The results of Veracode's State of Software Security report are alarming: 88 percent of Java applications contain at least one component that makes them vulnerable to cyber-attacks. The reason for this is the lack of visibility and management of open source components in enterprise applications.
When building and deploying applications, developers continue to make the same security errors year after year, according to a new study from CA Veracode. The 44-page CA Veracode State of Software Security Report, released on Oct. 18, provides insight from 400,000 software assessments conducted using the CA Veracode platform between April 1, 2016 and March 31, 2017. Among the high-level findings in the report is that the same classes of vulnerabilities continue to be found in similar percentages in the last several years. Of note, CA Veracode found that 88 percent of Java applications that were scanned had at least one vulnerable component. In this slideshow, eWeek looks at some of the highlights from CA Veracode's latest State of Software Security Report.
Application security continues to stink at many organizations, a new report from Veracode shows. But developers are not the only ones to blame. A failure by organizations to provide adequate security training and by operational teams to address vulnerabilities in the production environment have a big impact on application safety as well, the company said.
According to a study by Veracode, a lack of visibility into, and management of, the open source components in enterprise applications is the reason so many Java applications are vulnerable to cyber attacks. Veracode reports on the state of application security in its latest study, the "State of Software Security Report." According to the results, 88 percent of Java applications contain at least one component that could give attackers a way in, and the cause is that organizations neither know which open source components their enterprise applications use nor manage them. According to Veracode, less than 28 percent of companies regularly analyze the open source and third-party components used in their applications.
Solution architect at Veracode Chris Campbell (@chris_campbell) says that open source software is clearly enabling businesses to lean in on community expertise and deliver value from applications faster than ever before. “But as recent high-profile breaches have shown us, there are tangible consequences to customers and employees if the vulnerability risk associated with OSS components isn’t managed effectively,” said Campbell. Veracode’s 2017 State of Software Security report suggests that 88% of Java applications have at least one vulnerability from OSS components. “The tools already exist to record and deal with OSS risk, many businesses now need to build these in to their application security programs as a top priority,” notes Campbell.
A recently released study conducted by CA Veracode has found that the majority of Java applications contain at least one vulnerable component, making them predisposed to widespread attacks.
In this 67th episode of The Security Ledger Podcast, Tim Jarrett of Veracode talks about how a single security hole in an open source library found its way into millions of applications.
Veracode's 2017 State of Software Security Report, an annual review of application security testing data, revealed that 88 percent of Java applications contain at least one vulnerable component.
Study Finds That Less Than 28 Percent of Organizations are Actively Monitoring the Components That Could Lead to Security Breaches
A new report from CA Veracode has exposed the pervasive risks companies face from vulnerable open source components. In its 2017 State of Software Security Report the firm reviewed application security testing data from scans of its base of 1400 customers, discovering that 88% of Java applications contain at least one vulnerable component, making them susceptible to widespread attacks.
CA Veracode announced findings from the 2017 State of Software Security Report, a comprehensive review of application security testing data from scans conducted by a base of more than 1,400 customers.
Veracode publishes the State of Software Security Report, and the results are alarming: 88 percent of Java applications contain at least one component that makes them vulnerable to cyber attacks.
Nearly nine in ten web applications written in a popular coding language use out of date open-source components that are now known to have security vulnerabilities, according to the software analysis firm Veracode.
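The reports above fault organizations for not knowing which open source components they ship, and for not checking those components against known advisories. As an added example (it is not Veracode's product code and does not come from any of the articles on this page), the Python script below shows the shape of that check for a Java project: it parses a Maven pom.xml, resolves `${property}` version placeholders, and matches each dependency against an advisory list with introduced/fixed version ranges. The pom.xml, the `org.example` coordinates and the `EXAMPLE-ADV-*` identifiers are all constructed for this example and do not refer to real libraries or real vulnerabilities.

```python
"""Toy software-composition check: inventory Maven dependencies and match them
against an advisory list. Added example for this page, not Veracode's product code."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed sample pom.xml; groupIds, artifactIds and versions are hypothetical.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo-app</artifactId>
  <version>1.0.0</version>
  <properties>
    <parser.version>2.2.0</parser.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>example-parser</artifactId>
      <version>${parser.version}</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>example-http</artifactId>
      <version>4.1.0</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>example-logging</artifactId>
      <version>1.9.3</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed advisory feed: identifiers and version ranges are hypothetical.
# An entry affects versions v with introduced <= v < fixed.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "group": "org.example", "artifact": "example-parser",
     "introduced": "2.0.0", "fixed": "2.3.1"},
    {"id": "EXAMPLE-ADV-0002", "group": "org.example", "artifact": "example-http",
     "introduced": "4.0.0", "fixed": "4.0.9"},
]

NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.3.1' into (2, 3, 1). Non-numeric qualifiers are dropped ('1.2-rc1' -> (1, 2))."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def _child_text(node: ET.Element, tag: str) -> str:
    child = node.find(f"m:{tag}", NS)
    return (child.text or "").strip() if child is not None else ""


def inventory(pom_xml: str) -> List[Dict[str, str]]:
    """Return the declared dependencies with ${property} version placeholders resolved."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    deps = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        version = _child_text(dep, "version")
        if version.startswith("${") and version.endswith("}"):
            version = props.get(version[2:-1], version)
        deps.append({"group": _child_text(dep, "groupId"),
                     "artifact": _child_text(dep, "artifactId"),
                     "version": version})
    return deps


def affected(dep: Dict[str, str], adv: Dict[str, str]) -> bool:
    """True when the dependency's coordinates match and its version falls in the advisory range."""
    if dep["group"] != adv["group"] or dep["artifact"] != adv["artifact"]:
        return False
    v = parse_version(dep["version"])
    return parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"])


def scan(pom_xml: str, advisories=ADVISORIES) -> List[Tuple[str, str, str]]:
    """Return (coordinate, version, advisory id) for every dependency an advisory covers."""
    findings = []
    for dep in inventory(pom_xml):
        for adv in advisories:
            if affected(dep, adv):
                findings.append((f"{dep['group']}:{dep['artifact']}", dep["version"], adv["id"]))
    return findings


if __name__ == "__main__":
    for coord, version, adv_id in scan(SAMPLE_POM):
        print(f"{coord}@{version} matches {adv_id}")
```

On the constructed input only `example-parser` is reported: its resolved version 2.2.0 lies inside the advisory range, while `example-http` at 4.1.0 is already past the fixed version. A production check differs in three ways worth knowing: it takes the advisory feed from a maintained vulnerability database rather than an inline list, it walks transitive dependencies (for Maven, the output of `mvn dependency:tree`) rather than only the direct ones declared in the pom, and it implements Maven's full version-ordering rules instead of the qualifier-dropping tuple comparison used here.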
DevOps poses special challenges for IT security. But continuous feedback can make applications safer. In this article, CA Veracode's Nabil Bousselham looks at which technologies can help.
Five anonymous former Microsoft employees tell Reuters that Microsoft's database of internally discovered vulnerabilities was compromised in 2013, but Microsoft will not confirm it occurred.
The architecture of software is changing fundamentally - Microservices are on the rise. Veracode, now part of CA Technologies, identifies three key challenges that drive application security. Microservices have been on the rise in software development for several years. Developing many small services rather than single monolithic applications offers many advantages.
Digital transformation has revolutionised the role of applications and software within the business. Previously viewed as the IT team’s domain, software is now something companies invest in to drive greater productivity and create new revenue streams. As the importance of software and applications, and the speed with which they are developed, increases, we have witnessed the transformation to DevOps. DevOps is changing the way companies build, test and deploy applications and is rising in popularity among many businesses, including major brands like Starbucks, LinkedIn, Apple and even NASA, that want to drastically speed up the product-to-market lifecycle.
The transition period for the EU General Data Protection Regulation (GDPR, known in Germany as the EU-DSGVO) ends on 25 May 2018. From then on, the data protection rules for companies and public authorities become much more stringent: many existing data protection measures must be re-examined, updated or extended. Time is running out, and many companies are behind schedule. The modern economy is nothing without data: no orders, no production, no sales, no customer service, no acquisition of new customers and no employee administration. Collecting and processing personal data is therefore a must. Because this data is so important, it is also coveted. In the past two years, one in two companies in Germany (53 percent, source: Bitkom) has fallen victim to data loss, data theft, economic crime or sabotage, with the resulting damage estimated at 55 billion euros annually. Data misuse happens daily and can happen to anyone. It is not caused only by cyber attacks or industrial espionage, but often by careless handling of data, for example when data management is absent or unprofessional.
Veracode announced support for security testing in applications built with Scala language, as well as the Python Boto3 framework within the Veracode Static Analysis solution.
Asking developers to stop using components would be like asking writers to stop using word processing and go back to typewriters. Components are a technological advance that enables productivity and innovation, and have simply become a standard tool of the trade. But with these benefits comes some risk. They can, and often do, contain vulnerabilities. And the nature of their use – the functionality in one component is used again in multiple other components – means they spread risk like wildfire. More from Veracode's Chris Wysopal (@WeldPond).
With Veracode Static Analysis, applications written in the Scala programming language or with the Boto3 software development kit for Python can now be analyzed. AWS applications and microservices benefit especially from the new support: Boto3 is used to develop cloud applications that access Amazon Web Services directly. Scala has also become more and more popular, not least because of its interoperability with the Java programming language: thanks to Java archive (JAR) integration, existing Java libraries and frameworks can easily be integrated into Scala projects. According to Scott Crawford, Research Director at 451 Research, Scala is "well suited to the increasingly emerging microservices application architectures, thanks to its scalability." The Veracode Static Analysis enhancements let developers test these applications for security flaws early in development. The solution draws on the experience Veracode has gained from analyzing more than two trillion lines of code and on continuous improvement of the analysis.
Veracode has announced an expansion to its security testing capabilities. This will enable developers to do security testing early in the development process to ensure that their applications are secure. Veracode Static Analysis now supports applications built in Scala and the Python Boto3 framework.
New support for the Python Boto3 framework and Scala brings static application security testing to these languages during software development, in support of secure coding practices
The SaaS offering Veracode Static Analysis now provides vulnerability testing for applications written in the JVM language Scala or with the Boto3 framework. Veracode, part of CA Technologies since March 2017, has expanded its software-as-a-service (SaaS) platform for the static analysis of software. Developers can now use Veracode Static Analysis to test applications they have written in Scala or with the Python framework Boto3 for vulnerabilities. Boto3 is the Amazon Web Services (AWS) SDK for Python; it exposes AWS services such as S3 and EC2 through an object-oriented API. According to the announcement, Veracode is currently the only security vendor to offer static analysis for the framework. The Scala programming language is becoming increasingly popular thanks to its scalability. Apache Spark is based on the JVM language, which combines functional and object-oriented approaches.
Veracode, which has been part of CA Technologies since March 2017, has expanded its software-as-a-service (SaaS) platform for the static analysis of software. Developers can now use Veracode Static Analysis to test applications they have written in Scala or with the Python framework Boto3 for vulnerabilities.
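The announcements above say that Boto3 code can now be statically analyzed, but not what such an analysis looks for. As an added example of what a static check over Boto3 code looks like (this is not Veracode Static Analysis and not code from any article on this page; it is a toy written for this page with Python's standard-library `ast` module), the script below parses source text without executing it and flags two illustrative patterns: AWS credentials passed as string literals to `boto3.client`, `boto3.resource` or `boto3.Session`, and public canned ACLs passed as `ACL=...` on S3 calls. The sample source, bucket names and credential strings are constructed placeholders, and the two rules are illustrative rather than a vendor's rule set.

```python
"""Toy static check for common Boto3 misuse, built on the standard-library ast module.
Added example for this page; not Veracode Static Analysis, and the rules are illustrative."""
import ast
from typing import List, Tuple

# Constructed sample program. Bucket names and credential strings are fabricated
# placeholders; the text is parsed, never executed, so boto3 need not be installed.
SAMPLE_SOURCE = '''
import boto3

def upload(path):
    s3 = boto3.client("s3", aws_access_key_id="AKIAEXAMPLEEXAMPLE",
                      aws_secret_access_key="example-secret-not-real")
    s3.put_object(Bucket="example-bucket", Key=path, Body=b"", ACL="public-read")
    s3.put_object(Bucket="example-bucket", Key="private/" + path, Body=b"")

def make_bucket():
    s3 = boto3.resource("s3")
    s3.create_bucket(Bucket="example-other-bucket", ACL="public-read-write")
'''

# Keyword arguments on boto3 factories that should never carry a string literal.
CREDENTIAL_KWARGS = {"aws_access_key_id", "aws_secret_access_key", "aws_session_token"}
# Canned S3 ACLs that grant access beyond the bucket owner's account.
PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}


def _is_boto3_factory(call: ast.Call) -> bool:
    """True for boto3.client(...), boto3.resource(...) and boto3.Session(...)."""
    f = call.func
    return (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
            and f.value.id == "boto3" and f.attr in {"client", "resource", "Session"})


def _callee(call: ast.Call) -> str:
    """Short name of the called function, for the finding message."""
    f = call.func
    return f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", "<call>")


def find_issues(source: str) -> List[Tuple[int, str]]:
    """Return (line number, message) for each flagged call in the given source text."""
    issues = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        for kw in node.keywords:
            # Rule 1: a credential passed as a string literal to a boto3 factory.
            if (_is_boto3_factory(node) and kw.arg in CREDENTIAL_KWARGS
                    and isinstance(kw.value, ast.Constant)
                    and isinstance(kw.value.value, str)):
                issues.append((node.lineno, f"hardcoded credential in keyword '{kw.arg}'"))
            # Rule 2: a public canned ACL literal on any method call that takes ACL=...
            if (kw.arg == "ACL" and isinstance(node.func, ast.Attribute)
                    and isinstance(kw.value, ast.Constant)
                    and kw.value.value in PUBLIC_ACLS):
                issues.append((node.lineno,
                               f"public ACL '{kw.value.value}' on {_callee(node)}"))
    return sorted(issues)


if __name__ == "__main__":
    for line, msg in find_issues(SAMPLE_SOURCE):
        print(f"line {line}: {msg}")
```

On the constructed sample the checker reports the two literal credentials on the `boto3.client` call, the `public-read` ACL on the first `put_object`, and the `public-read-write` ACL on `create_bucket`, while the second `put_object`, which sets no ACL, passes. The limitation is deliberate and instructive: both rules only see literal constants at the call site, so a credential read into a variable or an ACL string assembled at runtime slips through. Following such values from their origin to the call is the data-flow tracking that separates a real static analyzer from a pattern matcher like this one.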