Enhancing the security of your applications

Issue 7 2021 Cyber Security

Is software part of how you are delivering value to your customers? But how is your organisation innovating through software?

Software adds value, but it also introduces risk. Let’s take the example of Equifax, described as a data ‘mega-breach’ that exposed the personal information of 147 million people and was caused by an application vulnerability that cost the company more than US$2 billion, with about US$700 million in settlements alone. The company went on to become the subject of US congressional hearings as well as several investigations.

The interesting thing about this is that they had application security tools in place, so what went wrong?

Veracode has partnered with companies to deliver application security programmes since 2006 and here are the most common reasons the company sees why secure software initiatives fail.

No remediation

Firstly, AppSec programmes fail when developers are not engaged or empowered to fix vulnerabilities and security teams are only incentivised to find weaknesses, but not to remediate them. Too often, security teams dictate rather than partner with development teams and have unrealistic expectations. The mountain of technical debt can be enormous and developers are often not trained to fix potential liabilities. The net result is a toxic relationship between security and development.

Complex tools

Secondly, tooling is difficult to manage and many solutions require weeks, if not months, of deployment before they are able to conduct the first scan. Then come the operational headaches, plus scalability and high availability issues. Maintaining solutions can be challenging, leaving businesses months behind coverage for the language and framework versions their development teams are using.

To busy putting out fires

Thirdly, security teams are often busy running scans and keeping infrastructure up to date that they simply don’t have time to focus on the programme itself. They’re in a vicious cycle and don’t have the headcount to deliver an holistic AppSec programme that gets stakeholders aligned on the vision and roadmap for it. Reporting the correct metrics to C-Level executives on successes is difficult and hence programmes continue to be underfunded.

Veracode’s approach to application security addresses these three areas:

Veracode provides a unified solution for all major application analysis types, languages, and frameworks. This helps companies to consolidate point solutions that would otherwise have to be managed separately, which can lead to complex deployments, operations and reporting. Veracode solutions integrate with the development pipeline so that analysis can be fully automated.

Veracode helps businesses to scale their security teams by engaging and empowering security champions within companies’ development teams. It guides teams towards targeted training; if one team has a higher frequency of the same security issue, it focuses its programmes on fixing vulnerabilities, not just finding them, so organisations don’t end up in the same position as Equifax.

Finally, it assists security teams with AppSec governance. This starts by helping businesses to define a programme to achieve compliance with internal policies, contractual requirements, regulatory mandates. It helps companies to scale programmes through best practices that we have developed over 15 years while working with over 2500 customers. Furthermore, it can also assist with selling the value of AppSec programmes to senior management, development teams and even customers.

Most AppSec programmes forget that there is only one role that can fix security finding and that`s the developer. Yet, many of them don’t empower developers to do so and focus their programmes on finding flaws and not fixing them.

Veracode offers developers three types of advice that delivers a high percentage of fixes. Firstly, they receive automated advice from Veracode’s solution in the form of text or video tutorials. Secondly, they can reach out to peers in the Veracode Community and see if they can find a solution there. Thirdly, they can schedule a call with a secure coding expert to go through the source code together and discuss approaches to fixing the issue. The Veracode approach makes this much easier because its consultants can view the data and control flow of the application to suggest the best way to fix issues.




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

It is time to take a quantum leap in IoT cybersecurity
Drive Control Corporation Cyber Security
IoT has become integrated everywhere, including enterprises. While it offers many benefits, such as increased productivity and the rollout of mission critical applications, it can also lead to (enterprise) cyber-attack vulnerabilities.

Read more...
Can we reduce cyberattacks in 2023?
Cyber Security
Zero-trust cybersecurity strategy with simplicity and risk reduction at the heart is mandatory to reduce exponential cyberattacks in 2023, says GlobalData.

Read more...
Key success factors that boost security resilience
Cyber Security
Adoption of zero trust, secure access service edge and extended detection and response technologies, all resulted in significant increases in resilient outcomes, as are executive support and cultivating a security culture.

Read more...
Enterprise threats in 2023
News Cyber Security
Large businesses and government structures should prepare for cybercriminals using media to blackmail organisations, reporting alleged data leaks, and purchasing initial access to previously compromised companies on the darknet.

Read more...
CA Southern Africa unmasks container security
Technews Publishing IT infrastructure Cyber Security
Adoption of software containers has risen dramatically as more organisations realise the benefits of this virtualised technology.

Read more...
Shifts in threat landscape to industrial control systems
Cyber Security
Kaspersky’s ICS CERT researchers’ predictions include increased attack surface due to digitisation, activities of volunteer and cybercriminal insiders, ransomware attacks on critical infrastructure as well as the technical, economic and geopolitical effects, and the rise of potential vulnerabilities being exploited by attackers.

Read more...
Advanced persistent cybercrime
Cyber Security
FortiGuard Labs predicts the convergence of advanced persistent threat methods with cybercrime. Advanced persistent cybercrime enables new wave of destructive attacks at scale, fuelled by Cybercrime-as-a-Service.

Read more...
Digital razor wire: sharpening endpoint protection
Cyber Security
Crypto-mining, hacking, vulnerabilities, and threats – protecting the organisation’s endpoints has never been more important than it is today, says Reggie Nkabinde, consultant: modern platform-security at Altron Karabina.

Read more...
Fast, reliable and secure cloud services
Technews Publishing Editor's Choice Cyber Security IT infrastructure
Security and speed are critical components of today’s cloud-based services infrastructure. Cloudflare offers a range of services supporting these goals beyond what most people think it does.

Read more...
Industrial control systems under attack
News Cyber Security
According to Kaspersky ICS CERT statistics, from January to September 2022, 38% of computers in the industrial control systems (ICS) environment in the META region were attacked using multiple means.

Read more...