With January upon us, there’s undoubtedly a buzz in the air as security and development professionals eagerly plan out their 2019 strategies. You might be wondering what resolutions you can make that will help you navigate the New Year, and to take it a step further, what trends you should consider when crafting these resolutions. To help you get started, here are some suggestions from the Veracode team that will help you get a sense of what to expect in 2019 and have you on your way to a successful and secure year.
Get your security and development teams collaborating and on the same page.
Good code is secure code, and having security help to design and build secure applications in a collaborative process allows applications to be built better and faster. DevSecOps is a way to make that happen, and adopting a more automated and integrated approach between your security and development teams can make shipping secure code easier, with fewer last-minute surprises.
Prepare for a boom in open source code use, and understand how to secure it.
Open source is now mainstream. We’re seeing it used in banking, autonomous cars, space travel, and even missiles, but as the community and commercial models for open source evolve, we’ll see a new realization that while you may get the code for free, you don’t always get security for free. How people continue to embrace open source code in light of that is yet to be seen, but if you don’t want to be tomorrow’s news headline, you should be prepared with a game plan for how to secure those components.
Prepare for the shift to serverless code, and turn your focus towards continuous security.
As more and more code moves to serverless, where there is no host or even container to configure, patch, and secure, the only thing left for organizations to secure will be their own code.
Code is increasingly becoming third party in the form of open source components and publicly available PaaS/SaaS APIs, which requires a supply chain security approach. With open source components, the public security posture of each component is taken into consideration to ensure that the least vulnerable version of a component is used, or – if necessary – a more secure component with similar functionality is used instead. Supply chain security around PaaS/SaaS APIs is more challenging, but we see these providers publishing third-party reviews of their unique code, which open source components they use, and the security posture of the PaaS/SaaS APIs they themselves use. The supply chain is becoming more public and more nested.
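The component-selection policy described above (least vulnerable version first, then an equivalent component), as an added example that is not Veracode's code; the component names, versions, advisory records and equivalence table are constructed sample data:

```python
"""Pick the least vulnerable version of a dependency, or an equivalent component.

Added example, not code from the original post. All component names,
versions and advisory records below are constructed for illustration.
"""

# Constructed advisory feed: (component, affected versions, severity 0-10)
ADVISORIES = [
    ("libparse", {"1.0.0", "1.1.0"}, 9.8),
    ("libparse", {"1.1.0"}, 5.3),
    ("libparse", {"1.2.0"}, 4.0),
    ("altparse", {"0.9.0"}, 3.1),
]

# Versions currently published for each component, oldest first (constructed)
AVAILABLE = {
    "libparse": ["1.0.0", "1.1.0", "1.2.0"],
    "altparse": ["0.9.0", "1.0.0"],
}

# Components that offer similar functionality (constructed)
EQUIVALENTS = {"libparse": ["altparse"]}


def risk_score(component, version):
    """Sum the severities of every advisory affecting this exact version."""
    return sum(sev for name, affected, sev in ADVISORIES
               if name == component and version in affected)


def least_vulnerable(component):
    """Return (version, score) with the lowest risk; newest wins on ties."""
    best = None
    for version in reversed(AVAILABLE[component]):  # newest first
        score = risk_score(component, version)
        if best is None or score < best[1]:
            best = (version, score)
    return best


def choose(component, max_score=0.0):
    """Pick the least vulnerable version of the requested component; if even
    that exceeds the policy threshold, fall back to an equivalent component.
    Returns (name, version, score) or None when nothing meets policy."""
    for name in [component] + EQUIVALENTS.get(component, []):
        version, score = least_vulnerable(name)
        if score <= max_score:
            return name, version, score
    return None  # escalate for manual review
```

A `None` result is the signal to involve security before the build proceeds, rather than silently accepting the best available version.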
This will all be happening over a highly distributed set of microservices and APIs. These microservices will be developed using a DevOps methodology that will require continuous security. Newly developed code will be analyzed for weaknesses as it is written, and additionally analyzed as it is stitched into other code, and again as the context gets wider until a whole application or microservice is analyzed with its accompanying supply chain of open source components and PaaS/SaaS APIs.
Weaknesses will be transmitted to developers early, and the developers will be able to use suggested remediations, which will be reinforced by automated testing.
Resolve to do something new, but just as important, resolve to continuously improve what you already do well.
You’ve probably been investing in automation for many years – automation of your testing, monitoring, metrics, and CI/CD pipelines. So in 2019, resolve to double-down on your automation investment to enable even more efficiency and quality consistency. In Veracode’s most recent State of Software Security report, we found a strong correlation between teams who have adopted a frequent, automated scanning approach and faster fix time for flaws.
To complement automation, turn your focus towards continuous security across all aspects of your organization, transforming your teams’ cultural mindset as well as your pipelines and processes. It’s not realistic to hire a security expert for each scrum, so instead, resolve to train current team members to become security champions. Leverage their voices to represent the security perspective in each and every story prioritization, grooming, and review, and don’t be afraid to pull in security experts where needed. A nice side effect of this practice is that investing in training for your team is proven to improve retention – a happy developer who is growing their career will stay in your organization.
Continue to secure your software to mitigate against threats and avoid higher GDPR fines in 2019.
We are almost guaranteed to see more mega-breaches in 2019. Some of these are undetected at the time of writing, and may have been taking place for a number of months or years. The Marriott breach is a prime example of how serious an issue this is for large businesses. GDPR fines for breaches disclosed in 2018 are likely to top anything we have seen before when they are imposed in 2019 – in order to avoid being affected, organizations will need to continue to secure their software to mitigate against threats.
Whether you’re looking to measure the success of your application security program or want to know more about how you can mature your program in 2019, our “Everything You Need to Know” guides have you covered. Kick-start your journey to an advanced AppSec approach in the coming year by checking out the following: