Veracode today released the findings in its annual State of Software Security Report (SoSS). The seventh edition of the report presents metrics drawn from code-level analysis of billions of lines of code across 300,000 assessments performed over the last 18 months.
New Offerings Deepen Coverage for Popular Web and Mobile Languages, While Helping Users of Older Mission-Critical Applications Improve Security
Survey data reveals that although the majority of respondents feel as though their software and applications are secure, many lack the proactive, layered security programs necessary to combat today’s vulnerabilities.
The FBI has reportedly told election officials in Arizona and Illinois that Russian hackers are pursuing their voter lists. Federal officials have sent a warning to all state election officials that there could be attempts to hack any election-related networks. Veracode Co-Founder Chris Wysopal (@WeldPond) and Harvard Cyber Security Project Postdoctoral Fellow Ben Buchanan (@BuchananBen) joined Jim to discuss potential election hacking.
Delivering key tech infrastructure and software through the cloud is one of the biggest technology trends today, driving billions in new revenue—and also much of the tech industry’s recent M&A activity.
These announcements are evidence of Veracode’s aggressive strategy to transform application security, extending it across the entire software lifecycle to reduce risk, manage compliance and shorten deployment times for secure software applications, while making secure coding practices a more seamless and positive part of the development process.
The campaign of Republican presidential candidate Ted Cruz updated its mobile app after an independent review found security flaws that could have allowed hackers to access personal data from users. The computer-security firm Veracode performed audits of the "Cruz Crew" app and those released by other 2016 presidential contenders at the request of The Associated Press.
Whenever you have a supply chain, the more complicated it is and the more individual pieces it has, the more difficult it is to do security. There are so many different parties involved: infotainment, connectivity, and they’re going with someone else to do the OS, like Apple CarPlay, for example. Ford and Toyota are going with their own OSes. Who’s building the apps? [Likely] a third party. For at least three years they are going to have to deal with in-bound vulns at a rate higher than today and have to respond to them.
Who’s going to decide when you have negligent security or good security? There are certain common sense things you need to do. The thing is codifying those common sense things – like application security best practices. I think the cyber insurance industry will help do that because they don’t want to pay out, which in turn will create a baseline for security best practices.
Services like Veracode can help because their remediation services include consultation with coding experts so that developers see where mistakes are being made. "You need to start before you get to that point," Wysopal said. "You need to understand your application's threat model up-front, how you could be attacked, what data they might go after. Then test before you get hacked versus the threat model."
Chris Eng, VP of research at Veracode, points out that DROWN is the most recent, but far from the only, example of intentionally crippled encryption (or backdoors) that has come back to haunt security professionals. “In the security industry there are a number of examples. That’s happened over and over again. The most recent is the Juniper backdoor and Dual EC DRBG. These (backdoors) were meant to be secrets that maybe only the maintenance staff or only a few knew about. But once that secret gets out then the good guys know it and the bad guys know it. It then takes a lot of effort to go back and patch the long tail of deployed products.”
“When you think about the plans to allow customers to download apps for infotainment systems to control different environments, the risk is only going to increase,” Wysopal said. “What’s going to happen when something goes wrong?” Eighty-seven percent of drivers polled said car manufacturers should be liable for the safety of the car, including third-party app reliability, manufacturer apps and protection from hackers. “We have answered a lot of these questions in the smartphone world with iOS and Android,” Wysopal said. “But when it comes to automobile safety it gets much trickier.”
Combining driver sentiment with in-depth interviews from organizations such as Fiat-Chrysler, Seat, Scania, Delphi and German industry body ADAC, new research sheds light on key questions, such as: What are the cybersecurity implications of the connected car? Who is responsible for ensuring the applications are secure? Where does product liability lie? What are the issues and approaches for personal data and privacy?
Like Heartbleed and Shellshock before it, the glibc vulnerability reinforces the reality that using components in the application development lifecycle introduces risk. ...our software is constructed like Legos, relying on components rather than coding. This is why it's important to have complete visibility into all of the components development teams are using, as well as the versions being used, to ensure they can quickly patch and/or update the component version when a new vulnerability is disclosed.
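The component-visibility point above comes down to one routine check: keep a pinned inventory of every third-party component and its version, and compare that inventory against each new advisory to find what needs patching. The following is an added example of that check, not Veracode's code or any product's output; the inventory, the component names and the advisory entries (including the `ADV-PLACEHOLDER-*` identifiers) are constructed for the demonstration and do not refer to real advisories.

```python
"""
Component inventory check (added example; constructed data throughout).

Given a pinned inventory of third-party components, flag the ones whose
installed version falls below the fixed version named in an advisory.
"""
import re
from dataclasses import dataclass

# Constructed inventory in the common "name==version" manifest form.
INVENTORY = """\
# third-party components in the build (constructed sample)
glibc-shim==2.19
jsonlib==1.4.2
imagecodec==0.9
tlswrapper==3.1.0
"""


@dataclass(frozen=True)
class Advisory:
    component: str
    fixed_in: str      # every version strictly below this one is affected
    advisory_id: str   # placeholder label, not a real advisory or CVE number


# Constructed advisories: ids are placeholders, not real identifiers.
ADVISORIES = [
    Advisory("glibc-shim", "2.20", "ADV-PLACEHOLDER-1"),
    Advisory("jsonlib", "1.4.2", "ADV-PLACEHOLDER-2"),
    Advisory("tlswrapper", "3.2", "ADV-PLACEHOLDER-3"),
]


def parse_version(text: str) -> tuple:
    """Turn '2.19' or '1.4.2' into a comparable tuple of integers."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def parse_inventory(manifest: str) -> dict:
    """Parse 'name==version' lines; comments and blank lines are skipped.

    An unpinned line is rejected: without an exact version there is nothing
    to compare an advisory against.
    """
    components = {}
    for raw in manifest.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"pinned version required: {line!r}")
        components[name.strip()] = version.strip()
    return components


def is_affected(installed: str, fixed_in: str) -> bool:
    """True when the installed version is older than the fixed version."""
    return parse_version(installed) < parse_version(fixed_in)


def find_affected(manifest: str, advisories: list) -> list:
    """Return (component, installed_version, advisory_id) for every match."""
    inventory = parse_inventory(manifest)
    hits = []
    for adv in advisories:
        installed = inventory.get(adv.component)
        if installed is not None and is_affected(installed, adv.fixed_in):
            hits.append((adv.component, installed, adv.advisory_id))
    return hits


if __name__ == "__main__":
    for component, version, adv_id in find_affected(INVENTORY, ADVISORIES):
        print(f"{component}=={version} is affected by {adv_id}; update to the fixed version")
```

The comparison is deliberately strict about pinning: a manifest entry without an exact version is an error rather than a silent skip, because an inventory that cannot say which version is deployed cannot answer the question an advisory asks. Real ecosystems have richer version schemes (pre-release tags, epochs), so a production check should use the ecosystem's own version parser rather than the integer-tuple shortcut here.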
For decades, cities were built and developed with functionality and convenience in mind. It wasn’t until the Great Chicago Fire destroyed an entire city and cost the lives of hundreds of people that cities began creating fire codes. They realized there were diminishing returns on building more fire stations. The buildings themselves needed to become more fireproof. Like a rapidly growing city, we’ve built our applications quickly and without regard for the fact that they exist in a hostile environment. Every application that holds valuable data will be attacked, just like every car will drive on a slippery road and every person will be exposed to pathogens. We have to stop pretending we can keep the bad guys from attacking the code that protects our data.
Fortunately, the path to writing and deploying secure applications is not as hard as it’s made out to be. Any company can go from having an ad-hoc approach to having an advanced program, regardless of the number of applications that need securing.
The rise in healthcare mobile applications could cause headaches for the government. That's why it's vital that all applications which access confidential data are fully tested and protected from vulnerabilities which could be an easy target for cyber-criminals wishing to damage the NHS or profit from the wealth of sensitive data it holds.
Any vendor should be able to show proof that they conduct code reviews on any applications that touch your applications. “If they say, 'No, we don't do that,' or 'We don't share results on our internal security,' they probably do, and they're just trying to make you go away," said Chris Wysopal, CTO for Veracode. "One of the things we've learned is that if you push hard enough, they say, 'Yeah, you're right. We have had a third-party audit, and we can show you the results.'"
Veracode’s Sam King comments that the strategic benefits of cloud and mobile adoption within organizations mean that security professionals no longer have to fight to be heard in their firms. "They don't have to convince anybody that there's something they have to be concerned about when you've got an application and you're retailing it through another person, like Apple iTunes or Google Play or what have you.”
Healthcare organizations need to carefully scrutinize the security of electronic health record and other applications they use because encryption and other features often have shortcomings.
The report reveals how application security is viewed and addressed by healthcare providers across the US. The number one concern of these executives was the exploitation of vulnerabilities in web, mobile and cloud-based applications. Survey respondents cited the potential for loss of life due to compromised networks or medical devices, brand damage due to theft of patient information and regulatory enforcement as their top fears related to such security breaches.
One thing insecure applications have accomplished is to increase healthcare’s fear of liability. 57% of those surveyed are increasing spending on external security assessments; 56% are adding liability clauses into contracts with commercial-software vendors in their supply chain; 54% are implementing frameworks like the SANS Institute Security Controls.
Veracode’s Chris Wysopal said that 80 percent of healthcare applications contain easily avoidable cryptographic issues such as weak algorithms, which is why keeping security a priority as software is being built is essential for the industry.
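Weak-algorithm use is "easily avoidable" in the sense that the choice is visible in the source: the algorithm is named at the call site, so a simple scan over the code can surface it long before a security assessment does. The block below is an added example of such a scan, not Veracode's analysis engine or any statement about the healthcare applications in the survey; the sample source lines are constructed, and the replacement suggestions are the editor's assumptions about the common modern choice, not recommendations drawn from the page.

```python
"""
Weak-algorithm finder (added example; the sample source is constructed).

Reports every line of a source file that names a hash or cipher widely
regarded as weak, together with a stronger replacement to consider.
"""
import re

# Pattern -> suggested replacement. Matching is case-insensitive. The
# replacement text is an assumption about the usual modern choice.
WEAK_PATTERNS = {
    r"\bmd5\b": "SHA-256 (or PBKDF2/bcrypt/Argon2 if this hashes a password)",
    r"\bsha-?1\b": "SHA-256",
    r"\b(?:triple)?des\b|\b3des\b": "AES-GCM",
    r"\brc4\b|\barcfour\b": "AES-GCM",
    r"\becb\b": "an authenticated mode such as GCM",
}

# Constructed sample: a mix of weak and acceptable calls to scan.
SAMPLE_SOURCE = """\
import hashlib
digest = hashlib.md5(password.encode()).hexdigest()
cipher = Cipher(algorithms.AES(key), modes.ECB())
signature = hmac.new(key, msg, hashlib.sha256)
legacy = Cipher(algorithms.TripleDES(key), modes.CBC(iv))
token = hashlib.sha1(nonce).hexdigest()
"""


def scan_source(source: str) -> list:
    """Return one finding per weak-algorithm match, in line order.

    Each finding records the line number, the matched token, the code
    line and the suggested replacement.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for pattern, replacement in WEAK_PATTERNS.items():
            match = re.search(pattern, line, re.IGNORECASE)
            if match:
                findings.append({
                    "line": lineno,
                    "match": match.group(0),
                    "code": line.strip(),
                    "replace_with": replacement,
                })
    return findings


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['match']!r} in `{f['code']}` -> consider {f['replace_with']}")
```

Name matching of this kind is a triage aid, not a verdict: MD5 used as a non-security checksum is a false positive, and a weak algorithm selected through a variable or configuration value is a false negative. Its value is that it runs in seconds on every commit, which is the "keep security a priority as software is being built" point the quote makes.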
The fear of cyberthugs exploiting vulnerabilities in web, mobile, and cloud-based apps is more worrying to healthcare organizations than user error like employee negligence, malicious insiders, and phishing attacks.