We recently announced our CA Veracode Verified program. To better suit the needs of organizations that are producing and updating apps at DevOps speed, we are attesting to the security of the overall development process of an application, rather than to the security of an application at one point in time. In this way, your prospects and customers can rest assured that security was embedded into the development process that created your product. With the Verified seal, you prove at a glance that you’ve made security a priority, and that your security program is backed by one of the most trusted names in the industry.
Is the CA Veracode Verified program right for you? It is if you are:
The CA Veracode Verified program includes three tiers, allowing you to quickly get ramped up and achieve your first seal, then work toward the other tiers over time as you grow and mature your application security program. This is the second in a three-part blog series that takes a detailed look at each of the three tiers. The first tier of the CA Veracode Verified program is Verified Standard, the second tier is the Verified Team tier. What does application security look like at the Verified Team tier?
Organizations in the Verified Team tier:
Here’s a look at each of these Team tier elements:
Document that the application does not include Very High or High flaws, that you have a 60-day remediation deadline. Tackling the most severe vulnerabilities first is always best practice. Ultimately, successful vulnerability management is all about prioritizing remediation based on risk. Encouragingly, we found that to be a best practice among our customer base in 2017. Our most recent State of Software Security report compared the fix rate of very high and high severity vulnerabilities to the overall fix rate, and found that organizations are reducing the most severe flaws at about twice the overall fix rate. In the CA Veracode Verified Team Tier, you expand your focus from very high flaws to both very high and high flaws.
In addition, finding application security issues is only half the equation; it’s equally as important to fix what you find. But many developers aren’t equipped to remediate the vulnerabilities static analysis uncovers. In fact, in a survey we conducted with DevOps.com, seven in 10 developers said their organizations don’t provide adequate training in security, and 76 percent reported that they weren’t required to complete any security courses while in school. On the other hand, providing the team with remediation guidance gets results. Research done for our 2017 State of Software Security report revealed that CA Veracode customers that offer developers remediation coaching improve fix rates by 88 percent. In the CA Veracode Verified Team Tier, you not only provide remediation coaching to developers, but introduce a 60-day remediation deadline. Given that industry studies find that most attackers are leveraging vulnerabilities within days of discovery, enforcing deadlines on remediation is an important step in reducing risk.
Identify a security champion within the development team to ensure secure coding practices are used across the development lifecycle. What’s a security champion? This role is a developer with an interest in security who helps to reduce culture conflict between development and security by amplifying the security message on a peer-to-peer level. This person doesn’t need to be an expert, more like the “security consciousness” of the group.
As the responsibility for security testing shifts left into earlier phases of the development lifecycle, and as the security skills gap widens, this role becomes increasingly critical. Security teams simply can’t scale at the same pace as development teams, yet creating a security bottleneck is unacceptable in today’s fast-paced development.
Learn more about security champions in this video.
Provide training on secure coding best practices for the identified security champion. Again pointing to our DevOps.com survey, most developers receive little or no training on secure coding, either in school or on the job. So, when building out your AppSec program, you should arrange for the security champion, at least, to get secure coding training.
For instance, at CA Veracode our security champions work to incorporate security considerations in the peer reviews development teams are already conducting. We train our champions to identify security issues during code reviews.
We have also found that developer training makes a dramatic impact on the state of application security among our customers. Our 2017 State of Software Security report found that our customers that offered eLearning on secure coding to development teams improved developer fix rates by 19 percent.
Assess open source components for security. Another trend related to the increased pace of development is developers’ use of open source libraries. With the speed of development today, creating every piece of code from scratch is simply unfeasible, leading development teams to rely on open source code. This practice in and of itself is not bad; in fact, it’s best practice. The problem arises with lack of visibility. When development teams are using open source libraries indiscriminately and not keeping track of which components are used where, it becomes nearly impossible to patch risky code when a big vulnerability hits the news. With clear visibility into where components are in use, managing their risk becomes much more effective and efficient.
Ultimately, your application security program is missing a significant section of your risk landscape if it’s only focusing on first-party code. Reaching the Team Tier means you understand this gap and have expanded your program to address the security of not only your in-house developed code, but open source code as well.
Application security can be a daunting prospect for many, but breaking it into manageable steps, prioritizing the tasks, and starting small make it doable. In addition, not all apps are created equal, and they don’t all need the same level of security attention. For instance, an application that has IP, is public facing and has third-party components should be held to higher security standards than a one-page temporary marketing site. The CA Veracode Verified program can help you secure your application landscape in a manageable way, while proving to your prospects that security is a priority at your organization.
Learn more about how to get started.