Categories

Editor's Choice
Tech Jobs Network
News & Events
Access Control & Identity Management
AI & Data Analytics
Asset Management
Associations
Conferences & Events
Facilities & Building Management
Fire & Safety
Information Security
Infrastructure
Integrated Solutions
IoT & Automation
Perimeter Security, Alarms & Intruder Detection
Power Management
Products & Solutions
Security Services & Risk Management
Smart Home Automation 
Surveillance
Training & Education
Videos
Security by Industry Sector ▾








Print this page printer friendly version

Enhancing the security of your applications

SMART Cybersecurity Handbook 2022 Information Security

By Craig de Lucchi, Veracode

Is software part of how you are delivering value to your customers? But how is your organisation innovating through software?

Software adds value, but it also introduces risk. Let’s take the example of Equifax – described as a data ‘mega-breach’ that exposed the personal information of 147 million people and was caused by an application vulnerability that cost the company more than US$ 2 billion, with about US$ 700 million in settlements alone. The company went on to become the subject of US congressional hearings as well as several investigations.

The interesting thing about this is that they had application security tools in place, so what went wrong?

Veracode has partnered with companies to deliver application security programmes since 2006 and here are the most common reasons we see why secure software initiatives fail.

No remediation

Firstly, AppSec programmes fail when developers are not engaged or empowered to fix vulnerabilities and security teams are only incentivised to find weaknesses but not to remediate them. Too often, security teams dictate rather than partner with development teams and have unrealistic expectations. The mountain of technical debt can be enormous and developers are often not trained to fix potential liabilities. The net result is a toxic relationship between security and development.

Complex tools

Secondly, tooling is difficult to manage and many solutions require weeks, if not months, of deployment before they are able to conduct the first scan. Then come the operational headaches, plus scalability and high availability issues. Maintaining solutions can be challenging, leaving businesses months behind coverage for the language and framework versions their development teams are using.

To busy putting out fires

Thirdly, security teams are often busy running scans and keeping infrastructure up to date that they simply don’t have time to focus on the programme itself. They’re in a vicious cycle and don’t have the headcount to deliver an holistic AppSec programme that gets stakeholders aligned on the vision and roadmap for it. Reporting the correct metrics to C-Level executives on successes is difficult and hence programmes continue to be underfunded.

Most AppSec programmes forget that there is only one role that can fix security finding and that`s the developer. Yet, many of them don’t empower developers to do so and focus their programmes on finding flaws and not fixing them.

Veracode offers developers three types of advice that delivers a high percentage of fixes. Firstly, they receive automated advice from its solution in the form of text or video tutorials. Secondly, they can reach out to peers in the Veracode Community and see if it can find a solution there. Thirdly, it can schedule a call with a secure coding expert to go through the source code together and discuss approaches to fixing the issue. The Veracode approach makes this much easier because its consultants can view the data and control flow of the application to suggest the best way to fix issues.

Veracode’s approach to application security addresses these three areas:

• Veracode provides a unified solution for all major application analysis types, languages and frameworks. This helps companies to consolidate point solutions that would otherwise have to be managed separately, which can lead to complex deployments, operations and reporting. Veracode solutions integrate with the development pipeline so that analysis can be fully automated.

• We help businesses to scale their security teams by engaging and empowering security champions within companies’ development teams. We guide teams towards targeted training; if one team has a higher frequency of the same security issue, we focus our programmes on fixing vulnerabilities, not just finding them, so organisations don’t end up in the same position as Equifax.

• Finally, we assist security teams with AppSec governance. This starts by helping businesses to define a programme to achieve compliance with internal policies, contractual requirements and regulatory mandates. We help companies to scale programmes through best practices that we have developed over 15 years while working with over 2500 customers. Furthermore, we can also assist with selling the value of AppSec programmes to senior management, development teams and even customers.

For more information go to www.veracode.com




Share this article:
Share via emailShare via LinkedInPrint this page


Further reading:

Managed security solutions for organisations of all sizes
Information Security News & Events
Cyber attackers have become significantly more sophisticated and determined, targeting businesses of all sizes. PwC’s Global Digital Trust Insights Survey 2025 Africa and South Africa highlights the urgent need for organisations to implement robust cyber risk mitigation strategies.

Read more...
Data resilience at VeeamON
Technews Publishing SMART Security Solutions Infrastructure Information Security
SMART Security Solutions attended the VeeamON Tour in Johannesburg in August to learn more about data resilience and Veeam’s initiatives to enhance data protection, both on-site and in the cloud.

Read more...
Troye exposes the Entra ID backup blind spot
Information Security Infrastructure
If you trust Microsoft to protect your identity, think again. Many organisations naively believe that Microsoft’s shared responsibility model covers Microsoft Entra?ID – formerly Azure AD – but it does not.

Read more...
Secure data protection without hardware lock-in
Infrastructure Information Security News & Events
New Veeam Software Appliance empowers IT teams to achieve instant protection with Veeam’s fully preconfigured, software-only appliance, delivering enterprise-ready simplified deployment and operational efficiency, robust cyber resilience.

Read more...
Check Point launches open, vendor-neutral MDR services
Information Security News & Events Products & Solutions
New Check Point MDR 360° and MXDR 360° offerings deliver 24/7 managed continuous threat monitoring protection across endpoints, cloud and network environments with built-in identity threat detection and 160+ integrations across hybrid, multi-vendor environments.

Read more...
Credential theft surges in South Africa
NEC XON Information Security
NEC XON issues a critical cybersecurity warning about the dual threat of massive credential theft and AI-powered cyberattacks sweeping across the region, with an increasing number of incidents and evolving threat tactics.

Read more...
Want effective Attack Surface Management? Think like an attacker.
Information Security
Effective ASM requires companies to think like attackers, anticipate risks, and act decisively to reduce exposure by knowing their environment, deploying a structured approach, leveraging capable tools, and addressing both internal and external risks.

Read more...
The growing role of hybrid backup
Infrastructure Information Security
As Africa’s digital economy rapidly grows, businesses across the continent are facing the challenge of securing data in an environment characterised by evolving cyberthreats, unreliable connectivity and diverse regulatory frameworks.

Read more...
POPIA non-compliance puts municipalities at risk
Information Security Government and Parastatal (Industry)
Digital responsibility must go beyond POPIA compliance to recognising that privacy and service delivery are fundamentally linked. Despite this, only 51 out of 257 municipalities submitted their mandatory data protection and access to information reports in 2024.

Read more...
Choicejacking bypasses smartphone charging security
News & Events Information Security
Choicejacking is a new cyberthreat that bypasses smartphone charging security defences to confirm, without the victim’s input or consent, that the victim wishes to connect in data-transfer mode.

Read more...











SMART Security Business Directory


While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.

Published by Technews

»  Dataweek Electronics & Communications Technology
»  Electronics Buyers' Guide (EBG)

»  SMART Security Solutions
»  SMART Security Business Directory

»  Motion Control in Southern Africa
»  Motion Control Buyers' Guide (MCBG)

»  South African Instrumentation & Control
»  South African Instrumentation & Control Buyers' Guide (IBG)



© Technews Publishing (Pty) Ltd. | All Rights Reserved.