Oct 15, 2019

Beyond Testing: The Human Element of Application Security

By Suzanne Ciccone

Companies of every size and in every industry are changing the world with software. From healthcare to agriculture, education, and manufacturing, software is enabling unprecedented advancement and innovation. But if that software is insecure, these innovations may get held up, or worse, put us at risk. And this is a very real concern; our most recent State of Software Security report found that 83 percent of applications had at least one vulnerability on initial scan. In turn, testing the security of software and addressing any security-related defects is a critical undertaking.

However, it’s important not to lose sight of the fact that effective application security secures software throughout its entire lifecycle — from inception to production. With the speed of today’s development cycles — and the speed with which software changes and the threat landscape evolves — it would be foolish to assume that code will always be 100 percent vulnerability-free after the development phase, or that code in production doesn’t need to be tested or, in some cases, patched.

An effective application security program requires some “human” elements beyond testing, including:

Developer secure coding training, because the vulnerability that is never introduced will always be the cheapest and easiest to fix. Most developers don’t receive training on secure coding, either in school or on the job, but when they do, it pays off. Data collected for our State of Software Security report found that eLearning on secure coding improved developer fix rates by 19 percent.

A solid vulnerability disclosure policy, which ensures that vulnerabilities unearthed by security researchers are addressed and disclosed in an effective manner. Veracode’s co-founder and CTO Chris Wysopal notes that, “Today, we have both tools and processes to find and reduce bugs in software during the development process. But even with these tools, new vulnerabilities are found every day. A strong disclosure policy is a necessary part of an organization’s security strategy and allows researchers to work with an organization to reduce its exposure. A good vulnerability disclosure policy will have established procedures to work with outside security researchers, set expectations on fix timelines and outcomes, and test for defects and fix software before it is shipped.”

Bug bounty programs, which put the power of multiple security researchers behind your application security. Wysopal says of bug bounty programs, “bringing in outside hackers with their own attack tools will uncover new risks. This is one of the clear values of bug bounty programs.”

Ultimately, effective application security focuses on both prevention and detection. You wouldn’t let your kids play with matches just because you have a fire extinguisher. On the other hand, even if you teach your kids about fire safety and never let them play with matches, you wouldn’t toss out the fire extinguisher. Fire safety requires prevention and detection, as does application security.

Testing your code for vulnerabilities early and often in the development process, and assessing the security of both third-party and open source code, are both essential software security steps. But detecting and responding to vulnerabilities with human solutions plays a critical part as well. Developer training, a vulnerability disclosure policy, and a bug bounty partnership all play a role.

Continue this conversation with us at our fall road show; we’ve teamed up with Bugcrowd and Edgewise on a series of networking events -- coming to a city near you!

By Suzanne Ciccone

Suzanne is part of the content team at Veracode, working to create resources that shed light on AppSec problems and solutions.