This is the second in a series of blogs on how Veracode products fit into each stage of the software lifecycle – from development to production. We want to emphasize lifecycle here, because we continue to hear the misconception that application security falls squarely and solely into the testing stage. In our 10+ years helping organizations secure their applications, we’ve learned that effective application security secures software throughout its entire lifecycle – from inception to production or, put another way, from prevent to respond. Application security should be considered and conducted from the planning phase through to the development phase, on to the testing phase and right into production. In fact, rather than talking about securing the software development lifecycle, we should focus on securing the software lifecycle.
This blog series (and accompanying interactive infographic) will take that notion one step further and detail exactly how our products fit into each stage. We hope this series gives you a better sense of both the security requirements throughout the lifecycle and how Veracode can help at each step.
Every year, we publish a State of Software Security (SOSS) report based on the hundreds of thousands of applications we scan annually. And we continue to see the same vulnerabilities, in the same volume, year in and year out. As applications first underwent the scrutiny of software testing this year, approximately 70 percent of them failed security testing when measured against major industry vulnerability standards. And for the most part, that 70 percent failure rate is a consistent one that hasn’t budged much in at least three years.
Although we are moving toward developers security testing and fixing code incrementally as they write it, we aren’t there yet. A focus on speed and functionality over security, and a lack of developer security knowledge and training, are still roadblocks to the day when secure code is coming directly out of development. Bottom line: security testing completed code against policy remains a critical step. If your developers have been testing incrementally as they code, ideally these policy scans will find significantly less show-stopping security issues. But testing is still essential. Most organizations would consider it unacceptable to ship code with functionality defects, and we need to reach a point where security defects are equally as unacceptable
And we are seeing some positive movement on this front with the shift toward DevSecOps. This next phase in the evolution of DevOps brings security into the DevOps process, making secure code an element of high quality code.
Our SOSS reports also provide supporting data to the idea that multiple testing techniques are more effective than a single technology. A recent SOSS found that there are significant differences in the types of vulnerabilities that are discovered by looking at applications dynamically at runtime, as compared to static tests in a non-runtime environment. For instance, among the top 5 vulnerability categories we found during dynamic testing, two of them were not in the top 5 found by static, and one was not found by static at all. Clearly, only running static scans would leave some significant vulnerabilities unidentified.
Static and dynamic analysis offer different strengths at unearthing different kinds of vulnerabilities. For example, dynamic testing may be better at picking up deployment configuration flaws, while static testing might find SQL injection flaws more easily. The point is that neither test alone is sufficient for application security.
Cumulatively, these data points reveal that security testing, with multiple methods, remains a necessary step in securing your app layer and avoiding a damaging breach. Here’s how we can help:
Veracode Static Analysis: Upload a single packaged application to the Veracode Application Security Platform to kick off a scan and get a pass/fail result.
Veracode Software Composition Analysis: Identify and eliminate risk in third-party components.
Veracode Web Application Scanning (WAS) (Dynamic Testing): WAS identifies architectural weaknesses and vulnerabilities in your running web applications from the outside in.
Veracode Manual Penetration Testing: Pen testers conduct simulated attacks for complete assurance.
Veracode Mitigation Proposal Review: Get expert reviews to speed mitigations and satisfy auditors.
Veracode Remediation Advisory Services: Take advantage of one-on-one consultations with secure development experts.
Veracode Security Program Management: Security program managers collaborate with their Veracode colleagues to coordinate on developer consultations, remediation advisory services and mitigation proposal reports.
Check out our new interactive infographic, Securing Every Phase of the Software Lifecycle, to further explore security considerations during the SDLC, and how Veracode products fit into that picture.
And stay tuned for the next installment in this blog series, covering Veracode products in the production stage.