This is the third entry in a series of blogs on how Veracode products fit into each stage of the software lifecycle – from coding to testing to production. We want to emphasize lifecycle here, because we continue to hear the misconception that application security falls squarely and solely into the testing stage. In our 10+ years helping organizations secure their applications, we’ve learned that effective application security secures software throughout its entire lifecycle – from inception to production or, put another way, from prevent to respond. In fact, rather than talking about securing the software development lifecycle, we should focus on securing the software lifecycle.
This blog series (and accompanying interactive infographic) will take that notion one step further and detail exactly how our products fit into each stage. We hope this series gives you a better sense of both the security requirements throughout the lifecycle and how Veracode can help at each step.
The move to Agile and DevSecOps development processes has fostered a lot of attention on the need to shift security testing left in the development cycle. And this is absolutely a pivot in the right direction. Moving security testing into the realm of the developer makes security testing faster, easier, more effective and less expensive. It gives developers the power to make great code by making security a part of the definition of “great.” However, it’s important not to lose sight of the fact that effective application security secures software throughout its entire lifecycle – from inception to production.
With the speed of today’s development cycles –and the speed with which software changes and the threat landscape evolves – it would be foolish to assume that code will always be 100 percent vulnerability-free after the development phase, or that code in production doesn’t need to be tested or, in some cases, patched.
Protecting production apps involves security testing completed code, whether it’s developed internally or externally, and implementing real-time protection for apps in production. Just as software is not static, application security isn’t either. Effective application security is not a one-and-done project, but an ongoing program that both prevents and responds to breaches at the app layer.
It’s important to note that operations has a role to play in securing production applications as well.
For our 2017 State of Software Security report, based on our Platform data, we looked at the overall basic hygiene of the production environments on which applications run. What we found was that there were an alarming number of insecure servers running production software. In fact, 25 percent of sites were running on web servers containing at least one high-severity vulnerability. Even if these applications were flawless, they’d be vulnerable.
On the other hand, our research also revealed that many operations people are making a positive impact on software in production. Dynamic testing revealed that apps running in production fared slightly better than those in pre-production. Digging deeper into these numbers, we uncovered that the categories with the biggest difference in vulnerability prevalence between development/QA and production were those that were most likely under the control of IT ops. So issues like easily guessable passwords and the wrong use of HTTP security headers that can be tackled by ops are likely to be shut down before they go live.
CA Veracode Web Application Scanning (Discovery plus Dynamic Testing): Find, secure and monitor all of your web applications — not just the ones you know about.
CA Veracode Manual Penetration Testing: Pen testers conduct simulated attacks for complete assurance.
CA Veracode Runtime Protection: Detect and block attacks in your production applications.
Veracode Software Composition Analysis: SCA alerts you if new vulnerabilities are found in embedded components, enabling you to respond and patch quickly.
Check out our new interactive infographic, Securing Every Phase of the Software Lifecycle, to further explore security considerations during the SDLC, and how Veracode products fit into that picture.