Enhancing the security of your applications

Smart Cybersecurity Handbook 2022 Cyber Security

Is software part of how you are delivering value to your customers? But how is your organisation innovating through software?

Software adds value, but it also introduces risk. Let’s take the example of Equifax – described as a data ‘mega-breach’ that exposed the personal information of 147 million people and was caused by an application vulnerability that cost the company more than US$ 2 billion, with about US$ 700 million in settlements alone. The company went on to become the subject of US congressional hearings as well as several investigations.

The interesting thing about this is that they had application security tools in place, so what went wrong?

Veracode has partnered with companies to deliver application security programmes since 2006 and here are the most common reasons we see why secure software initiatives fail.

No remediation

Firstly, AppSec programmes fail when developers are not engaged or empowered to fix vulnerabilities and security teams are only incentivised to find weaknesses but not to remediate them. Too often, security teams dictate rather than partner with development teams and have unrealistic expectations. The mountain of technical debt can be enormous and developers are often not trained to fix potential liabilities. The net result is a toxic relationship between security and development.

Complex tools

Secondly, tooling is difficult to manage and many solutions require weeks, if not months, of deployment before they are able to conduct the first scan. Then come the operational headaches, plus scalability and high availability issues. Maintaining solutions can be challenging, leaving businesses months behind coverage for the language and framework versions their development teams are using.

To busy putting out fires

Thirdly, security teams are often busy running scans and keeping infrastructure up to date that they simply don’t have time to focus on the programme itself. They’re in a vicious cycle and don’t have the headcount to deliver an holistic AppSec programme that gets stakeholders aligned on the vision and roadmap for it. Reporting the correct metrics to C-Level executives on successes is difficult and hence programmes continue to be underfunded.

Most AppSec programmes forget that there is only one role that can fix security finding and that`s the developer. Yet, many of them don’t empower developers to do so and focus their programmes on finding flaws and not fixing them.

Veracode offers developers three types of advice that delivers a high percentage of fixes. Firstly, they receive automated advice from its solution in the form of text or video tutorials. Secondly, they can reach out to peers in the Veracode Community and see if it can find a solution there. Thirdly, it can schedule a call with a secure coding expert to go through the source code together and discuss approaches to fixing the issue. The Veracode approach makes this much easier because its consultants can view the data and control flow of the application to suggest the best way to fix issues.


Veracode’s approach to application security addresses these three areas:

• Veracode provides a unified solution for all major application analysis types, languages and frameworks. This helps companies to consolidate point solutions that would otherwise have to be managed separately, which can lead to complex deployments, operations and reporting. Veracode solutions integrate with the development pipeline so that analysis can be fully automated.

• We help businesses to scale their security teams by engaging and empowering security champions within companies’ development teams. We guide teams towards targeted training; if one team has a higher frequency of the same security issue, we focus our programmes on fixing vulnerabilities, not just finding them, so organisations don’t end up in the same position as Equifax.

• Finally, we assist security teams with AppSec governance. This starts by helping businesses to define a programme to achieve compliance with internal policies, contractual requirements and regulatory mandates. We help companies to scale programmes through best practices that we have developed over 15 years while working with over 2500 customers. Furthermore, we can also assist with selling the value of AppSec programmes to senior management, development teams and even customers.

For more information go to www.veracode.com




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

The 5 most common security concerns in the Web 3.0 world
Cyber Security
Cisco Talos has done a deep dive to highlight the most common security challenges, driven by cryptocurrency, blockchain technology, decentralised applications and decentralised file storage.

Read more...
The components of and need for cyber resilience
Cyber Security Security Services & Risk Management
Organisations need to implement a comprehensive cyber resilience solution with data protection, backup, disaster recovery and business continuity to protect against ever-more complex and rising cyberthreats.

Read more...
Preventing cyberattacks on critical infrastructure
Industrial (Industry) Cyber Security
Cyberattacks have the potential to disrupt our lives completely, and in instances where critical national infrastructure is attacked, they could disrupt the country’s entire economy, leading to loss of life and livelihoods.

Read more...
Unrecoverable encrypted data
News Cyber Security
Cybersecurity research indicates that 76% of organisations admit to paying ransomware criminals, however, one-third are still unable to recover data.

Read more...
Citrix App Protection helps secure remote workers
Cyber Security IT infrastructure
Many organisations are implementing a zero-trust security model with data protection as a top priority. This is largely due to the increase in remote work and unmanaged personal devices playing a growing role in the enterprise.

Read more...
2022 Cloud Security Report
Cyber Security IT infrastructure
The 2022 Cloud Security Report reveals how security executives and practitioners are using the cloud, how their organisations are responding to security threats in the cloud, and the challenges they are facing.

Read more...
Arcserve launches N Series appliances
IT infrastructure Cyber Security
Arcserve introduces N Series appliances offering enterprise-level integrated data protection, recovery and cybersecurity to allow customers to simplify their IT environments and secure data.

Read more...
Securing business information more important than ever
Cyber Security Products
SMBs need to operate safely within the physical and virtual boundaries created by work-from-home business practices, as well as in-office operations.

Read more...
Storage is essential for a comprehensive cybersecurity strategy
Integrated Solutions Cyber Security
Cyber resilience is the ability of an enterprise to limit the impact of security incidents by deploying and arranging appropriate security tools and processes.

Read more...
Malicious file protection for mobile devices
Cyber Security
The new version of Check Point Harmony Mobile, a mobile threat solution, can now block the download of malicious files to mobile devices, preventing file-based cyberattacks on organisations.

Read more...