source Edition report found that most applications have a large percentage of secondary (and tertiary, and more) dependencies.
Take a look at the image below taken from our Software Composition Analysis solution. The empty circle in the middle is your application, and all of the sections around it are different direct and indirect libraries. In this specific example, all of the colored sections are libraries containing vulnerabilities that affect the application either directly or indirectly. Bottom line: Get a handle on all the code that makes up your applications, even the open source code reaching your app indirectly.
5. The majority of open source flaws are pulled into the code indirectly.
As mentioned above, flaws can be introduced into code directly by the application developer or indirectly by another library in use. Flaws introduced indirectly, through what are known as transitive dependencies, make up the majority of open source flaws. In fact, in our recent report, State of Software Security: Open Source Edition, we found that 70.5 percent of the applications had an open source flaw, and of those applications, 46.6 percent of the flaws were transitive, and 41.9 percent were direct (11.5 percent were both).
Takeaway: You can have vulnerabilities lurking several layers deep; don’t be complacent if you’re just assessing the security of your direct dependencies.
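The direct, transitive, and "both" categories from lessons 4 and 5 can be computed from any resolved dependency graph. The sketch below is an added example, not code from the reports or from any scanning product; the library names, the graph, and the set of flawed libraries are constructed sample data.

```python
from collections import deque

# Constructed sample data: library -> libraries it depends on.
# "app" is the application; every name here is hypothetical.
DEPENDS_ON = {
    "app": ["web-framework", "json-parser", "logging-lib"],
    "web-framework": ["template-engine", "json-parser"],
    "template-engine": ["string-utils"],
    "logging-lib": ["string-utils"],
    "json-parser": [],
    "string-utils": [],
}
# Constructed set of libraries assumed to carry a known flaw.
VULNERABLE = {"json-parser", "string-utils", "web-framework"}


def dependency_depths(graph, root):
    """Breadth-first walk; return {library: shortest depth below root}."""
    depths = {root: 0}
    queue = deque([root])
    while queue:
        lib = queue.popleft()
        for dep in graph.get(lib, []):
            if dep not in depths:  # visited check also stops cycles
                depths[dep] = depths[lib] + 1
                queue.append(dep)
    del depths[root]
    return depths


def classify_flaws(graph, root, vulnerable):
    """Label each reachable vulnerable library direct, transitive, or both."""
    reachable = dependency_depths(graph, root)
    direct = set(graph.get(root, []))
    # Libraries that some other reachable library (not the app) pulls in.
    indirect = {dep for lib in reachable for dep in graph.get(lib, [])}
    labels = {}
    for lib in sorted(vulnerable & set(reachable)):
        if lib in direct and lib in indirect:
            labels[lib] = "both"
        elif lib in direct:
            labels[lib] = "direct"
        else:
            labels[lib] = "transitive"
    return labels


if __name__ == "__main__":
    depths = dependency_depths(DEPENDS_ON, "app")
    for lib, label in classify_flaws(DEPENDS_ON, "app", VULNERABLE).items():
        print(f"{lib}: {label} (depth {depths[lib]})")
```

A review limited to the application's own manifest would see only the three libraries it names and would miss `string-utils`, which arrives two levels down.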
#BeCyberSmart about application security, this month and every month. To learn more, watch this short video.