Veracode has released new research revealing the widening gap between software creation and software security, with the rush to innovate outpacing the urgency to secure the process. The “Securing the Digital Economy” report highlights how investment in software and digital transformation is rapidly accelerating, with around one in five business leaders indicating that their software budget had increased 50 percent or more over the past three years to support digital transformation projects. However, the increased software development investment has not translated to greater security budgets or awareness of the security risks insecure software introduces: only 50 percent of business leaders surveyed understand the risk that vulnerable software poses to their business.
Developers are getting better at creating more secure software, but about the same proportion of programs are vulnerable as a decade ago, according to CA Veracode's most recent security report. Meanwhile, the risks have only increased. The impact of a security breach has dramatically increased because applications are the custodians of more critical data and functions than ever before.
Software is the lifeblood of most businesses today. So, what happens if that software is unreliable or insecure? It seems like a no-brainer that the software being pushed out should be protected. But, as software is being developed and deployed at a rapid pace, an important aspect of the life cycle gets lost in the race: Security.
The developer guide uses new data from the CA Veracode platform to support the fact that vulnerable open source components pose an omnipresent risk. Developers still have a high need for training and support in this area.
Particularly worrying: 91 percent of all Java applications that contain Struts components are based on a version of the framework with at least one critical or even particularly critical vulnerability.
Further findings of the Veracode study are:
Developers underestimate errors in code: Once again, 70 percent of applications fail this year when they run a Veracode security scan for the first time. Open-source software components as a source of risk: developers are increasingly turning to microservices to speed up their work. However, open source components in particular often contain risks and vulnerabilities, as the state-of-the-art software security report shows. 88 percent of the Java applications reviewed last year had at least one point of attack based on one of their components.
Hand in hand with security to enormous security gains: In modern DevOps teams, developers usually carry out the security tests for their applications themselves in order to eliminate errors directly. If they actively seek the advice of their security colleagues regarding the vulnerabilities, they can improve their bugfix rate by as much as 87.6 percent.
Thanks to Pete Chestna, Director of Developer Engagement and Jessica Lavery, Senior Manager, Security Strategy at CA Veracode for taking the time to speak to me at CA World 17. Pete and Jess were excited that CA Veracode Greenlight was now available as a free trial to help developers accelerate velocity and quality. Developers can produce vulnerability-free code with instant feedback on security defects in their IDEs. This enables them to speed the SDLC without compromising security while fulfilling the promise of DevSecOps.
CA Veracode has just published its annual State of Software Security (SOSS) report which analyzes data from 400,000 application scans from April 1, 2016 to March 31, 2017. The applications were written in more than a dozen programming languages for large and small organizations across a wide range of industries. A key finding is that most developers don't try to game the system by rejecting findings as false positives, or as mitigated by design. Developers documented mitigations for just 14.4% of all the flaws found by the CA Veracode platform.
Attacks by cybercriminals can be costly for businesses if they want to avoid losing their data. The most recent example is Uber, a global American driver services broker who has been the victim of a Ransomware attack: data from 57 million customers and drivers has been hacked, including names, addresses and driver's license numbers. Over paid $100,000 to the hackers and concealed the incident, but is now exposed to the serious charge of covering up a criminal offence. This latest case shows once again the importance of advanced data protection to prevent cyberattacks. Julian Totzek-Hallhuber, Solution Architect at the application security specialist CA Veracode, gives five tips on how companies can easily and effectively protect themselves against Ransomware attacks.
Akamai has published the latest report on the "State of the Internet". Some key statements: The number of DDoS attacks increased again in the third quarter of 2017, with eight percent growth compared to the second quarter. However, the number of attacks decreased slightly compared to the third quarter of 2016. (…) And the guest author, Chris Wysopal of Veracode, explicitly criticizes the ICT industry: "Although Application Security Testing promises a lot and is growing fast, it shows that applications are generally not more secure today than they were ten years ago". And further, Wysopal complains: "Most open source components remain unpatched once they have been built into the software."
More than 90 percent of applications using the same computer programming library that, left unpatched, lead to the Equifax data breach also fail to keep the software up to date, reports the security firm CA Veracode.
Software developers are depending more and more on third-party code, or dependencies, when forging their applications. Rather than reinvent the wheel for tasks such as logging and authentication, developers often deploy open-source code. That can can create security problems for software writers, as the recent mammoth breach at credit services company Equifax illustrated.
The government has just announced a new strategy for industry that aims to tackle weak productivity and bolster businesses to counter any new problems caused by Brexit. The strategy highlights the need for improving digital skills especially in cybersecurity. Paul Farrington, Manager- EMEA Solution Architects at Veracode commented.
Developers can play a vital role in accelerating the adoption of AppSec practices, security vendor says. Data from a new study suggests that there are several measures developers can take to accelerate the adoption of formalized application security practices at their organizations.
The idea that developers don’t care about application security is a myth. A recently released report found that not only do developers take application security seriously, they take the time to find and fix vulnerabilities in their applications.
Developers today frequently find themselves between a rock and a hard place. The business may not place security at the top of its priorities, but we all know how vital it is – and in today’s agile and DevOps working environments, developers cannot afford to finish applications and then leave the tidying up to the security team.
A new report from CA Veracode issued today argues that while developers do care about security, and are getting better at it, more work still needs to be done – including to ‘think like an attacker.’
On the developer side, Veracode's solution comes in Veracode Greenlight , a plugin for the most common development environments (Eclipse, Visual Studio, etc.). It retrieves the code compiled on the water on the developer's machine and sends it to the Veracode SaaS service, whose function is to check that security breaches have not been inadvertently inserted. When this is the case, the plugin immediately reports it to the developer, highlighting the flaw in the code being written and displaying, on the right side of the screen, a known means to correct it.
In an age of nation-state level cyberwarfare, countries with the best hacking tools are the new military powers. The US has been aggressive in efforts to find new and powerful vulnerabilities to exploit, and slow in disclosing them to technology vendors. But it has also not been effective in keeping those secrets from falling into the hands of hackers such as the Shadow Brokers and whistle-blower sites such as WikiLeaks and the Intercept.
“Come to my lab, I promise you’ll learn something cool,” a friend told Chris Eng. Within a couple of hours, he had walked him through writing an exploit for an obscure Linux bug, and Eng was hooked on the idea that one could leverage a programming error to gain root privileges on the system.
The development of microservices, instead of monolithic applications, can pay off in the long run. In terms of application security, however, there are some challenges, warns CA Veracode. Once a company has created the structures to consistently develop microservices, there are a number of advantages. For example, microservices can be used multiple times in different applications. Instead of, for example, developing four apps each with its own payment processing system, the component is programmed only once and used by several applications. This also results in easier maintenance: if part of the solution is outdated or malfunctions occur, only a small service needs to be updated or replaced. Compared to monolithic software this is a big advantage, because even the smallest changes can have unpredictable effects.
Rogue hackers or hostile states could "kill millions" using hijacked cars, and a spike in road deaths is inevitable if manufacturers do not rush to solve cybersecurity issues, an expert has warned.
CA Veracode makes checks throughout the development pipeline to ensure that security testing is a focus of the development process.
Yesterday at CA World, Las Vegas, Sam King, chief strategy officer at Veracode, spoke to DevOps Online Journalist, Leah Alger, about gender imbalance in the tech scene of today
Veracode Greenlight, which is available as a free trial to boost development speed and quality.
Java developers should be more aware of the open source software components they put in their applications if they want to avoid a security breach. A new report release by CA Veracode revealed 88% of Java apps include at least one vulnerable component, and about 53.3% of Java apps rely on a vulnerable version of the Commons Collections components.
While data security investments prove crucial to businesses, as evidenced by recent cyber attacks that have hijacked sensitive information from users around the world, applications are no longer secure today than they were a decade ago. This is revealed by Veracode, a software security company recently acquired by CA Technologies. The survey, for which 1,400 companies were evaluated, reveals that at least one failure was found in the initial tests of 77% of the reviewed apps and 25% of the sites contain at least one serious vulnerability.