How dangerous are your app security holes? Sadly, they are quite dangerous and getting far more so. In a study released Tuesday (Oct. 18) that examined billions of lines of code from 300,000 assessments performed over the last 18 months, a stunning 97 percent of Java applications contained at least one component with a known vulnerability.
To be fair, that probably isn't that surprising. Nor should it surprise any veteran security specialist that 60 percent of apps fail security testing in the first scan or that more than half of the examined apps were affected by misconfigured secure communications. What is surprising is the lax approach that so many companies are taking with such a monumental security nightmare.
Today, a cybercriminal can focus on a single vulnerability in one component to exploit millions of applications. Software components are used by every industry and for software of all kinds, and given our dependence on applications, the ease at which millions of applications can be breached has the potential to create havoc in our digital infrastructure and economy.
~ Brian Fitzgerald, CMO, CA Veracode
Here's more non-surprises: Standard time-tested (but unexciting) security tactics—things like remediation coaching, sandbox testing, continuous scanning and eLearning—were found to improve security as much as six-fold. These approaches do work, when dealt with in a rigorous and serious manner.
In so many ways, security effectiveness is about attitude. A simple and consistent approach of using known security monitoring and testing tools really does work. That, however, requires company management to first accept that these holes are real and dangerous to the company in a litany of ways. The tools are here today. The attitudes, frighteningly enough, are what's lagging.
"The prevalent use of open source components in software development is creating unmanaged, systemic risks across companies and industries," said Brian Fitzgerald, CMO of CA Veracode, which performed the study. "Today, a cybercriminal can focus on a single vulnerability in one component to exploit millions of applications. Software components are used by every industry and for software of all kinds, and given our dependence on applications, the ease at which millions of applications can be breached has the potential to create havoc in our digital infrastructure and economy."
Let's drill down into one of these key defenses: continuous scanning. Whether the app is operating at the desktop or mobile level, there are two entirely distinct areas of security concern: what the itself can do—it's code alone—of security concern and what it actually does when interacting with the OS and networks and other apps.
As for the first element—which we'll call code at rest—that is dangerous enough, especially when the code is open-source or third party. You don't even need to get into the issue if you trust the company that provided the app. If malware is lurking inside, the ISV may not know it, either.
And remember that there are two kinds of security holes: deliberate efforts (aka malware): and unintended privacy/security holes, where data can leak. Both are troublesome but it's the second that bypass standard security safeguards. That's precisely why watching the data while it is interacting with everything it has to work with—battlefield conditions, if you will—is so critical and that is what continuous scanning is all about.
Sandbox testing is essential as it allows developers to test their work on an application in a private space before being tested against the corporate policy.
It's critical to understand that this is a winning battle, but your people have to set aside the resources to do it properly. Cyberthieves are so very much hoping you don’t.
Read the full report here: https://www.veracode.com/soss