Software developers are depending more and more on third-party code, or dependencies, when building their applications. Rather than reinvent the wheel for tasks such as logging and authentication, developers often deploy open-source code. That can create security problems for software writers, as the recent mammoth breach at credit services company Equifax illustrated.
The government has just announced a new strategy for industry that aims to tackle weak productivity and bolster businesses to counter any new problems caused by Brexit. The strategy highlights the need for improving digital skills, especially in cybersecurity. Paul Farrington, Manager of EMEA Solution Architects at Veracode, commented.
Developers can play a vital role in accelerating the adoption of AppSec practices, security vendor says. Data from a new study suggests that there are several measures developers can take to accelerate the adoption of formalized application security practices at their organizations.
The idea that developers don’t care about application security is a myth. A recently released report found that not only do developers take application security seriously, they take the time to find and fix vulnerabilities in their applications.
Developers today frequently find themselves between a rock and a hard place. The business may not place security at the top of its priorities, but we all know how vital it is – and in today’s agile and DevOps working environments, developers cannot afford to finish applications and then leave the tidying up to the security team.
A new report from CA Veracode issued today argues that while developers do care about security, and are getting better at it, more work still needs to be done – including to ‘think like an attacker.’
More than 90 percent of applications using the same programming library that, left unpatched, led to the Equifax data breach also fail to keep that software up to date, reports the security firm CA Veracode.
On the developer side, Veracode's solution comes in Veracode Greenlight, a plugin for the most common development environments (Eclipse, Visual Studio, etc.). It picks up the code compiled on the fly on the developer's machine and sends it to the Veracode SaaS service, which checks that security flaws have not been inadvertently introduced. When one is found, the plugin immediately reports it to the developer, highlighting the flaw in the code being written and displaying, on the right side of the screen, a known way to fix it.
In an age of nation-state level cyberwarfare, countries with the best hacking tools are the new military powers. The US has been aggressive in efforts to find new and powerful vulnerabilities to exploit, and slow in disclosing them to technology vendors. But it has also not been effective in keeping those secrets from falling into the hands of hackers such as the Shadow Brokers and whistle-blower sites such as WikiLeaks and the Intercept.
“Come to my lab, I promise you’ll learn something cool,” a friend told Chris Eng. Within a couple of hours, he had walked him through writing an exploit for an obscure Linux bug, and Eng was hooked on the idea that one could leverage a programming error to gain root privileges on the system.
The development of microservices, instead of monolithic applications, can pay off in the long run. In terms of application security, however, there are some challenges, warns CA Veracode. Once a company has created the structures to consistently develop microservices, there are a number of advantages. For example, microservices can be reused in different applications: instead of developing four apps each with its own payment processing system, the component is programmed only once and used by several applications. This also makes maintenance easier: if part of the solution is outdated or malfunctions, only a small service needs to be updated or replaced. That is a big advantage over monolithic software, where even the smallest changes can have unpredictable effects.
Rogue hackers or hostile states could "kill millions" using hijacked cars, and a spike in road deaths is inevitable if manufacturers do not rush to solve cybersecurity issues, an expert has warned.
CA Veracode makes checks throughout the development pipeline to ensure that security testing is a focus of the development process.
Yesterday at CA World, Las Vegas, Sam King, chief strategy officer at Veracode, spoke to DevOps Online journalist Leah Alger about gender imbalance in today's tech scene.
Veracode Greenlight is available as a free trial to boost development speed and quality.
Java developers should be more aware of the open source software components they put in their applications if they want to avoid a security breach. A new report released by CA Veracode revealed that 88% of Java apps include at least one vulnerable component, and about 53.3% of Java apps rely on a vulnerable version of the Commons Collections component.
There are a lot of ways that companies are missing the mark on AppSec, but there are a lot of ways they aren’t, and we can learn a lot from those that are doing it right.
While data security investments have proved crucial to businesses, as evidenced by recent cyber attacks that have hijacked sensitive information from users around the world, applications are no more secure today than they were a decade ago. This is revealed by Veracode, a software security company recently acquired by CA Technologies. The survey, for which 1,400 companies were evaluated, reveals that at least one flaw was found in the initial tests of 77% of the reviewed apps, and 25% of the sites contain at least one serious vulnerability.
Application security vendor Veracode has released the "2017 State of Software Security Report," and the results paint an unflattering picture of Java developers. An alarming 88 percent of Java applications contain at least one vulnerable component, the report's authors found. Why? Developers don't patch components in production once vulnerabilities are found and new versions of those components are released.
DevSecOps combines application security and DevOps. With this approach, IT security is included in the software development and software lifecycle right from the start. More from CA Veracode's Julian Totzek-Hallhuber.
Software and application security vendor Veracode has gone through a re-brand and a change of leadership, and Infosecurity recently met with SVP and general manager Sam King to learn all about it...
Digital transformation is one of the hottest buzzwords in the technology industry today. While it tends to be overused, the term does represent a widespread, ongoing movement that will set a standard for the next generation of enterprises. More from CA Veracode's Pete Chestna (@PeteChestna).
Pete Chestna (@PeteChestna), the director of developer engagement at CA Veracode, puts it all together by boiling down secure DevOps transformation to five key steps. Successful teams engage in automated software testing, integrate security early to fail quickly, avoid generating false alarms, appoint security champions within teams, and maintain operational visibility at all times.
In the year 79 AD, the citizens of Pompeii and Herculaneum thought that the smaller earthquakes they noticed were due to angry gods. They lacked the knowledge to interpret them as a warning of the imminent, devastating eruption of Mount Vesuvius. We should not make a similar mistake about cyber security.
On 25 May 2018, the transitional period for the European Data Protection Regulation (EU GDPR) ends. This will make data protection rules much more stringent for businesses and governments. Many previous data protection measures must be questioned, updated or expanded.
CA Veracode's Chris Wysopal explains how defenders can help developers create secure software through coaching, shared code, and services.