We recently announced our CA Veracode Verified program. To better suit the needs of organizations that are producing and updating apps at DevOps speed, we are attesting to the security of the overall development process of an application, rather than to the security of an application at one point in time. In this way, your prospects and customers can rest assured that security was embedded into the development process that created your product. With the Verified seal, you prove at a glance that you’ve made security a priority, and that your security program is backed by one of the most trusted names in the industry.
Is the CA Veracode Verified program right for you? It is if you are:
The CA Veracode Verified program includes three tiers, allowing you to quickly get ramped up and achieve your first seal, then work toward the other tiers over time as you grow and mature your application security program. This is the third in a three-part blog series that takes a detailed look at each of the three tiers. The first tier of the CA Veracode Verified program is Verified Standard, the second tier is the Verified Team tier, and the third is the Verified Continuous tier. Each tier builds upon the elements of the previous tier. What does application security look like at the Verified Continuous tier?
Organizations in the Verified Continuous tier:
Here’s a look at each of these Continuous tier elements:
Integrate security tools into development workflows: To keep up with the shift to DevOps and rapid release cycles, application security solutions need to integrate into security and development teams’ existing tools and processes as much as possible. Tacking additional steps onto the development process or forcing teams to interrupt their workflows to switch tools is becoming increasingly unfeasible within today’s development paradigms. In fact, AppSec tools that lack flexible APIs and customizable integrations will eventually be under-used, or not used at all.
CA Veracode integrates with the development team’s IDEs, ticketing systems, and build systems. Get details on our integrations in the CA Veracode Integrations guide.
Assess web applications with dynamic analysis: One of our recent State of Software Security (SoSS) reports provides supporting data to the idea that multiple testing techniques are more effective than a single technology. SoSS version 7 shows statistically that there are significant differences in the types of vulnerabilities that are discovered by looking at applications dynamically at runtime, as compared to static tests in a non-runtime environment.
Although the move to Agile and DevSecOps development processes has fostered a lot of attention on the need to shift security testing left in the development cycle, it’s important not to lose sight of the fact that effective application security secures software throughout its entire lifecycle – from inception to production.
With the speed of today’s development cycles – and the speed with which software changes and the threat landscape evolves – it would be foolish to assume that code will always be 100 percent vulnerability-free after the development phase, or that code in production doesn’t need to be tested or, in some cases, patched.
Dynamic analysis, which examines the application dynamically in a runtime environment, plays an important role in ensuring that security spans from left to right in the SDLC.
Static and dynamic analysis offer different strengths at unearthing different kinds of vulnerabilities. For example, dynamic testing is better at picking up deployment configuration flaws, while static testing finds SQL injection flaws more easily. The point is that neither test alone provides a 360-degree security view of the application.
Document that the application does not include any Very High, High or Medium flaws, that they have a bi-annual mitigation review and a 30-day remediation deadline: The Continuous tier raises the policy requirement to address very high, high flaws, and also medium-level security flaws. This tier also adds a bi-annual mitigation review. With this requirement, you decrease your risk of breach by ensuring that any mitigations your organization is using to eliminate the threat from a known security-related defect is in fact valid and effective. Every six months, a security consultant will review all the mitigations proposed and accepted by your organization and either confirm their validity or offer recommendations and guidance on mitigating or remediating the flaw in question. This requirement addresses and reinforces the critical need to not just find application security flaws, but fix them.
Provide advanced training on secure coding for the security champion identified on the development team: To reach the Verified Team tier, an organization identifies a security champion on the development team and provides training for the champion so that this individual can be a resource for the team on secure coding practices. At the Team level, the security champion takes a minimum of three eLearning courses that provides the developer with a foundation of application security knowledge – an introductory course and two secure development courses. At the Continuous level, you expand upon the champion’s training, taking a minimum of two secure coding courses annually.
Provide the development team with training on secure coding: We recently conducted a survey with DevOps.com that concluded that most developers receive little or no training on secure coding, either in school or on the job.
Our 2017 State of Software Security report found that our customers that offered eLearning on secure coding to development teams improved developer fix rates by 19 percent, making a dramatic impact on the state of application security among our customers.
Therefore, in the Continuous tier, you expand secure coding training from the security champion to the wider development team. At this tier, development team members complete a minimum of one introductory eLearning course and one secure development course annually.
Application security can be a daunting prospect for many, but breaking it into manageable steps, prioritizing the tasks, and starting small make it doable. In addition, not all apps are created equal, and they don’t all need the same level of security attention. For instance, an application that has IP, is public facing and has third-party components should be held to higher security standards than a one-page temporary marketing site. Proper evaluation of the business criticality of your application inventory is crucial. The CA Veracode Verified program can help you secure your application landscape in a manageable way, while proving to your prospects that security is a priority at your organization.
Learn more about how to get started.