What's new around the internet


Src | Date (GMT) | Title | Description | Tags | Stories | Notes
Veracode.webp | 2021-04-29 16:28:56 | Developer Training Checklist: 5 Best Practices (direct link)
The role of the developer has evolved over the past several years. Developers are not only responsible for writing code and releasing new software rapidly but also for securing code. By implementing security in the software development lifecycle, you can reduce risk and cost without slowing down time to production. But the developer role is already stretched thin, and many developers don't have a background in security. How can you get developers up to speed on security measures in an engaging manner that doesn't add too much extra work? And how can you ensure that your developers are successfully implementing the security learnings? Leveraging findings from a recent Enterprise Strategy Group report, Modern Application Development Security, and tips from our Director of Development Enablement, Fletcher Heisler, we were able to establish a list of best practices to follow when training developers in security.
1. Make security training a real requirement. Developers are very busy. If they're not required to take secure coding training, it's highly unlikely that they will. So, make it part of their goals. And to ensure that they're paying attention to the trainings, consider adding knowledge checks.
2. Make sure the training is relevant and engaging. As Fletcher states in Four Fundamentals of Education The Sticks, use training tools like Security Labs that "bring magic, adventure, and exploration back to security so that developers can actually explore when something goes wrong." And make sure the examples are relevant to the developer's day-to-day work. The more realistic the examples, the more seriously developers take the training.
3. Measure the effectiveness of the training. Don't just assume that developer training is working; track it. To ensure that your developers are implementing the learnings from their security training, you should track both issue introduction and continuous improvement metrics for both scrum teams and individual developers. By keeping track of these metrics, you can tailor future security trainings toward areas of weakness. [As you can see in the chart below from Enterprise Strategy Group, only 41 percent of organizations are tracking the continuous improvement of development teams.] [Image: ESG efficacy]
4. Offer a mix of training types. Not everyone learns the same way. Some developers might prefer instructor-led courses while others might like on-demand courses or hands-on training tools. It's also important to keep in mind that developers likely have different levels of security knowledge. A new developer might need an introductory course to secure code training while a more experienced developer might benefit from a more technical course.
5. Implement a security champions program. Many organizations benefit from implementing a security champions program. To start a security champions program, select interested volunteers from each development team and give them the extra tools and training needed to be security experts on their scrum teams. They'll be able to pass along their additional security skills to peers on their team.
Tags: Tool
Veracode.webp | 2021-04-29 15:20:23 | Executive Order on Cybersecurity Is Imminent: It's Been a Long Time Coming (direct link)
Following President Biden's address to Congress last night, in which he referenced cybersecurity as a priority twice, news is circulating today that the executive order on cybersecurity is imminent. This news comes as a much awaited and long overdue step towards creating standardization and structure around cybersecurity. Anne Neuberger, the deputy national security advisor for cyber and emerging technology, says the order will be like the National Transportation Safety Board, or NTSB, for cyber. "What can we learn with regard to how we get advance warning of such incidents," she recently told reporters. She also notes that this executive order will be a starting point that should eventually trickle down to the consumer market as well. "If we start incentivizing security, then companies, [and] the market will then inherently prioritize it because more people will buy the product," she says. From my perspective, I am happy that this topic is finally coming full circle. In 2013, Chris Wysopal addressed this very topic in a keynote at RVASec where he discussed "The Future of Government Sharing." In fact, Chris started creating awareness with the federal government 23 years ago when he and some colleagues from hacker think tank the L0pht testified to Congress in efforts to expose the risks and threats of cybersecurity. Eight years later, I joined Chris when he launched Veracode to actually start solving the critical problem of software security; together we focused on helping developers and security teams on not just finding but also fixing vulnerabilities in their software (developed in-house, open source or third-party purchased).
Just last month on International Women's Day, I sat down with The New York Times cybersecurity reporter Nicole Perlroth and OWASP board member Vandana Verma to discuss this topic at an RSA Conference Podcast, sharing that Veracode's recent research revealed that 66 percent of applications fail to meet the OWASP Top 10 standards, meaning they have a major vulnerability. This highlights that there is work to be done and we must embed security testing into the software development lifecycle so, as developers write code, they write securely. In that discussion, Perlroth said, "We can't be trying to band-aid on these fixes after vulnerable code has already made its way to users, but also into critical infrastructure ... We need to think about security and security design from the start. We have to start bringing in security engineers from the very beginning." Part of making software more secure involves integrating security into the software development lifecycle and training developers. We should not expect secure code if we haven't established clarity on what good looks like, equipped developers with the right guidance, the right knowledge, and the right tools. The executive order has been a long time coming, and I hope it establishes what the right expectations and accountability should be. We must put structure and standardization around cyber and software security, and there are a number of great examples on how this has been done successfully. One of our customers, an educational software vendor, joined the Veracode Verified program in order to provide evidence of its security processes and
Tags: Uber
Veracode.webp | 2021-04-26 09:06:15 | How a Microsoft Engineer Implemented Veracode for a Large Azure Project (direct link)
With the need to produce innovative software faster than ever, and cyberattacks not slowing down, it's no surprise that, for projects large and small, ensuring the security of your code at every step is key. But if software engineers want to meet these everyday demands with success, it's important to understand how different security scanning types fit in throughout the development process, and how the needs of your team might impact scans. In my role as a Principal Solutions Architect here at Veracode, one of the main benefits is that I'm able to help customers do just that. One recent project in particular involved working with Stephanie Visser, a Software Engineer at Microsoft, to help a large manufacturing customer implement Veracode into their development process. The customer was undergoing a digital transformation at their factories and was missing those critical security scans to cover their code at the developer layer. As new Veracode users, Stephanie and her team spent quite a bit of time with me and other members of the team figuring out the best approach for implementing our testing tools. Here's how that project unfolded to improve productivity and boost quality for the customer.
Setting the scene with user stories
Like many organizations, the scenario Stephanie's team faced was multilayered. They were working with a large mono-repository that spanned teams, projects, and languages (.NET, JavaScript, and TypeScript, to be exact). Stephanie notes that in just one month, the team would generate more than 500 pull requests and over 8,400 commits from 100-plus developers. By leaning on Azure DevOps, they were able to collaborate more efficiently, share code, and build and test their projects.
But the customer also wanted to use Veracode's scanning solutions to improve the level of security in multiple stages of their software development lifecycle. That would, in turn, help them move security to the left so that it's integrated sooner in the coding process, helping them catch critical issues faster and saving the organization time and money. We know there's no one-size-fits-all when it comes to application security programs, and so Stephanie's team first began to lay out the most relevant user stories. This helped them better understand which scan types fit best at certain stages of the development process: [Image: User Stories] Evaluating the user stories with paired scenarios, scan types, and frequency not only clarified where they needed to integrate critical Veracode scans but also helped them understand when these scans need to run for maximum efficiency.
My code, our code, production code
"My Code, Our Code, Production Code" is a visual representation of why you can't treat security scans as one-and-done, highlighting where these critical tests should take place in the software development lifecycle. For example, in the Our Code phase of the process, which includes building, unit tests, and integration tests, using Static Analysis, Software Composition Analysis, and Interactive Analysis gives you better coverage on both proprietary and open source code.
Veracode.webp | 2021-04-23 12:58:34 | Are You Targeting These Risky Red Zone Vulnerabilities? (direct link)
Modern software development is full of security risk. Factors like lingering security debt, insecure open source libraries, and irregular scanning cadences can all impact how many flaws linger in your code, leading to higher rates of dangerous bugs in susceptible and popular languages. For example, we know from State of Software Security v11 that PHP has a high rate (nearly 75 percent) of cross-site scripting flaws on initial scan, which is also the most common type of open source code vulnerability across nearly every language. It's a dangerous one. CRLF injection, which is commonly seen in Java and JavaScript, can lead to maliciously manipulated web applications if a threat actor is able to inject a CRLF sequence into an HTTP stream. CRLF injection is dangerous and appears in a sizeable 65 percent of applications with a flaw on initial scan, posing a decent risk to apps written in Java and JavaScript if left unchecked. [Image: CRLF Injection] But not all flaws are so high-risk for common languages; Information Leakage, for example, is most often seen in .NET, PHP, and Java, typically stemming from a lack of secure code training. To stay one step ahead of even the low-risk (and high-risk) flaws, developers need to be armed with the right knowledge and tools so that they can produce more secure code to reduce the chance of a breach, whether low risk or in the danger zone. [Image: Bullseye] Understanding how flaws impact programming languages across the board is crucial to preventing them. Take note of which languages tend to carry the most high-risk flaws first; whether or not yours is in the mix, it's a good idea to brush up on secure coding best practices and try your hand at hacking and patching real applications with Veracode Security Labs.
You can't fake it when it comes to security: hands-on-keyboard education is critical to jumping these (and other) hurdles as you create innovative applications. If you want to keep data safe and squash these risky bugs, you have to think like an attacker and avoid flaw-filled curveballs in the future. To learn more about which vulnerabilities are in the danger zone (and how to go about preventing them), check out our infosheet here.
Tags: Vulnerability Threat Patching Guideline
Veracode.webp | 2021-04-23 09:34:12 | Reporting Live From Collision Conference 2021: Part Two! (direct link)
If you caught part one of our recap series on this year's Collision conference, you know we covered a roundtable talk hosted by Veracode's own Chris Wysopal. The talk focused on the risks of AI and machine learning, delving into discussions of how to manage the security aspects of these future-ready technologies, especially when it comes down to consumer privacy. Chris also had the opportunity to host a session of his own, covering the critical aspects of modern application security and the reasons that organizations need to get serious about security-minded approaches to their code. Here's what we learned.
Secure from the top down
Chris began his session Secure From the Top Down by noting that, today, it's important to think about application and product security through the eyes of the developer or the builder. With so many applications running in the cloud and so many devices connected to the Internet of Things (IoT), Chris pointed out that the attack surface for threat actors is growing exponentially and that everyone building and deploying technology needs to consider the risks moving forward. Connected devices are everywhere, Chris said, but they're not typically behind a firewall. Normally, these devices are connected to 5G or Wi-Fi. According to Chris, this means devices essentially need to secure themselves and all of the connection points where they talk to other devices, or they pose a security risk. Further, everything is connected through APIs today. "We used to have big, monolithic software packages with one big block of code," Chris said. "Today, we have a lot of small devices; even with applications running in the cloud, they're built with microservices and are talking to each other through APIs."
This is a way an attacker can exploit a device or an application, and it means the builders of today need to improve the security around their APIs for a more secure tomorrow. It's already a problem; Chris pointed out in his session that, according to the 2020 Verizon Data Breach Investigations Report, 43 percent of breaches come from single page applications. Developers working on building these single page apps need to be more considerate with their security.
Looking ahead at trends
Time is the biggest competitor for most organizations, according to Chris, and there are three main trends that are going to impact product security moving forward: ubiquitous connectivity, abstraction and componentization, and hyperautomation of software delivery.
Ubiquitous connectivity
While this involves the rise of APIs and IoT devices, what it really comes down to is that each piece of software connected through the network and APIs must think about securing itself. "Each code that is exposing an API needs to think about how it will authenticate, encrypt, and secure itself from all
Tags: Data Breach Threat Patching
Veracode.webp | 2021-04-23 09:19:39 | Practical Steps for Fixing Flaws and Creating Fewer Vulnerabilities (direct link)
All security flaws should be fixed, right? In an ideal world, yes, all security flaws should be fixed as soon as they're discovered. But for most organizations, fixing all security flaws isn't feasible. A practical step your organization can, and should, take is to prioritize which flaws should be fixed first. To figure out which flaws should take precedence on your remediation "to-do" list, consider defect severity, the criticality of the application, and how easy it would be to exploit the flaw. In other words, which flaws pose real and immediate risk? Once you've determined which flaws should be fixed first (like OWASP Top 10 vulnerabilities), you can create an application security (AppSec) policy to break the build whenever a flaw falls into that category. For example, if an AppSec scan uncovers a SQL injection flaw, it will break the build so that a developer can fix the flaw prior to production. At this point, developers have three options for fixing the flaw: remediation, mitigation, or acceptance. Remediation fixes a vulnerability using code or configuration changes or patches. Mitigation is used when the primary control is not available or not feasible to implement, so compensating controls (such as virtual patches with a WAF) are put in place to reduce or eliminate the exploitability of the vulnerability. And lastly, acceptance is used if the vulnerability is declared low-risk and not worth remediating. As your developers get used to the AppSec policy and are comfortable fixing OWASP Top 10 flaws, you can then add additional policies. But it's important that you don't add too many policies at once. (Unrealistically high expectations for flaw remediation can result in developers taking shortcuts to avoid the policies.) Another way to "fix" flaws is to prevent them from existing in the first place.
If you train your developers to write secure code, you can decrease the number of code errors that will need to be fixed later in the software development lifecycle (SDLC). Integrating automated security tools early into the SDLC and providing guidance for fixing security-related defects can also prevent late-stage fixes. And, if your organization isn't doing so already, start scanning more frequently. Scanning frequently not only ensures that you're introducing fewer flaws into your code, but also helps improve time to flaw remediation. In fact, according to our State of Software Security v11 report, scanning frequently can reduce the time it takes to remediate 50 percent of security flaws by 22.5 days. [Image: SOSS scan frequency] Bottom line: the best way to fix flaws fast while creating fewer vulnerabilities is to prioritize which flaws to fix first, train your developers to write secure code, integrate and automate security tools early into the SDLC, and scan frequently. To learn more about AppSec best practices and practical first steps (like which AppSec testing types to deploy first or how to shift left), or for additional information on fixing security flaws, check out our guide, Application Security Best Practices vs
Tags: Vulnerability
Veracode.webp | 2021-04-22 12:43:02 | Reporting Live From Collision Conference 2021: Part One! (direct link)
This week, Collision (virtually) kicked off its annual conference, bringing together creatives, builders, influencers, innovators, and other great minds to cover some of the hottest topics in business and technology. Known as "America's fastest-growing tech conference," this year Collision featured over 450 speakers with more than 100 hours of content to consume across the three-day event. With a sizable group of 40,000-plus attendees to entertain, the team behind Collision came prepared with a packed schedule. The lineup included speakers from some brand heavy-hitters (Amazon, Twitter, TikTok, and PayPal, to name a few) as well as our very own Chris Wysopal representing the application security (AppSec) space for Veracode!
AI, AI... Oh!
Chris first led a hodgepodge of talent from security and tech to moderate Collision's AI, AI... Oh!: AI, Security and Privacy in Online Society session. For this roundtable, Chris was joined by Jeff Moss of DEF CON, Jordan Fisher of Standard Cognition, Katie Moussouris of Luta Security, Alexander Vindman of Lawfare, Gary Harbison of Bayer, and Window Snyder of Thistle Technologies. The topic at hand? Just how major the impacts of AI and machine learning are on all industries today, and the risks this technology can bring if left unchecked. The roundtable dug into important issues like allocating organizational resources to security, privacy, and transparency to monitor AI, as well as what can go wrong when companies don't quite get it right. Chris kicked off the conversation by asking, how can we have technology figure out exactly what algorithms are doing so that we know when something is going awry, and who is to blame when it does? Gary Harbison brought up the idea of self-driving cars, which take data from their environment and make decisions in the moment.
At some point, if there is a decision made by the algorithm that pits the safety of the driver against a pedestrian, who is to blame and what is the ramification? Gary followed up that we as an industry need to think this through sooner rather than later. Another risky implication of this technology, the group suggested, is that in cases where AI is used to track consumer behavior, such a tool can quickly become an invasion of privacy. Window Snyder noted that implementing security (and being able to measure it) is a critical first step. She posed the question, how are we going to measure efficacy and improvements in security around AI technologies so that we can see what is actually providing value to consumers? "Consumers will feel understandably uncomfortable knowing that a brand is tracking what they do inside of a store, and they may feel like they're being watched everywhere they go," she said. Window went on to explain that, if we want to create trust between technology companies and the people we're observing, we need to make sure that we're creating clear business requirements and metrics, reducing the scope and time for tracking, and doing as much as possible to reduce the granularity of the data that is collected. Another important step, she says, is that when you build a mechanism to collect data, you also need to build a mechanism to remove it after extracting as much granularity as possible. Doing so tells consumers that the technology was built with their privacy in mind. There's an economic and geopolitical aspect to the risks of AI te
Tags: Tool
Veracode.webp | 2021-04-19 09:05:28 | DevSecOps in Practice: How to Embed Security into the DevOps Lifecycle (direct link)
You've heard of DevOps. And by now, you've probably also heard of DevSecOps, which extends DevOps principles into the realm of security. In DevSecOps, security breaks out of its "silo" and becomes a core part of the DevOps lifecycle. That, at least, is the theory behind DevSecOps. What's often more challenging for developers to figure out is how to apply DevSecOps in practice. Which tools and processes actually operationalize DevSecOps? Until you can answer that question, DevSecOps will be just another buzzword. To help bridge the gap between theory and practice, let's walk through what DevSecOps means from a practical perspective, and how to go about embedding it into your development workflows.
DevSecOps, defined
If you're familiar with DevOps (which encourages collaboration between developers and IT operations engineers in order to speed application delivery), then the meaning of DevSecOps is easy enough to understand. DevSecOps adds security operations teams into the equation so that they can collaborate seamlessly with developers and IT engineers. DevSecOps places a DevOps spin on basic security concepts. Just as DevOps encourages continuous delivery, DevSecOps is all about continuous security, meaning the constant and holistic management of security across the software development lifecycle. Similarly, DevSecOps encourages continuous improvement in the realm of security, meaning that no matter how secure you believe your environment is, you should always be looking for ways to improve your security posture even further.
DevSecOps in practice
These are all great ideas to talk about, and it's easy to see why they are valuable. Security postures are indeed stronger when developers, IT engineers, and security engineers work together, rather than working in isolation. It's much easier to optimize security when developers prioritize security with every line of code they write, and when IT engineers think about the security implications of every deployment they push out, rather than viewing security as something that someone else will handle down the line. The big question for teams that want to embrace DevSecOps, though, is how to go about putting these ideas into practice. That's where things can get tougher. There is no simple methodology that allows you to "do" DevSecOps. Nor is there a specific tool that you can deploy or a particular role that you can add to your team. Instead, operationalizing DevSecOps means building holistic combinations of processes and tools that make it possible to integrate security into DevOps workflows. While the best approach to this will vary from team to team, the following are some general best practices for implementing DevSecOps.
Scanning early and often
One basic step toward implementing DevSecOps is to ensure that you perform security tests and audits at the beginning of the software delivery pipeline. You don't want to wait until code is written and built to start testing it for flaws (and you certainly don't want to let it get into production before testing it). Instead, you should be scanning code as it is written, by integrating security tooling directly into your IDEs if possible. Importantly, security scanning should continue as code "flows" down the pipeline. You should scan your test builds and application release candidates before deployment. Security monitoring and auditing should also continue once code is in production.
Automation
Automation is a founding principle of DevOps, and it's just as important to DevSecOps. Automation not only makes processes faster and more efficient, but also helps reduce friction between the different stakeholders in DevSecOps
Tags: Tool Uber ★★★
Veracode.webp | 2021-04-16 11:34:42 | The First Step to Achieving DevSecOps Is Shifting Security Culture Left (direct link)
To achieve DevSecOps you need to shift security left. Sounds simple, right? Well, it's easier said than done. A recent survey conducted by SANS Institute found that 74 percent of organizations are deploying software changes more than once per month, an increase in velocity of nearly 14 percent over the past four years. To release software monthly, weekly, or even daily, security has to be integrated into the development process, not tacked on at the end. [Image: Delivery velocity] By scanning code for vulnerabilities in the development phase, flaws are easier and more cost-effective to remediate. In fact, our State of Software Security report showed that organizations following DevSecOps best practices remediated flaws significantly faster, and had less security debt. But adding security testing into early stages of development is a disruption to the roles of both developers and security professionals. With security in the development phase, developers take on more responsibility for testing and remediating vulnerabilities, and security professionals transition to more of an oversight role. This shift requires training developers in secure coding and remediation tactics, but this is a heavy lift for a lot of organizations. So how do you get your organization (especially developers) on board with shifting left? A good first step is to shift security culture left. In other words, you should begin by helping the development team be more security-minded. Start by understanding how the development team works. What tools and processes do the developers use? How do they build software? And see if there are any ways that security can be integrated into these tools and processes so that it doesn't add extra work for the development team.
Then start looking for ways to automate the security tests in the CI/CD pipeline so that the developers don't have to manually run tests. If security tests run automatically, developers can fix code immediately instead of waiting to hear back from the security team. Automated scans also ensure more frequent scans and a steadier cadence. When developers have to scan manually, it's easy to forget about a scan or intentionally skip a scan to save time. Automating static analysis scans in the build process is a good place to start. Lastly, arm developers with the tools and training that they need to fully understand security best practices. Some developers might benefit from instructor-led security courses while others might like on-demand courses or hands-on training tools like Security Labs. Many organizations with mature AppSec programs also recommend implementing a security champions program for security training. A security champions program is a way for elected developers to bond with security professionals and learn detailed security best practices that can be shared with their broader scrum team. This program also acts as a force multiplier for security teams with limited bandwidth. To learn more about AppSec best practices and practical first steps (like which AppSec testing types to deploy first), or for additional information on shifting security left, check out our
Veracode.webp | 2021-04-13 15:04:46 | The Biggest Breaches and Data Leaks of 2020 (direct link)
Year after year, cyberattackers cause unnecessary stress for organizations, disrupting innovation and impacting profit. 2020 was no different: last year brought a bevy of damaging breaches that cost organizations precious money and time they couldn't get back. Ranging from thousands to billions of records exposed, breaches big and small gave threat actors access to sensitive information like email addresses, locations, passwords, dates of birth, and more. Impacts were felt across the board, with organizations from Nintendo to Broadvoice and even the U.S. Small Business Administration making waves in the news. The biggest breach, however, went to Keepnet Labs with what was most likely a directory traversal exploit from an unsecured server. This typically allows threat actors to gain unauthorized access to files and, ultimately, compromise an entire web server. Unfortunately for Keepnet Labs, attempting to move an unsecured server with their firewall disabled for about ten minutes landed them in the headlines with over 5 billion records leaked from previous cybersecurity incidents, including hash types, passwords, email addresses, email domains, and more. So why are security breaches still so common? We know from State of Software Security v11 that 76 percent of applications have at least one flaw on initial scan today (24 percent with high-severity flaws), and that organizations with a higher flaw density remediate risky flaws a whopping 63 days slower than others. The good news: some of the biggest breaches from 2020 stemmed from common problems with code quality, CRLF injection, and cryptographic issues, which are preventable with secure coding best practices. [Image: Biggest Breaches of 2020] Check out our full infographic here to see the biggest breaches of 2020 and learn how to prevent similar threats.
Looking ahead to 2021 and beyond, it's critical that organizations continue to pivot and improve their security; with the right combination of secure coding best practices, educational training, and integrated testing types, developers can stay one step ahead of these and other modern threats.
Tags: Threat
Veracode.webp 2021-04-12 15:14:27 DevSecOps and the Cloud: How Leaning on Your Cloud Provider Can Help You Shift Left (lien direct) Over the past several years, an increasing amount of organizations have been moving their applications from on-premises to cloud-hosted platforms. And with the current pandemic forcing most businesses to adopt a fully remote work environment, the cloud is even more appealing. Gartner reported that cloud spend rose by double digits in 2020, and it???s expected to continue to grow by 18.4 percent in 2021. But as organizations move their applications to the cloud, are they managing security and compliance risk? In a recent Veracode-sponsored survey, SANS Institute examined a subset of organizations to get a better understanding of DevSecOps in the cloud. The organizations ??? comprised of government, banking and finance, technology, and cybersecurity ??? were asked a series of questions including how successful they???ve been at shifting security into development. The survey found that most organizations are implementing DevOps in the cloud, but not enough have made the transition to DevSecOps. In fact, only 40 percent of the assessed organizations reported that they have fully adopted a DevSecOps methodology. But with the current speed of deployments, in order for organizations to keep up, they need to have efficient processes in place. The survey shows that around 74 percent of organizations are deploying software changes more than once per month. This represents an increase in velocity of nearly 14 percent over the past four years. Delivery velocity If security assessments aren???t conducted early in the software delivery lifecycle (SDLC), they have to be conducted right before production ??? if at all. When security assessments are conducted before production, if flaws are detected, it can be time-consuming and costly to make changes. When flaws are detected early in the development phase, it???s faster and more cost-efficient. 
Why are organizations struggling to adopt DevSecOps? Over 60 percent cited organizational problems as their barrier to shifting security left. The top challenges listed include lack of resources, lack of buy-in, bureaucracy, and poor communication between the security and development teams. [Figure: Top challenges with shifting left] The beauty of moving to the cloud is that organizations can take advantage of the cloud provider's scale, resources, and agility to compensate for internal weaknesses or gaps. This gives security and development resources time to focus on other priorities, like secure code training or getting executive buy-in for maturing their AppSec program. By leaning on the cloud provider, organizations should have an easier time shifting left. But remember, shifting left shouldn't fall entirely on the developers. The whole organization needs to support the effort in order for it to be successful. As respondents cited, the more buy-in your organization has for DevSecOps, the better the chances of it being a long-term success. [Figure: Top factors for successfully shifting left] For additional insights regarding DevSecOps in the cloud, check out the SANS
Veracode.webp 2021-04-07 09:30:20 Password Storage Using Java (direct link) This is the eighth entry in the blog series on using Java Cryptography securely. The first few entries talked about architectural details, Cryptographically Secure Random Number Generators, encryption/decryption, and message digests. Later we looked at What's New in the latest Java version. All of this equipped us to talk in detail about some of the most common cryptographic applications. We started by looking at the symmetric cryptography-based application with Message Authentication Code. Passwords are such a central piece of any authentication-based system that every developer will be involved with them at some point in his or her career. They are usually stored in databases. Due to various vulnerabilities like SQL Injection, Remote Code Execution, etc., these databases could be compromised[16]. It becomes exceedingly important to make sure these stored passwords can't be cracked offline easily. Historical methods of storing passwords[15] have fallen short against growing computing power, modern computer architectures, and enhanced attacks. Currently, the most secure way to store passwords is using Password Based Encryption (PBE), which provides functions (called Key Derivation Functions (KDFs)) that convert low-entropy user passwords into random, unpredictable, and, most importantly, one-way, irreversible bytes of data. It is these bytes that should be stored, never plain text passwords, to safeguard against offline attacks. The KDFs used to generate these random bytes are commonly called password hashing algorithms. They can also be extended to protect any kind of sensitive information, such as PII (Personally Identifiable Information), which your business needs to protect against offline attacks. Skip to the TL;DR In this post, we will be talking about various KDF-based password hashing algorithms to be used for any password storage requirements.
Password-Based Key Derivation Functions Construction of KDFs has evolved over time. There are two broad categories of password hashing algorithms that are widely implemented: Adaptive Functions: designed to iterate over inner crypto operations thousands of times to make password computations slower. Prominent functions are PBKDF2[3][4][9], which iterates over an HMAC function, and bcrypt[10], which iterates over a Blowfish-based encryption scheme. Memory Hard Functions: designed to use significant internal memory, which effectively decimates traditional brute-forcing techniques even when they utilize modern computer architectures. Prominent functions in this category are Argon2[7] and scrypt[8]. Each of these algorithms has a set of parameters that needs to be configured judiciously. Before getting into a full-fledged conversation about the various algorithms, let's talk about some of the commonalities: 1. Salt Generation: When designing the salting features of your application, make sure that a unique salt is generated for each password, and that the salt and the corresponding hashed password are stored far from each other, like different
Veracode.webp 2021-04-06 12:22:43 Introducing the Veracode Technology Alliance Program (direct link) At Veracode, we have long promoted and nurtured strong partnerships. Through our network of strategic partners, technical alliances, and integration partners, we believe that by working together, we can bring even more value to our customers. That's why we're excited to introduce our Technology Alliance Program (TAP). Through TAP, we make it easier for organizations to implement, manage, and scale their software security programs. The new program emphasizes our commitment to developing partnerships with adjacent technology providers that produce best-in-class technology integrations. With TAP, partners will be able to empower their customers with a structured framework to develop secure software at scale, modernize their environments with SaaS-based software security, and cost-effectively demonstrate the clear business value of secure coding. "Modern business applications are more complex than ever before, and even in the most rigorous Software Development Life Cycle (SDLC), the complexity of development means vulnerabilities will be introduced. As part of the Veracode Technology Alliance Program, we can deliver solutions for customers that protect the software supply chain and secure data from the most sophisticated cyberattacks facing organizations today."
- Michael McCollough, Global Vice President, Strategic Growth at Imperva Our Technology Alliance Program represents a new path forward in how we collaborate with our technology partners, driving the best possible integrations to delight customers and providing program benefits such as: association with the leader in software security; in-depth access to products; a developer toolkit with APIs; technical validation; co-marketing opportunities. Simply put, by having best-of-breed scanning tools integrated into their software, Veracode TAP partners will have an easier time helping their customers deliver secure software faster. And this is just the start. Over time, we'll add more integrations and evolve our Technology Alliance Program to provide even greater resources, tools, and business opportunities for our partners. For more information on our TAP, including becoming a partner, contact us today. Guideline
Veracode.webp 2021-04-01 15:22:17 Secure Coding Urban Myths and Their Realities (direct link) "Science and technology revolutionize our lives, but memory, tradition, and myth frame our response." - Author Arthur M. Schlesinger Urban myths rely on their communities of origin to thrive and survive. Perpetuated by offhand anecdotes, sensational news stories, and friend-of-a-friend legends, urban myths about secure coding are no different; as developers share tidbits of information around common struggles and issues in application security, those conundrums quickly become myths that can make secure coding seem daunting. Schlesinger's quote is even more important today as so much of the world is powered by modern applications, yet at the same time myths clouding the development community often frame how developers respond to (or avoid) issues with their code. The reality is clear: when you take ownership of your code and rally around your team's security efforts to squash these myths, your apps carry far less risk than before. And once you recognize these myths for what they are, you have the power to reframe how you approach similar challenges in the future. Popular myths in programming So what are some of the common urban myths in software development? They range from the security of open source code to relying solely on developer tools and why PHP is considered a "dying language". Did you know 80% of all websites built on known programming languages are powered by PHP? Some of today's heavyweights like Etsy, Facebook, and Wikipedia were built on PHP, and PHP-based publishing platforms like WordPress and Drupal are still extremely popular. It isn't going anywhere anytime soon. Maybe you've also heard the urban myth that fixing flaws in your open source code is too time-consuming? Myth busted: almost 75 percent of known vulnerabilities in open source code are fixable with a simple library update that patches the vulnerable version.
Even better, tools like Veracode Software Composition Analysis provide immediate and actionable guidance to help you remediate flaws in your open source code before they add risk to your organization. Or perhaps you've seen comments on Reddit claiming that your favorite developer tool is all you need to secure your code, but the security features in basic developer tools typically lack the comprehensiveness required for ample coverage. In reality, you need the right testing types in the right places throughout your SDLC, ensuring coverage for your CI/CD pipeline and giving you peace of mind while you work. [Figure: Urban Myths About Secure Coding] We've only scratched the surface when it comes to urban myths about secure coding! To learn more about some of these common conundrums (and their realities), download our eBook: 6 Urban Myths About Secure Coding. Tool
Veracode.webp 2021-04-01 09:00:21 AppSec with LolCats: Click2Cat - the Security Extension to Veracode You Didn't Realize You Needed (direct link) Fixing security findings in your code can be hard. Sometimes you need help from other developers who have solved these problems before. Veracode provides one-on-one time with ex-developers who can coach you through different approaches to address security findings. But sometimes, you don't really want advice. Instead, you need a boost to help you get through the day of reducing risk in your software. Enter Veracode's Click2Cat feature, a quick pick-me-up while you are preparing that report about the security of your software. [Figure: Click2Cat] In 2017, Willa Riggins recognized a gap in Veracode's product offering: a lack of lolcats. As a leader of the manual penetration testing team, she took it upon herself to close this gap during a Veracode Hackathon. So the Click2Cat Chrome extension was born, and it makes getting a lolcat from the Veracode UI quick and easy. Download now to improve your flaw-fixing experience today: https://github.com/willasaywhat/click2cat Real quotes from real Click2Cat users: "I was struggling with how to fix a particularly nasty SQLi issue. Digging through the code in Veracode's Triage Flaw viewer I could see the taint source and the actual sink. Before I dug into the fix, I got myself a coffee and a quick lolcat, then I was ready to go!" - Jennifurr B. "There is nothing better to start my day of CRUSHING SECURITY DEBT than a lolcat." - Katy Purry "I ship customer value all day, so a little Click2Cat gives me the edge in solving tricky security problems that slow me down." - Paul McCatney *Note: lolcats can be fickle and sometimes wander away from the Veracode UI. LolCat Guideline
Veracode.webp 2021-03-30 21:29:05 Manufacturing Has the Lowest Percentage of High-Severity Flaws but Needs to Improve Time to Remediation (direct link) The past 12 months have been especially challenging for the manufacturing industry. The pandemic affected in-person manufacturing jobs as well as supply and demand, causing many manufacturing companies to shut their doors or lay off valuable employees. Recognizing the vulnerable state of manufacturing companies, cybercriminals saw manufacturing as an easy target. In fact, the manufacturing industry saw an 11 percent increase in cyberattacks in 2020. And even more concerning, our recent State of Software Security v11 (SOSS) report found that, when compared to other industries, the manufacturing industry ranks last for fix rate and median time to remediate security flaws. That means that the manufacturing industry has security flaws in applications that aren't getting resolved in a timely manner. And more lingering flaws mean more opportunity for a cyberattack. That said, it is reassuring to see that the manufacturing industry falls in the middle of the pack for the percentage of applications with flaws and, even better, has the lowest portion of applications with high-severity flaws. [Figure: Manufacturing SOSS] What are some steps that the manufacturing industry can take to improve its fix rate and half-life? When reviewing the SOSS data, there are several factors contributing to the low fix rate and slow time to remediation. Some of the factors are simply the "nature" of the applications and can't necessarily be changed. For example, applications in the manufacturing industry tend to be large and have a high flaw density. But there are several factors that can be "nurtured" to improve fix rate and time to remediation, like scanning via API, scan frequency, and using software composition analysis (SCA) with static analysis (SAST).
[Figure: Manufacturing SOSS half-life data] Just by scanning applications for flaws more frequently, industries improved their time to remediation by 22 days. By leveraging APIs, industries improved time to remediation by 18 days. It really comes down to adopting and implementing DevSecOps best practices. And while talking about flaws, it's important to note that the most common security flaws in the manufacturing industry are information leakage, CRLF injection, and code quality. Credentials management is also surprisingly common, perhaps because manufacturing applications historically did not require authorization. For more information on software security trends in the manufacturing industry, check out The State of Software Security Industry Snapshot.
Veracode.webp 2021-03-29 13:04:14 Veracode Hacker Games: The Results Are In! (direct link) The first ever Veracode Hacker Games competition has come to a close, but were the flaws in favor of our brave competitors? Read on to find out. Over the course of the two-week challenge, students from several universities in the U.S. and the U.K. came together to explore vulnerabilities and threats that they'll one day face on the job. Competitors raced to exploit and patch real applications in Veracode Security Labs, a hands-on training platform that helps developers prepare for the threats they face daily. The top teams earned some epic prizes too: a $10,000 charitable donation to the first-place school and a $5,000 donation to the second-place school, along with individual prizes and complimentary Veracode software for participating universities for a whole year, so students can continue sharpening skills while in school. In short, the stakes were high, but the students did not disappoint! When all was said and done, competitors participating in the inaugural Veracode Hacker Games spent 51,859 minutes on labs in Veracode Security Labs; that's about 864 hours or 36 days of secure coding awesomeness! Guideline ★★★
Veracode.webp 2021-03-23 11:24:22 We're All WFH Too – One Year Later! (direct link) Last year brought a lot of change. Companies across the globe had to pivot, ready or not, and many went fully remote just like we did here at Veracode. 2020 transformed the way we work and communicate, changed how we raise our families and celebrate holidays, and even inspired us to (often humorously) reflect on the everyday traditions that we took for granted in the "before times." After our big shift to remote last year, we shared our own journey with some helpful tips from Veracoders, like using an "ON AIR" sign to let family know when you're on a call or setting a firm schedule with alarms to prevent burnout. March of 2020 was a huge change for all of us at Veracode, and certainly one we never imagined would still be in place a full year later. We had a lot of concerns about what would happen to our corporate culture, which was so important to us all, and to the strong relationships we nurtured with our customers and prospects. How would those fare? Here we are a year later. After countless Zoom calls and endless kitchen coffee trips, we're looking back at our remote year and sharing some tips, some lessons, and some thoughts on how we've changed. But first... sit up straight! Your back really needs a decent desk chair Some of us learned about lumbar support the hard way. For a good part of 2020 I sat on a rickety chair that I built myself, taunted by the sleek setups and high-backed desk chairs of my coworkers on Zoom. It wasn't until the summer, around July, that I knew it was time for a change and bought myself a brand-new desk and a brand-new desk chair. See below for a before and after: [Figure: First Desk / New Desk] Life-changing (and so much brighter)! Almost immediately, it was easier to get into the zone and my back was on the mend. It just goes to show you that no matter where or how you work, lumbar support or bust. Check in on teammates,
and your teenagers Veracoder Marcus Watson found ways to ensure that the mood is light, especially in chats. "The teams within Veracode have their own channels to communicate and we try to make sure there's levity in the business chat," he says. Marcus misses the "buzz" you get from working in an office, including how much easier it is to pick up on things that don't quite translate well over text, and he makes it a point to check in with others if they've been under-communicating. When it comes to balancing home and work life, Marcus notes that while it has been tricky with two teenagers, he's felt supported through his work and has even found that it helps him slow down a little. "Schooling from home has also encouraged me to take more breaks during the day, checking in with the kids and making sure everything's ok, and we all take breaks to hydrate, eat, and chat," he says. He's all about carving out time, too: "Working from home is no less valuable than working from the office so I try and avoid the temptation to put in longer hours. I make an effort to have firm breaks and set personal boundaries to make sure that work doesn't interfere with personal life." Don'
Veracode.webp 2021-03-16 10:45:23 Automated Security Testing for Developers (direct link) Today, more than ever before, development organizations are focusing their efforts on reducing the amount of time it takes to develop and deliver software applications. While this increase in velocity provides significant benefits for end users and the business, it complicates the process of testing and verifying the function and security of a release. The days of long-running, waterfall-style development cycles, wherein security was manually evaluated and bolted on at the end, are gone for good. With the move towards an agile development methodology, security testing and remediation are inherently shifting to the left. And to support this, developers must adopt tools that automate security testing so that vulnerabilities are identified at the earliest possible point in the development lifecycle. Below, we discuss the why and how of implementing an effective strategy for automated security testing within the development lifecycle. Shifting security testing to the left Through the use of automation, security testing can be executed earlier (or further left) in the development pipeline. This is advantageous for a variety of reasons. For one, the earlier vulnerabilities are discovered, the less expensive they are to fix. If a security issue is introduced into the code early in the release cycle, it's more likely to be resolved in minutes or hours, whereas a vulnerability discovered at the end of the release cycle can involve complexity that increases the time required to remediate. Moreover, earlier execution of security tests ensures that vulnerabilities pose less of a threat to the delivery schedule. When security tests are automated as part of the build and integration processes, there is less uncertainty as the release approaches the later stages of the development lifecycle. This reflects well on both development personnel and the organization as a whole.
Shifting security left can also help reduce security debt, which piles up over time and adds serious risk if left unchecked. Instead of leaving the prioritization and remediation of bugs and vulnerabilities until the very end, shifting security left encourages collaboration between security and development to tackle this issue and determine which security debt is acceptable and which should be remediated ASAP, reducing lingering risk. Automated security testing for developers So, with the intent being to automate and shift security testing to the earliest possible point in the development lifecycle, let's analyze how this is done in practice. What are we looking for when we test? What does automated security testing involve? Automated security testing for applications is accomplished by scanning code for vulnerabilities. Static code analysis, for instance, scans a codebase while the application is not running. The code is evaluated against a set of policies to ensure that the developer's implementation complies with the security standards set forth by the organization. Non-compliance with any standard would indicate a vulnerability. These vulnerabilities can include anything from failure to properly protect database calls from SQL injection to non-compliance with PCI standards for processing, storing, and transmitting credit card information. Furthermore, automated security testing can be leveraged to validate the security of third-party libraries being used by the system. Organizations that wish to shorten their development cycles and enable continuous delivery should uti Tool Vulnerability Threat ★★★
Veracode.webp 2021-03-09 16:37:31 Veracode Wins IT Central Station's 2021 Peer Award for AST (direct link) [Figure: Award-IT-Central] Veracode was recently named the winner of IT Central Station's 2021 Peer Award for application security testing (AST). Winners were chosen based on reviews from verified customers to help prospective buyers make well-informed, smart business decisions. "Receiving positive feedback from our customers on the leading technology review site for cybersecurity, DevOps, and IT is a true testament to our products and services," said Mark Bissell, Chief Customer Officer at Veracode. The fact that our products are SaaS-based carries a lot of weight with our customers. As the manager of information technology at a Broadcom corporation stated, "[Veracode] is SaaS hosted. That makes it very convenient to use. There is no initial time needed to set up an application. Scanning takes a matter of minutes. You just log in, create an application profile, associate a security configuration, and that's about it. It takes 10 minutes to start. The lack of initial lead time or initial overhead to get going is the primary advantage." "We were skeptical about running scans with a cloud-based solution, but then we saw the benefits," said a cybersecurity expert from an IT consultancy company. "Everything is up to date without us having to lift a finger. We know we don't have to take care of maintenance." Our customers also appreciate that we help fix, not just find, flaws. A senior security analyst at a wellness & fitness company remarked, "If a scan fails to meet our standard, the build breaks and the flaws are remediated before releasing to stage and, ultimately, production, where the potential impact is much more costly. We have discovered opportunities to make our code even better thanks to Veracode!"
Beyond being the first native cloud-based AppSec vendor with a best-in-class secure coding tool and expert remediation, we were recently recognized by IT Central Station as a leading AST vendor for being DevSecOps friendly, offering multiple testing types, and keeping false positives to a minimum. To learn more about our recent awards, or to read customer reviews, please visit our page on IT Central Station. And for additional customer testimonials, check out our recent success stories. Guideline
Veracode.webp 2021-03-09 12:50:24 Putting the Sec in DevSecOps (direct link) Whether a seasoned professional or a fresh computer science grad, every developer has his or her stressful moments of trying to dig through scanning results to mitigate or remediate a vulnerability. Since you work at the speed of "I need this yesterday," it's a hassle to slow down and fix flaws or even stop to rewrite code entirely. Effective AppSec today is about executing essential application security (AppSec) tests as you're writing code. When AppSec is embedded as part of the development process, you're able to assess security on every code commit with fast and effective results that make your job, writing more secure code, much easier. DevSecOps meets security With a cyberattack happening every 39 seconds, and 76 percent of applications having at least one security flaw on first scan, AppSec is now a must-have for all organizations creating the apps that power the world. This is even more critical as organizations undergo technology shifts and must bolster their digital fingerprints to keep up with the competition. Security testing early in development makes you more efficient as a developer because it improves the quality of your code from the start, meaning you're not bogged down by bugs and dangerous vulnerabilities later on. It cuts down on risk, saving valuable time that you can then use to create more innovative applications. With security testing built into your existing workflows, you take on the critical role of improving the security and quality of your code as you develop apps. Once you begin integrating security into your coding process to find and fix flaws faster, your team is on the path to an effective DevSecOps engine that produces higher-quality code.
Securing the future: Integrating security into development If security is now an essential element of your job as a developer, then security testing needs to be automated and integrated for ultimate efficiency, and you need the right tools to help you keep up with the ever-evolving threat landscape. It isn't enough to simply check boxes once scans are complete. If you want to make sure that you're set up for success in the future, you and your team need: Good developer training tools like Veracode Security Labs, which offers real-world education you can use while coding. When security training is decentralized and you're empowered to make decisions that impact the health of your code, your know-how needs to be top-notch. By studying common vulnerabilities with hands-on learning and understanding which flaws are more predominant in certain languages, you're better prepared when you sit down to write software. For example, we know from State of Software Security v11 (SOSS) that issues with information leakage, CRLF injection, cryptographic bugs, and code quality are the most common flaws found, and they impact popular languages like .NET, Java, PHP, and Python. Boost your knowledge of which flaws cause issues in common languages and you'll be better prepared to write code that prevents them in the future. Efficient communication and collaboration with security through training on existing DevOps processes, by learning the workflows of security team members, and by ensuring that both teams are operating with the same goals in mind. You should also consider starting or joining a Threat ★★★
Veracode.webp 2021-03-04 15:37:03 AppSec Bites Part 4: What Do Teams Implementing DevOps Practices Need to Know? (direct link) The key to successfully implementing DevOps practices is relationships. It's about breaking down the existing silos between the different functions that deliver software, like development and operations. These functions need to work toward a common goal: efficient software delivery. The other relationship that is key to implementing DevOps is the relationship between security professionals and developers. Developers have had a historically strained working relationship with security professionals. Developers' performance is often linked to the speed of deployments, while security professionals are more concerned with the security of the software. So, when security slows down production to conduct scans or remediate flaws, it can be stressful for developers. The first thing you should do to help strengthen the relationship is to establish a common goal. Both security professionals and developers should be working toward fast, secure deployments. Next, since part of DevOps is shifting security left, it needs to be done in a way that won't add too much extra work for developers. For example, automate and integrate the security scans into developers' existing processes. Finally, consider promoting people from within to lead the DevOps initiative. If you hire someone from outside who doesn't know the structure of your organization, it could cause increased tension and unnecessary delays. Count on your team to work together and find ways to successfully implement the new process. For additional information on implementing DevOps, listen to part 4 of our AppSec Bites podcast series with ThreadFix. Guideline
Veracode.webp 2021-03-03 13:26:24 Veracode Named a Leader for AST on IT Central Station (direct link) To keep up with the pace of the modern world, organizations are constantly looking for ways to release software faster than their competitors. This "need for speed" has led many organizations to adopt DevSecOps. With DevSecOps, security is moved earlier in the software lifecycle, into the realm of developers. As a result of the changing development landscape, application security testing has also been evolving. Yesterday's application security testing tools and processes will no longer do. Organizations need an AppSec vendor that is not only DevSecOps friendly but also offers multiple testing types and developer security training, and keeps false positives to a minimum. IT Central Station users have recently ranked AppSec vendors on these attributes and awarded Veracode the top spot for application security testing (AST) solutions. Be DevSecOps friendly DevSecOps, which adds security to the already merging workstreams of development (Dev) and IT operations (Ops), is now a critical piece of the application security story. IT Central Station members acknowledged the importance of having application security testing integrated into the DevSecOps workflow. For example, according to Riley B., a senior security analyst at a wellness & fitness company with over 1,000 employees, "Veracode has improved our application security program by providing numerous integrations and tools to take our AppSec/DevSecOps to the next level." Being able to integrate automated scans into the DevSecOps pipeline makes application security testing more "DevSecOps friendly." For a security architect at a financial services firm with over 1,000 employees, one of Veracode's most valuable features is its ability to submit the software and get automated scan results from it.
Divakar R., a senior solutions architect at NessPRO Italy, a small tech services company, simply stated that Veracode is "a well-supported and valuable tool that was part of our DevSecOps process," while a DevSecOps consultant at a communications service provider with over 10,000 employees compared Veracode to a competitor: "Veracode is more API and DevSecOps friendly. Veracode's scanning time is better." Cover all application types Application security testing needs to cover a wide variety of application types if it's going to contribute to positive outcomes in the modern world of DevSecOps. This means supporting testing for the web, mobile apps, microservices, and more. A senior security architect at a financial services firm with over 10,000 employees spoke to this need, saying, "We are scanning external web applications, internal web applications, and mobile applications with various types/combinations of scanning. We use this both to improve our application security as well as to achieve compliance with various compliance bodies that require code scanning." The communications service provider's DevSecOps consultant echoed this approach, sharing, "We use th Tool ★★★★★
Veracode.webp 2021-03-02 10:55:24 Top Security Anti-Patterns in ASP.NET Core Applications (direct link) Microsoft's ASP.NET Core enables users to more easily configure and secure their applications, building on the lessons learned from the original ASP.NET. The framework encourages best practices to prevent SQL injection flaws and cross-site scripting (XSS) in Razor views by default, provides a robust authentication and authorization solution, a Data Protection API that offers simplicity of configuration, and sensible defaults for session management. What could possibly go wrong? Let's break down a few scenarios where misusing security features and improperly overriding defaults may lead to serious vulnerabilities in your applications. We'll focus on MVC-based ASP.NET Core applications; however, most of the scenarios are equally applicable to Razor Pages. Not validating anti-forgery tokens properly Cross-Site Request Forgery (CSRF) attacks allow an attacker to trick a user into performing an action on a trusted web application, typically by getting the user to click on a link created by the attacker that will call the vulnerable application. A vulnerable application would have no idea that the malicious request triggered by the user was not intentional, and it would perform it. If the user was logged in during this time, the web browser would likely send the cookies with the request. To protect against this, tokens should be created by the web application that are then passed back on each request to the server. These tokens change regularly, so a link provided by an attacker would be detected due to the outdated or missing token, and subsequently discarded by the application. Because CSRF relies on a stateful, pre-existing session and on the session information being automatically passed via cookies, anti-forgery protection is less likely to be required for API endpoints, which are typically stateless. ASP.NET Core provides a powerful toolset to prevent attacks using anti-forgery tokens. POST, PUT, PATCH and DELETE HTTP methods are the most likely to have significant side effects if REST guidelines have been followed, because these verbs are reserved for actions that alter state or data, and therefore they will require and validate anti-forgery tokens. For the sake of brevity we'll use POST as an example from here on. There are multiple ways to apply attribute-based filters to configure anti-forgery token validation, and the approaches may seem overwhelming: (1) ValidateAntiForgeryToken applied to each POST action in the controllers that would be exposed to requests. (2) ValidateAntiForgeryToken applied at the Controller level, exempting specific methods (most prominently those with GET actions) from validation using IgnoreAntiforgeryToken. (3) AutoValidateAntiforgeryToken applied globally to validate tokens on all relevant requests by default, and using IgnoreAntiforgeryToken to opt out of validation for specific actions if necessary. ASP.NET Core project templates and the code generation command-line interface create controller actions that use approach (1), with the ValidateAntiForgeryToken attribute attached to every action associated with updating data; that is, the ValidateAntiForgeryToken and HttpPost attributes are always used together: [HttpPost] [ValidateAntiForgeryToken] public async Task CreateSomething(Something something) While the result of the approach is valid, if the developer is writing the methods manually, they may easily forget to include the ValidateAntiForgeryToken attribute alongside the attribute designating the action, such as [HttpPost]. By default, neither ASP.NET Core nor the code editor wi Tool Guideline ★★★
Veracode.webp 2021-02-25 13:05:37 Announcing the First-Ever Veracode Hacker Games (direct link) "Destroying things is much easier than making them." This quote from The Hunger Games rings true in software; developers spend months perfecting their innovative applications only to see it all crumble at the nimble fingers of a speedy cyberattacker. So how do you beat them? Improve your secure coding know-how early on and keep it sharp. More than half of organizations in North America provide developers with some level of security training annually, or less often. A lack of consistent, accessible, and meaningful developer training can easily cause roadblocks as you're asked to shift security left and write more secure code earlier in your workflow. And as most coders graduate from college without foundational secure coding knowledge, it's increasingly important that developers (and developers-in-training) can access effective educational platforms throughout their careers to keep up with changes in vulnerabilities and coding best practices. That's why, to inspire the next generation of coders, we're excited to announce the Veracode Hacker Games! [Image: Hacker Games] The newly-launched competition from Veracode brings together students from top universities in the U.S. and the U.K. over the course of two weeks to test their secure coding skills. Packed with real-world challenges, the games will be hosted using Veracode Security Labs, and will challenge the teams to quickly solve as many labs as possible to rack up points for their teams. Over the course of two weeks, contestants will explore vulnerabilities and threats that they'll face on the job, learning how a cyberattacker might exploit an application and then discovering how to fix and prevent those flaws in the future. It's practical training and valuable experience that they can take with them through their studies and beyond. Because it's no easy feat to beat a serious flaw, we didn't skimp on the prizes. We're giving away over $15,000 overall, including a $10,000 donation to the first-place school and a $5,000 donation to the second-place school. We're also offering generous monetary prizes for individual contestants, and complimentary Veracode scanning software for participating universities so that students can continue refining their skills even after the games are over. Which schools are in? Here's a list of the universities participating in the inaugural Veracode Hacker Games: University of Virginia; Stonehill College; Queen's University Belfast; Northeastern University; University of Warwick; Tufts University; Indiana University; University of Birmingham. While winning students might not get to take a lap around Victor's Village like in The Hunger Games, they'll walk away with bragging rights and some fresh secure coding skills to take with them into their careers. If you missed the signup for this competition, don't worry! You can reach out to us here and let us know that you're interested in getting your school involved. Start practicing early in the complimentary version of Veracode Security Labs. You can also track progress during the challenge by Studies Guideline
Veracode.webp 2021-02-24 13:30:31 Dangers of Only Scanning First-Party Code (direct link) When it comes to securing your applications, it's not unusual to only consider the risks from your first-party code. But if you're solely considering your own code, then your attack surface is likely bigger than you think. Our recent State of Software Security report found that 97 percent of the typical Java application is made up of open source libraries. That means your attack surface is exponentially larger than just the code written in-house. Yet a study conducted by Enterprise Strategy Group (ESG) established that less than half of organizations have invested in security controls to scan for open source vulnerabilities. If the majority of applications are made up of open source libraries, why are most organizations only scanning their first-party code? Because most organizations assume that third-party code was already scanned for vulnerabilities by the library developer. But you can't base the safety of your applications on assumptions. Our State of Software Security: Open Source Edition report revealed that approximately 42 percent of the third-party code pulled directly by an application developer has a flaw on first scan. And even if the third-party code appears to be free of flaws, more than 47 percent of third-party code has a transitive flaw that's pulled indirectly from another library in use. Over the years, several organizations have learned the hard way just how dangerous it is to only scan first-party code. In 2014, the notorious open source vulnerability Heartbleed occurred. Heartbleed was the result of a flaw in OpenSSL, a third-party library that implemented the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. The vulnerability enabled cyberattackers to access over 4.5 million healthcare records from Community Health Systems Inc. In 2015, there was a critical vulnerability in Glibc, a GNU C library. The open source security vulnerability nicknamed "Ghost" affected all Linux servers and web frameworks such as Python, PHP, Ruby on Rails as well as API web services that use the Glibc library. The vulnerability made it possible for hackers to compromise applications with a man-in-the-middle attack. In 2017, Equifax suffered a massive data breach from Apache Struts which compromised the data, including social security numbers, of more than 143 million Americans. Following the breach, Equifax's stock fell over 13 percent. On the good news front: Close to 74 percent of open source flaws can be fixed with an update like a revision or patch. Even high-priority open source flaws don't require extensive refactoring of code; close to 91 percent can be fixed with an update. Equifax had to pay up to $425 million to help people affected by the data breach that the court deemed "entirely preventable." In fact, it was discovered that the breach could have been avoided with a simple patch to its open source library, Apache Struts. Open source patches and updates Don't become a victim to the monsters lurking in your third-party libraries. Download our whitepaper Accelerating Software Development with Secure Open Source So Data Breach Vulnerability Equifax Equifax
Veracode.webp 2021-02-23 09:45:03 Message Authentication Code (MAC) Using Java (direct link) This is the seventh entry in this blog series on using Java Cryptography securely. Starting from the basics, we began diving deeper into various basic cryptographic primitives such as Cryptographically Secure Random Number Generators, symmetric & asymmetric encryption/decryption, and hashes. After taking a brief interval, we caught up with cryptographic updates in the latest Java version. Skip to the TL;DR At this point, we are well equipped to discuss some of the most commonly encountered cryptographic schemes. Let's start by looking at applications designed around symmetric cryptography, starting with Message Authentication Codes in this post. Thankfully, Java provides us with rich, easy-to-use APIs for a lot of these applications, relieving us from having to build crypto systems up from primitives. Overview: What is MAC? Encryption provides us with the confidentiality service of cryptography. In a lot of applications (think of any kind of secure communication), receiving parties need to be assured of the origin of the message (authenticity) and make sure the message is received untampered (integrity). Hashing does provide us with integrity services but not authenticity. In order to get both, we need a separate crypto scheme that computes authentication tags (a.k.a. Message Authentication Codes or MACs). The Message Authentication Code (MAC) crypto scheme, unlike hashing, involves a secret key to restrict integrity capabilities to only parties that have access to it, which is why it is also called keyed hashing or, more relevantly, a cryptographic hash/checksum. A MAC can be constructed using ciphers (such as CMAC & GMAC) or hashes (HMAC). However, it is a bit tricky to get cipher-based MACs right. The JDK doesn't provide any cipher-based MAC constructions either. Rule of thumb: stay away from cipher-based MACs, even if encountered in some 3rd party providers. We already have a more trouble-free option with HMAC, so why risk it? Going ahead, we will just be focusing on HMACs. HowTo: How Does it Work? This crypto scheme works around a central MAC algorithm, which takes two pieces of information, a symmetric key (K) and the plaintext message to be authenticated (M), and computes the Message Authentication Code. Thus, MAC = HMAC(K, M). The MAC algorithm (HMAC) takes the message (M) of arbitrary length and generates a fixed-size authentication tag (or MAC). Message Authentication Steps: (1) A symmetric key (K) is established between sender and receiver, typically using a secure channel. (2) The sender computes the MAC, using a secure HMAC algorithm on message M and symmetric key (K). (3) The message is appended with the MAC and sent across to the receiver, i.e., M || MAC is sent to the receiver. (4) The receiver pulls apart M and MAC and recomputes the MAC from M using the same HMAC algorithm as the sender and symmetric key (K). (5) If the receiver-computed MAC == the sender-sent MAC, the authenticity and integrity of the received M are verified. This implies the message has reached the receiver untampered from the stated sender. HowTo: Construction of HMAC
Veracode.webp 2021-02-19 09:35:33 AppSec Bites Part 3: Has the New Virtual Reality Created Opportunities for AppSec? (direct link) Over the past several months, many organizations have had to shift their operations to a fully digital platform. This sudden shift was more challenging for some industries, like government, than other industries, like technology. And aside from having to adapt to fully remote operations, many organizations were also subject to tighter budgets, forcing them to become more efficient. Many organizations, even those with higher budget scrutiny, have realized the importance of automating their processes to improve efficiency and even moving their operations from on-premises to the cloud. As Kyle Pippin, Director of Product Management at ThreadFix, mentions in the AppSec Bites podcast, there were a significant number of organizations contemplating transitioning to the cloud prior to the pandemic. So, is it the pandemic that caused the surge in digital transformations, or is this a trend that was already underway? Tim Jarrett, Director of Product Management at Veracode, thinks it's a bit of both: some companies were already interested in digital transformations, so the pandemic was the push they needed to take that next step, and others might not have been considering a digital transformation but are now realizing the importance. The pandemic has also changed the way people work. There is less of a focus on team meetings and more of a push to start projects quickly and pragmatically. Organizations are looking to start digital transformations fast and efficiently and are craving best practices on implementation. Find out more about how the pandemic has affected AppSec in part 3 of our AppSec Bites podcast series with Threadfix.
Veracode.webp 2021-02-16 12:45:26 Preventing CSRF Attacks (direct link) Cross-site request forgery (CSRF, sometimes pronounced "sea surf" and not to be confused with cross-site scripting) is a simple yet invasive malicious exploit of a website. It involves a cyberattacker adding a button or link to a suspicious website that makes a request to another site you're authenticated on. For example, a user is logged into their online banking platform, which has poor security, and by clicking a "download" button on an untrusted site, it maliciously initiates a money transfer request on their behalf through their current online banking session. Compromised sites can reveal information or perform actions as an authorized user without your explicit permission. CSRF attack prevention Fortunately, CSRF attacks can be prevented. Let's look at some of the most efficient ways to safeguard your website. Being RESTful Representational state transfer (REST) is a set of principles that assigns a type of activity (view, create, delete, update a resource) to each HTTP verb (GET, POST, PATCH, PUT, DELETE). Following a RESTful design will ensure that your code is clean and can scale. It also has the added benefit of reducing vulnerabilities. A key design principle that protects you from CSRF attacks is using GET requests only for view or read-only actions. These types of requests should not transform data and must only display recorded data. This limits the number of requests that are vulnerable to CSRF attacks. Anti-forgery tokens Your website will also need to use POST, PUT, PATCH and DELETE requests. To safeguard these endpoints, you can introduce an anti-forgery token in every request that uniquely identifies safe origin sites. Every response rendered by the server will contain the anti-forgery token, which is then written out to a hidden HTML field. This token is used by the client side to authenticate requests sent to the server. Now, the server knows the request is from a safe origin. Most modern web frameworks include anti-forgery token management out of the box. For example, Ruby on Rails has a method called "protect_from_forgery" that authenticates requests on the server side. It also manages token generation and rendering out to HTML elements. Set cookies with the SameSite Attribute Cookies are a way to add persistent state to websites. This is usually used to authorize users, store session data, and more. However, it's also an easy way to expose vulnerabilities. To address this, cookies contain a number of attributes that govern their behavior. A commonly used attribute is Max-Age. The Chrome team recently introduced the SameSite attribute (now available across most major browsers). It is exceptionally useful in thwarting CSRF attacks. The SameSite attribute allows you to declare if your cookie should be restricted to a first-party or same-site context. It gives you greater control over how much a client can access server-side code. Setting a SameSite attribute on a cookie is quite simple: Set-Cookie: CookieName=CookieValue; SameSite=Lax; Set-Cookie: CookieName=CookieValue; SameSite=Strict; If the value is set to Strict, it means that any request originating from a third-party site to your site will have all cookies removed by the browser. It is the most secure setting and helps in preventing untrusted authorized requests from being rendered. Setting the value to Lax does not remove the cookies for any GET requests. This provides a seamless experience for your user when they fo
Veracode.webp 2021-02-10 12:58:21 75% of Apps in the Healthcare Industry Have a Security Vulnerability (direct link) In light of the current pandemic, our healthcare industry has been challenged like never before. Healthcare workers heroically stepped up to the plate, caring for those in need, while the industry itself digitally transformed to keep up with the influx of patient data and virtual wellness appointments. The increase of digital activity has brought about new security threats, with cyberattackers targeting patient data. In fact, according to a recent article in Modern Healthcare, "the FBI and two federal agencies warned cybercriminals were ramping up efforts to steal data and disrupt services across the healthcare sector." In September, a ransomware attack affected over 250 U.S. hospitals and clinics, preventing the use of critical emergency room equipment that relies on ethernet cabling. The increase in cyberattacks in the healthcare industry is important to note because, according to our recent State of Software Security (SOSS) report, 75 percent of applications in the healthcare industry have a security vulnerability and 26 percent have high-severity security vulnerabilities. Our SOSS data shows that the healthcare industry has a fix rate of 70 percent, a lower rate than average when compared to other industries. But, on a positive note, the industry ranks second in the median time it takes to remediate flaws. This suggests that healthcare organizations move quickly to address security flaws in order to keep security debt from getting too out of hand. [Image: Healthcare SOSS] The SOSS report also examines how "nature" and "nurture" influence applications. We found that the "nature" of applications (organization or application size, application age, or flaw density) can affect how long it takes to remediate a security flaw. But "nurturing" applications (using multiple application security (AppSec) testing types, scanning frequently and steadily, and utilizing APIs to scan for security) can also influence how long it takes to remediate security flaws. In terms of nature, healthcare organizations may be a little on the large side, but applications are fairly new and reasonably sized. The applications also have a low flaw density, which means flaws are present only in certain parts of the application. In terms of nurture, the healthcare industry is average compared to others for API usage and excels at scanning on a steady cadence and using dynamic application security testing. To improve its fix rate and median time to remediation, the healthcare industry needs to follow more DevSecOps best practices by improving its scan frequency and implementing software composition analysis. As Chris Eng, Chief Research Officer at Veracode, notes, "the healthcare industry scans on steady cadence, like clockwork, but they aren't scanning frequently enough. By increasing the frequency of scans, we could start to see improved fix rates." [Image: Healthcare SOSS nature vs nurture] The healthcare industry should be proud of its developers for doing a good job handling issues related to CRLF injection and cryptography. Injection flaws are considered by the OWASP Top 10 to be the number one most critical security risk to web applic Ransomware Vulnerability
Veracode.webp 2021-02-05 09:59:35 AppSec Bites Part 2: Top 3 Things to Consider When Maturing Your AppSec Programs (direct link) A joint blog post from Veracode and ThreadFix When it comes to maturing an AppSec program, there are several best practices that can help you get started. In part two of our AppSec podcast series, Tim Jarrett, Director of Product Management at Veracode, and Kyle Pippin, Director of Product Management at ThreadFix, share the top 3 things they've learned from organizations that have successfully matured and scaled their AppSec programs. 1. Know your anchor points. The first thing you need to think about when maturing your AppSec program is the current landscape of your organization. What are the things you can't change? It could be that you can't find more AppSec resources (supply and demand) or that there is no budget for additional scan types. Whatever the constraints are at your organization, you need to acknowledge them so that you can find acceptable workarounds. 2. Automate. Next, if you are not doing so already, you need to automate as much as possible. If application security scans are automated into the developers' existing tools and processes, there will likely be an increase in scan activity and developers will have more free time to work on securing their code and remediating flaws. Automation can also be used for other purposes, like onboarding. Since security professionals are hard to come by, they are often stretched thin for time. Because of this, security professionals can become a bottleneck when it comes to software deployments. If you automate some of their tasks, like onboarding developers in security best practices, it can free up some of their time and improve speed to market. 3. Focus on outcomes. Last, but certainly not least, it's important to focus not just on finding, but fixing flaws. You can help developers improve fix rates through training measures. For example, Veracode Security Labs is a great tool to help developers practice writing and remediating code in their chosen language. Implementing a security champions program is also a useful way to help make security top of mind for developers. Most developers don't take security courses in college, so unless they are learning about security at their organization, chances are it's not a strong skillset. If you find developers who are interested in learning more about security, you can train them to be security champions and they can take those skills back to other developers. To learn more about the best practices for maturing your AppSec program, check out part 2 of our AppSec Bites podcast series with Threadfix. Tool
Veracode.webp 2021-02-02 09:50:55 Embracing the Digital Shift: Implementing DevSecOps in the Cloud with AWS (direct link) To keep up with increasing time and productivity demands in software development, it's important that organizations are staying on top of their digital shifts through rapid technology adoption and the prevention of common snags in application security (AppSec). Developers must be enabled to create quality, secure code from the start of a project through to deployment of the application, which is why automation and integration are must-haves in your DevSecOps program as you make that shift to digital. The scalability and flexibility that software-as-a-service (SaaS) products provide only help to leap over hurdles that arise during that digital shift. Veracode made the switch to Amazon Web Services (AWS) when it became clear that our customers needed greater flexibility and scalability, and today, we function as an AWS Advanced Technology Partner with DevOps Competency that enables our customers to keep their code secure without disrupting the development process. With this tech at their fingertips, we've seen our customers adopting optimized Static Analysis (SAST) and Software Composition Analysis (SCA) testing within their CI/CD pipelines, integrated through AWS CodeBuild and AWS CodePipeline. Developers are also able to configure scans in the pipeline for quick pass/fail tests on critical security issues once they push their code to a new feature, while also running other vital unit and integration testing processes in CodeBuild, such as policy scans that can guide remediation. Additionally, with the cloud set up and the right integrations in place, organizations have more room to leverage new technologies that they otherwise wouldn't have the right environment to integrate. As an example, AWS permits Veracode to architect new solutions using services like AWS Lambda and AWS Key Management Service (AWS KMS), flexibility made possible by the cloud. To learn more about how Veracode works with AWS to build security into cloud-native developer workflows, read our blog.
Veracode.webp 2021-02-01 12:07:49 Customer Q and A: Advantasure Developers Talk AppSec (direct link) Before selecting Veracode, Advantasure, a leader in the healthcare technology industry, was on the hunt for an AppSec program that would not only protect them against cyberattacks, but also prove compliance with laws and regulations in several states. After integrating Veracode's solutions and methodologies into their software development process, Advantasure reduced its time to remediation for high-severity flaws, sped up deployment, alleviated training burdens with Veracode eLearning, and enabled compliance with state and federal regulations. To dig into some of these successes, we recently sat down with members of the Advantasure development team to discuss how our AppSec solutions and methodologies have helped them improve their development processes, reduce risk, and foster a more collaborative environment. Those team members included Sue McTaggart, Senior Application Security Architect; Bindiya Pradhan, DevOps/Release Engineer II; Vladimir Shuklin, Senior Software Engineer; Yuri Shcherbakov, Senior Software Developer/Software Engineer III; and Clay Corrello, Lead Software Engineer. Read on to learn about the current state of AppSec from developers who face it every day. What does your role look like at Advantasure? Sue: I'm a Senior Application Security Architect at Advantasure and the product owner of Veracode. We use Static Analysis (including IDE Scan), Dynamic Analysis, Software Composition Analysis, and eLearning as well in our day-to-day work. When it comes to the several hundred developers I work with, it's important for me to empower them through training while coaching them to be successful. I'm passionate every day about making sure my program is successful while empowering the "doer." Bindiya: I'm a DevOps/Release Engineer II working as a Lead Configuration Engineer and Admin for the Veracode platform at Advantasure. I've been with this company for 12 years now, and I have been in software development and engineering for 20 years. I've had all sorts of experience in this company from design to development, and I worked on the initial development of all the software. I was first involved with Client Implementation before I moved to Client Operations, then I shifted to a DevOps team for all of our automations and CI/CD pipeline implementation. I'm currently leading the Veracode configuration where I'm integrating Veracode with our CI/CD pipeline from development to integration of the scans. I can see how important security is. It used to be that developers thought security wasn't their problem and the security team would say the developers are coding so it should fall on them, but now with this shift to DevSecOps I can see both sides, so it's a great opportunity for me. Clay: I've been with Advantasure for a year, and the current role I have is Lead Software Engineer. I've been in the field for about 27 years. As a developer and as an architect, I spent a lot of time designing cloud-based microservices the past several years. Security is a big part of that, especially in the healthcare field given the sensitive nature. As a developer, we feel a lot of pressure to get things done, especially with the SAFe Agile model, and I've had experiences where security runs the risk of being overlooked, which it shouldn't be. So, I try to bring the focus on security to the work I do for Enrollment, and previously Billing, here at Adva Vulnerability Guideline
Veracode.webp 2021-01-26 12:06:18 Did You Read Our Most Popular 2020 Blog Posts? (direct link) What was top of mind for your peers regarding AppSec in 2020? Yes, we realize no one really wants a 2020 retrospective; who wants to look back at that mess? But we are going to carry on with our annual look-back at our most popular blogs from the previous year. We always gain a lot of insight with this exercise: we find out what resonated with security professionals and developers, uncover trends, and learn what people have questions or concerns about. We hope you find this valuable too. So what were the hot AppSec topics in 2020? Topping the list: Developer security training, best practices made practical, open source security, technical details on vulnerabilities, and, of course, the sudden shift to remote work and a digital world last March. Did you catch all these popular blog posts? Developer security training Our new Security Labs offering was a hot topic last year. Clearly, training developers on secure coding is a requirement and a concern for many. If you want to see what Security Labs is all about, check out the Community Edition. Developers can use it to learn to code securely by hacking and patching real apps, at no cost. Announcing Veracode Security Labs Community Edition; Stay Sharp and Squash Security Debt With Veracode Security Labs. Our survey report with ESG covered some of the pain points organizations are facing regarding security training, and blogs on that topic were in our most-viewed list as well. 16% of Orgs Require Developers to Self-Educate on Security; How 80% of Orgs Can Overcome a Lack of Training for Developers. Best practices for the rest of us Our guide on AppSec best practices vs. practicalities and its associated blog were among our most-read content pieces last year. Highlighting not only what to strive for, but also where to start, with application security seemed to resonate with many. Best Practices and Practical Steps to Guide Your AppSec Journey. Securing open source code As with the past several years, open source security was one of the most popular topics. The first open source edition of our annual State of Software Security report got a lot of attention in 2020. Take a look at the report to get the results of our analysis of 351,000 external libraries in 85,000 apps. We unearthed some really interesting data about the number of dependencies in open source libraries, and about challenges and best practices in securing them. Announcing Our State of Software Security: Open Source Edition; Breaking Down Risky Open Source Libraries by Language. Details on vulnerabilities and secure coding Blogs that take a technical deep dive into particular vulnerabilities typically resonate with our audience, and last year was no exception. Our blog posts on the Spring view manipulation vulnerability and preventing sensitive data exposure got a lot of attention in 2020. Write Code That Protects Sensit Vulnerability Patching
Veracode.webp 2021-01-26 11:37:41 Which AppSec Testing Type Should You Deploy First? (direct link) The gold standard for creating an application security (AppSec) program is – and always will be – to follow best practices. By following preestablished and proven methods, you can ensure that you are maximizing the benefits of your AppSec program. Unfortunately, time, budget, culture, expertise, and executive buy-in often restrict organizations from following best practices. But that doesn't mean that you can't create an impactful AppSec program. You should aim to follow best practices but – when you can't – there are practical first steps you can take to position your program for future improvements. Ideally, you should be using every testing type – static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. AppSec testing types chart Each AppSec test has its own strengths and weaknesses, with no one tool able to do it all. If you choose not to employ a specific test, you could be leaving your application vulnerable. For example, if you don't employ software composition analysis, you may miss vulnerabilities in your third-party code. And if you don't employ dynamic analysis, you could miss configuration errors. But by using all of the testing types together, you can drive down risk across the entire application lifetime from development to testing to production. If you don't have the funds or support to employ every AppSec testing type, you should always begin with the test(s) that will have the most impact, in the shortest amount of time, for the least amount of money. This will depend on factors like your release cadence, risk tolerance, and budget. For organizations releasing software less than four times a year, manual AppSec scans will probably suffice. But if you release software daily or weekly – likely in a CI/CD fashion –
you will need to automate your AppSec scans with each code commit. You also need to consider the speed of different scan types. Static analysis can provide immediate feedback with each commit. Penetration tests, on the other hand, are much slower because they rely on a human pen-tester to review the code. But speed isn't the only concern. You also need to consider the risk of your applications. An application housing sensitive data – like banking information – needs to undergo more in-depth AppSec tests than a lower-risk application. In-depth AppSec tests, like penetration testing, may take longer but they are critical in preventing cyberattacks. It really comes down to weighing the risk vs. time to market. In some instances, it may be okay to release software with low- or medium-severity risks. But for high-severity risks, you should break the build until the vulnerability is remediated. Budget is also a major factor. Penetration tests are considerably more expensive than other testing types. So, if you're on a tight budget, frequent pen tests may not be feasible. You might be better off pen-testing on an annual or bi-annual basis. Once you've successfully implemented the AppSec testing type(s) that provide the most value to your organization, it's time to start making the case for additional scans. As always, consider your budget, risk tolerance, and technology when adding to your AppSec mix. To learn more about AppSec best practices and practical first steps, check out our guide, Application Security Best Practices vs. Practicalities: What to Strive for and Where to Start, and keep an eye out for our upcomin Tool Vulnerability
Veracode.webp 2021-01-22 13:46:24 AppSec Bites Part 1: Balancing Speed and Thorough AppSec Coverage (direct link) In today's world, speed wins. Just take Amazon for example. You can place an order with the click of a button and have it delivered to your door in under twenty-four hours. Retailers that can't compete with Amazon's speed are falling behind. The same level of speed and efficiency is expected with technology. Companies are in a race to deliver new and innovative technology first. But aside from speed, companies are also concerned about the security of their software. It does you no good to release new software first only to have it compromised. So therein lies the dilemma … How do you release software fast while still implementing a comprehensive application security (AppSec) program? One of the most widely recognized solutions is moving security practices left. What that means is that instead of implementing AppSec scans right before production, which can be time-consuming, many organizations are starting their scans during the development phase. But not every scan type can be conducted early in the software development lifecycle. Scans like penetration tests or dynamic analysis are best performed in runtime. Does that mean you should neglect dynamic analysis or penetration tests? In part 1 of the AppSec Bites podcast series, Tim Jarrett, Director of Product Management at Veracode, argues "no." Dynamic analysis and penetration tests find flaws that earlier scans – like static analysis – can't find. So, it's worth taking a little extra time to run those scans. What are some ways you can save time on AppSec scans? If you have scans that can be effectively implemented early, implement them early. If you don't currently automate your AppSec scans, automate them. And lastly, consider leveraging Veracode's sandbox capabilities for developers.
As Kyle Pippin, Director of Product Management at ThreadFix states, "The sandbox allows developers to get hands-on with risks before they get promoted to the security team. It enables developers to fix the low-hanging fruit." So, the overall takeaway is that speed and security are a balancing act. You need to consider the risks involved with your application, set expectations with the developers on what flaws should be prioritized, and decide on what scan types make sense. Weigh the tradeoff of time and security for each application and follow best practices for speed to market, like shifting security left as much as possible, automating scans, and leveraging developer sandboxes. For more information on finding the balance between speed and AppSec coverage, check out part 1 of our recent podcast series with ThreadFix. ★★
Veracode.webp 2021-01-19 13:02:38 Retail and Hospitality Sector Has Impressive Fix Rate, but Room to Improve (direct link) Over the past year, the retail and hospitality industries have been forced to adapt to the "new normal." Since lockdowns and health concerns have prevented or dissuaded in-person shopping or dining, the new normal has been e-commerce. Smaller businesses not equipped for the increase in e-commerce have had to undergo rapid digital transformation in order to stay afloat. But, unfortunately, e-commerce was not the only thing to increase in 2020. Cyberattackers have been taking advantage of the influx of digital activity. This is especially concerning because, according to our recent State of Software Security (SOSS) report, 76 percent of applications in the retail and hospitality sector have a security vulnerability and 26 percent have high-severity security vulnerabilities. But, on a positive note, our SOSS findings also revealed that when compared to other industries, retail and hospitality have the second-best fix rate and the best median time to remediate security flaws. This means that even though the industries might have a higher than usual number of flaws, they are quick to act and remediate those flaws. As Chris Eng, Chief Research Officer at Veracode explains, "If retailers are constantly having to push out code containing business logic to support new promotions, that might account for the fix times." Retail and hospitality The SOSS report also examined how the "nature" of applications and how we "nurture" them contribute to the time it takes to close out a security flaw. We found that the "nature" of applications – like organization or application size, application age, or flaw density – can affect how long it takes to remediate a security flaw. But, taking steps to "nurture" the security of applications –
like using multiple application security (AppSec) testing types, scanning frequently and steadily, and utilizing APIs – can also influence how long it takes to remediate security flaws. For the retail and hospitality industries, we found that they have a low flaw density relative to other sectors, but the applications tend to be old and larger. We also found that the sector is not consistently using DevSecOps best practices like scanning frequently in an automated way. If developers start following the best practices regularly, the retail and hospitality industries can remediate flaws and chip away at security debt faster. Retail and hospitality nature vs nurture chart Flaws that the retail and hospitality sector should keep a close eye on include encapsulation, SQL injection, and credential management issues. These flaw types seem to be more prevalent in the retail and hospitality sector compared to other industries, and they can lead to a serious breach. In fact, injection flaws are considered by OWASP Top 10 to be the number one, most critical security risk to web applications. For more information on software security trends in the retail and hospitality industries, check out The State of Software Security Industry Snapshot. Vulnerability Guideline
Veracode.webp 2021-01-15 13:48:45 Security as Code: Why It's Important and What You Need to Know (direct link) Software is becoming an increasingly pivotal part of modern business and society. In turn, consumers have come to expect instant gratification. This has driven businesses to concentrate on innovation and speed to market. Businesses that can't keep up with the hyper-competitive market of speed-to-value are falling behind. But with rapid software deliveries comes increased risk. Businesses are shortening time to market, which, for many, has meant moving from a waterfall approach to a DevOps approach. Security in this model can't be a gate at the end of the development process, but rather needs to be part of the development process, or "security as code." Security as code is when you move security into the development stage and automate security scans at every code commit. It helps to ensure that security scans aren't missed, and it shortens deployment times. As the world continues to prioritize speed, security as code will be increasingly critical. What are the implications of security in the development phase? By moving security to the development phase and making security scans the responsibility of the developers, it's not uncommon for developers to raise concerns. They are oftentimes concerned that security scans will add extra work and slow down deployments. But with security as code, you can ease those concerns because the security scans are integrated and automated into the developer's existing tools and processes. This means there is no interruption to the developer's day-to-day activities. That said, it's still important to provide developers with security training to prevent flaws and aid remediation. According to the Modern Application and Development Security report by Enterprise Strategy Group, 35 percent of organizations reported that less than half of their development teams participate in formal security training.
Without this knowledge, flaws will be identified from scans, but they will not be properly remediated, leaving applications vulnerable to attack. Security training requirements for app developers At Veracode, we offer in-person, virtual, and hands-on training to get developers up to speed on securing code and remediating security flaws. With our hands-on training, Veracode Security Labs, developers can work on securing real-world code vulnerabilities in the language of their choice while receiving real-time feedback. We also encourage organizations to implement a security champions program. Security champions are elected or self-nominated developers with an interest in learning more about security. They receive a higher level of security training than other developers so that they can be the voice of security on their scrum team. They're essentially the conduit between security professionals and developers. For a security champions program to be successful, the "champions" need to be invited to security meetings – including sprint planning – on a consistent basis. By including them in these meetings, they can help get their scrum team on board with security initiatives. The program should also be engaging and rewarding for participants. If developers feel like the program is a waste of time, they won't attend security meetings and they won't e
Veracode.webp 2021-01-12 15:14:33 Veracode Named a Leader in The Forrester Wave: Static Application Security Testing, Q1 2021 (direct link) If you're looking to start or optimize an AppSec program in 2021, the Forrester Wave™ report is a good place to begin your research. The report not only details essential elements of AppSec solutions, but also ranks 12 static application security testing (SAST) vendors based on their current offering, strategy, and market presence. Development speeds and methods are changing and the requirements for a SAST solution are evolving as well. Forrester notes that SAST providers need to build their security solutions into the software development lifecycle (SDLC); integrate them into the CI/CD pipeline; protect new architectures like containers; and provide accurate, actionable results. To help development teams and security and risk professionals identify the industry's foremost SAST providers, Forrester conducted a 28-criterion evaluation. The research and analysis identified Veracode as a leader among SAST providers. The Forrester report noted, "For firms looking for an enterprise-grade SAST tool, Veracode remains a top choice." The Forrester report specifically mentions, "Veracode has invested in the developer experience." Veracode's SAST offering is fully cloud-based and offers three different levels of scans that aid developers: IDE Scan provides focused, real-time security feedback while the developer codes. It also helps developers remediate faster and learn on the job through positive reinforcement, remediation guidance, code examples, and links to Veracode application security (AppSec) tutorials. Pipeline Scan happens in the build phase. It directly embeds into teams' CI tooling and provides fast feedback on flaws being introduced on new commits. It helps answer the question, "is the code my team is writing secure?"
Policy Scan reviews code before production to ensure that applications are meeting policy compliance and industry standards. It helps answer the question, "are my organization's applications secure?" Veracode also offers Security Labs, which trains developers to tackle evolving security threats by exploiting and patching real code. Through hands-on labs that use modern web apps, developers learn the skills and strategies that are directly applicable to their organization's code. Detailed progress reporting, email assignments, and a leaderboard encourage developers to continuously level up their secure coding skills. We believe prioritization is another important strength for Veracode. As the Forrester report states, "…Veracode's graphical representation of code flaws according to risk and ease of fix [are] unmatched in the market." In addition, the report states, "References complimented Veracode's premium support," and Veracode is highly rated by customers for remediation guidance. As one customer stated, "the relationship [with Veracode] really stands out." Learn more Download The Forrester Wave™: Static Application Security Testing, Q1 2021 report to learn more on what to look for in a SAST vendor and for more information on Veracode's position as a Leader. Patching Guideline ★★★★★
Veracode.webp 2021-01-11 09:56:57 Veracode Wins Best AppSec Feature Set and Customer Support Awards From TrustRadius (direct link) TrustRadius recently awarded Veracode with a 2021 Best Application Security Feature Set Award and Best Application Security Customer Support Award. These honors are given to companies that have gone above and beyond to delight their users. To win the Best Feature Set Award, each nominated organization had to receive 10 TrustRadius reviews in the past year that featured specific mention of their product's feature set. Winners also had to rank in the top three positions of their category in terms of what percentage of positive responses they earned this year. Additional vetting via textual review analysis was also performed by the TrustRadius research team … And Veracode came out on top! Best feature set – Veracode offers a comprehensive selection of SaaS-based application security (AppSec) analysis methods and supports over 24 programming languages as well as a wide array of frameworks. We also provide visibility into the application status across all common testing types in a single view. By having visibility into the health of your applications, you are able to focus on fixing – not just finding – vulnerabilities. The Best Application Security Feature Set Award is a great honor and a true testament to our products and services. "At Veracode, we strive to provide our customers with the latest and most innovative tools and technology," said Elana Anderson, CMO of Veracode. Veracode also won the 2021 Best Application Security Customer Support Award. This award was given to Veracode for its ability to provide efficient and effective support for a wide variety of projects. Since Veracode AppSec is SaaS-based, it needs to be able to support a more robust set of code functionalities than on-premises platforms – and it does so with ease.
"We are committed to providing developers and security teams with a comprehensive SaaS application security platform that integrates into their workflows along with highly responsive customer support. Receiving these awards is a testament to our effort to provide unparalleled software security solutions and support," said Elana Anderson. By reviewing the recipients of TrustRadius awards and learning more about their products and services, AppSec buyers can make more informed decisions. As the CEO of TrustRadius, Vinay Bhagat, stated, "We are excited to announce our first-ever 'Best of' Award winners. Let's face it: not all products are created equal, and neither are all technology buyers. That's why at TrustRadius we're always looking for new ways to help buyers make great decisions. By highlighting products that have first-class feature sets, we can help more buyers navigate to products that will meet their unique needs." To learn more about the winners of the TrustRadius awards, and for more information on Veracode's AppSec feature set and customer support, check out the TrustRadius blog, Best of Security Software 2021.
Veracode.webp 2021-01-07 09:18:28 How to Communicate Application Security Success to Your Executive Leadership (direct link) Over the past several years, there have been many changes to software development and software security, including new and enhanced application security (AppSec) scans and architectural shifts like serverless functions and microservices. But despite these advancements, our recent State of Software Security (SOSS) report found that 76 percent of applications have security flaws. Yet CISOs and application security program owners still find themselves having to justify and defend application security initiatives. Members of the Veracode Customer Advisory Board (CAB), a group of AppSec professionals in several industries, faced this challenge as well. In response, a working group subset of the CAB collaborated to establish a set of metrics that security professionals can use to establish, drive adoption, and operationalize their application security program. These data points should help inform decisions at different stages of program maturity while answering the basic question: is the application security program effective or not? How to determine and justify the required resources for an application security program AppSec managers need a justifiable AppSec approach and dataset that set parameters around the program, give a starting point, and set up how the program will grow over time. That approach starts with providing evidence that an application security program is necessary and that it will reduce risk. To show that an AppSec program is necessary, call attention to data points around flaw prevalence in applications (76 percent) or the average cost of a data breach ($3.86 million).
Software security landscape today To show that AppSec programs reduce risk, consider stats like the one from our SOSS report that found that organizations scanning for security the most (more than 300 times per year) fix flaws 11.5x faster than organizations scanning the least. How to determine and prove that development teams are adopting software security practices AppSec success hinges on development buy-in and engagement. Therefore, proving that your AppSec program is effective requires evidence of developer adoption. Consider highlighting the rate at which development teams are taking advantage of APIs to integrate security into their processes. Then prove that developers are taking the time to fix the identified flaws by showing your developers' fix rate (the # of findings closed / the # of findings open). By examining the fix rate, you can see if developers are actively adopting AppSec practices by fixing – not just finding – vulnerabilities. The fix rate also shows you where additional training or resourcing investment is needed. How to determine if the application security program is operating efficiently AppSec programs are meant to be ongoing – not a one-off project with an end date. An effective AppSec program is ultimately a component of the software development process, just like QA, and the measures of success need to reflect that. A key metric here is the correlation between security activities early in the development process and the number of security flaws found in a release candidate or in production. For example, the figure below shows the relationship between security test Data Breach Guideline
Veracode.webp 2021-01-05 13:25:00 Nature vs. Nurture Tip 3: Employ SCA With SAST (direct link) For this year's State of Software Security v11 (SOSS) report, we examined how both the "nature" of applications and how we "nurture" them contribute to the time it takes to close out a security flaw. We found that the "nature" of applications – like size or age – can have a negative effect on how long it takes to remediate a security flaw. But, taking steps to "nurture" the security of applications – like using multiple application security (AppSec) testing types – can have a positive effect on how long it takes to remediate security flaws. In our first blog, Nature vs. Nurture Tip 1: Use DAST With SAST, we explored how organizations that combine DAST with SAST address 50 percent of their open security findings almost 25 days faster than organizations that only use SAST. In our second blog, Nature vs. Nurture Tip 2: Scan Frequently and Consistently, we addressed the benefits of frequent and consistent scanning by highlighting the SOSS finding that organizations that scan their applications at least daily reduced time to remediation by more than a third, closing 50 percent of security flaws in 2 months. For our third tip, we will explore the importance of software composition analysis (SCA) and how – when used in conjunction with static application security testing (SAST) – it can shorten the time it takes to address security flaws. What is SCA and why is it important? SCA inspects open source code for vulnerabilities. Some assume that open source code is more secure than first-party code because there are "more eyes on it," but that is often not the case. In fact, according to our SOSS report, almost one-third of applications have more security findings in their third-party libraries than in primary code. Given that a typical Java application is 97 percent third-party code, this is a concerning statistic.
Flaws Since SCA is the only AppSec testing type that can identify vulnerabilities in open source code, if you don't employ SCA, you could find yourself victim of a costly breach. In fact, in 2017, Equifax suffered a massive data breach from Apache Struts that compromised the data – including Social Security numbers – of more than 143 million Americans. Following the breach, Equifax's stock fell over 13 percent. How can SCA with SAST shorten time to remediation? If you are only using static analysis to assess the security of your code, your attack surface is likely bigger than you think. You need to consider third-party code as part of your attack surface, which is only uncovered by using SCA. By incorporating software composition analysis into your security testing mix, you can find and address more flaws. According to SOSS, organizations that employ "good" scanning practices (like SCA with SAST), tend to be more mature and further along in their AppSec journey. And organizations with mature AppSec programs tend to remediate flaws faster. For example, employing SCA with SAST cuts ti Data Breach Equifax
Veracode.webp 2021-01-05 11:05:58 Announcing Veracode in AWS Marketplace: Streamlining Secure Software Development for AWS Customers (direct link) Digital transformation continues to accelerate, and with it, businesses continue to modernize their technological environments, leveraging developer-first cloud-native solutions to build, host, and secure their software. At Veracode, we continue to see customers leveraging large cloud providers, such as AWS, as a central platform to conduct these activities. Customers can take advantage of the many native services available from AWS as well as procure and manage relationships with AWS-certified partner solutions, such as Veracode, through the AWS Marketplace. Which is why we are pleased to announce the launch of our public listing of Veracode Security Labs on the AWS Marketplace. This listing also enables us to sell our full portfolio of solutions through AWS Marketplace Private Offers. Buying through Marketplace creates more buying options for customers and enables AWS customers to quickly purchase and deploy Veracode's leading SaaS software security solutions while centralizing billing through AWS. For AWS customers participating in AWS' Enterprise Discount Program (EDP), purchasing Veracode through the marketplace can drive additional benefits and potential savings with AWS as a portion of the cost of Veracode can be applied towards the [your] overall annual spending obligations with AWS. Since launch, several large customers in North America and Europe were successful in purchasing Veracode's solutions via the AWS Marketplace, and are recognizing the variety of benefits offered to them by AWS. Why Veracode? When it comes to building effective and secure applications on a tight schedule, security tools need to be flexible enough to integrate and automate seamlessly into existing processes and workflows, but capable enough to get the job done.
Through Veracode's cloud-native application security (AppSec) solutions we aim to enable the speed, automation, and top-level scanning tools needed to write more secure code and continue hitting deadlines. With Veracode's solutions integrated into established processes, AppSec quickly becomes a competitive edge. In addition to the right scanning and testing tools embedded into critical stages of the software development lifecycle, Veracode enables organizations like yours to improve customer confidence through enhanced security, reduced risk, and proven compliance. AppSec management and measurement is simplified through reliable metrics, progress demonstration, and clear goals. In addition, Veracode's 1% false-positive rate means less time spent chasing the wrong flaws and more time ensuring your DevSecOps efforts stay on track to keep projects on schedule. It also means a shortened sales cycle that keeps businesses one step ahead of the competition. There's no need for lengthy security questionnaires with an established and functioning AppSec program, and sales are not lost due to security concerns from prospects. When Veracode's cloud-native SaaS platform is in place, it's possible to start scanning on day one to begin proving compliance and ensuring the quality of your code without missing a beat. Secure software from the start Having critical flexibility in the cloud with robust testing at your fingertips means that the security of your software is easier to manage to deployment and beyond. Through our integrations with AWS CodeStar and other developer tools, we deliver the critical functionality that developers need to initiate security scans – including right from AWS CodePipeline and AWS CodeBuild, saving vital remediation time. We also offer support for AWS Software Development Kits in Python, Node.js, and JavaScript, as well as support for Lambda functions. Re Guideline
Veracode.webp 2020-12-21 13:32:11 Veracode CEO on the Relationship Between Security and Business Functions: Security Can't Be Effective in a Silo (direct link) Veracode CEO Sam King says that security can't be successful, and in fact will become a blocker, if it operates in a silo. She recently sat down for a fireside chat with Mahi Dontamsetti, State Street CTRO, and Jim Routh, MassMutual CISO, to share her thoughts and observations on communicating about security to the Board and the overall connection between the security function and business functions. She notes that even though there are often designated technical experts on the Board, there is now an increased awareness around cybersecurity, even among the traditionally business-oriented members. So, it's important to tailor messages to the business functions so that they too can understand the organization's risk posture. This doesn't mean that you should try to make everyone on the Board a cybersecurity expert, but King remarks that there should be a "baseline knowledge that all Board members have around cybersecurity." Mahi Dontamsetti agrees with King that cybersecurity should be communicated to all members of the Board in an easy-to-understand manner. Dontamsetti goes on to say that sometimes it's the non-technical experts who ask the best questions or have important insights into cybersecurity. They're sometimes able to fill in the "known unknowns." Jim Routh adds that Board members are actively seeking out cybersecurity knowledge. "Board members today go to classes to improve their skill through NACD or other associations," he said. "They're re-skilling and retooling themselves at a pretty significant pace, so that will give us more Board members with cybersecurity expertise." Routh also mentions the importance of level setting cybersecurity expectations with the Board. It shouldn't be about eliminating all cybersecurity incidents because that's unrealistic.
The goal should be to "recover quickly when you have security incidents and minimize the business impact." And the whole organization needs to work toward that goal. "Every enterprise at any level of maturity today has to recognize that incident response for cybersecurity has to be a fabric for the entire enterprise. It's not just a siloed function in IT or in cybersecurity." How can you ensure that cybersecurity isn't siloed? Routh recommends identifying your top 10 cybersecurity risks and making sure that they are well known throughout the company, especially with senior leaders. Resources should be allocated to the top 10 risks, and projects and initiatives around those risks should be prioritized. Not only should you come up with your top 10 cybersecurity risks, but it's also worth identifying your top 10 business strategies. King makes the point that "when you're looking at the top 10 of your business strategies as a company, regardless of whether you're a cybersecurity company like Veracode or you're a financial services company, or whatever industry you're in, cybersecurity has to be in that top 10." By making cybersecurity a top 10 business strategy, you ensure that executives and senior leaders are prioritizing risk mitigation strategies and, hopefully, integrating the strategies company-wide. If cybersecurity is siloed, departments may try to ignore security best practices for the sake of speed. King remarks that without cybersecurity integration, you may hear a lot of, "We're super excited about this project, but once we go to the security person there's going to be all of these different things that we have to be concerned about. And, will we be able to get it done or not?" But cybersecurity integration doesn't have to slow down processes. If you start your project with security best practices in mind from the very beginning, there won't be time-consuming or expensive rework down the line.
And how about obtaining cybersecurity resources a Guideline
Veracode.webp 2020-12-21 13:30:38 Fixing CRLF Injection Logging Issues in Python (lien direct) It can sometimes be a little challenging to figure out specifically how to address different vulnerability classes in Python. This article addresses one of the top finding categories found in Python, CWE 117 (also known as CRLF Injection), and shows how to use a custom log formatter to address the issue. We'll use this project, which deactivates or deletes user accounts from the Veracode platform, to illustrate the functionality. The vulnerability CWE 117 (sometimes classified as CWE 93) is (normally, see note below) a medium severity finding that compromises the integrity of logging information by allowing an attacker to insert extra log statements, corrupt the logs so that they become unreadable, or even inject malicious code into the logs (useful if the log will be read through a web user interface). The attacker does this by inserting data containing carriage return and line feed (CRLF) characters, causing the appearance of a new logging statement. Note on classification: CWE 93 refers to a broader set of weaknesses with handling content containing CRLF characters. It applies to logs and also to HTTP headers (CWE 113), sending email messages, or any output format where carriage returns and line feeds are significant characters; CWE 117 is the log-specific version of it. This article focuses specifically on issues where CRLF injection occurs in a logging context (CWE 117). Example This code snippet is vulnerable to CRLF injection:
import logging
import sys
import anticrlf  # not used yet; it provides the formatter for the fix (pip install logging-formatter-anticrlf)

logger = logging.getLogger(__name__)
# Default format is "%(levelname)s:%(name)s:%(message)s", written to stderr
logging.basicConfig(level=logging.DEBUG, stream=sys.stderr)
...
# additional logger setup

# Untrusted input containing a CRLF sequence, logged without any escaping
dangerous_value = "This line splits\r\nthe log entry by including CRLF"
logger.warning("The value of dangerous_value is {}".format(dangerous_value))
# WARNING:__main__:The value of dangerous_value is This line splits
# the log entry by including CRLF
# Note how the above ^ makes two lines, messing up log integrity
The fix Before we get into the fix, it's worth noting that not every application has a strong requirement for log integrity: a local command line script may not require as much attention to this vulnerability category as a system where auditing is a requirement and that takes input from multiple users. See also the note on severity below. Assuming that log integrity is important for your application (and in most cases it probably is), the strategy for fixing CRLF injection vulnerabilities is to sanitize all user inputs, ensure that you use a consistent character encoding throughout the application (to avoid problems from canonicalization), and escape output. Dealing with the first two issues is beyond the scope of this article, but applying an output escaping strategy is pretty straightforward by using a logging formatter. For the purposes of this blog, we'll use logging-formatter-anticrlf from Veracode Research; see the Alternatives section for some other approaches you could take. The logging-formatter-anticrlf library functions as a drop-in logging formatter, but it escapes carriage returns and line feeds in the output. Darren's readme shows how to use the library for stream-based logging; the project above shows an example of using it with logging to a file. Here's how: First, we install logging-formatter-anticrlf using pip install logging-formatter-anticrlf. Vulnerability
Veracode.webp 2020-12-16 10:41:10 Defense in Depth: Why You Need DAST, SAST, SCA, and Pen Testing (lien direct) When it comes to application security (AppSec), most experts recommend using Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST) as "complementary" approaches for robust AppSec. However, these experts rarely specify how to run them in a complementary fashion. At Veracode, we use SAST, DAST, SCA, and pen testing as the four pillars of our defense-in-depth strategy to deliver a "secure-by-design" AppSec methodology across the entire software development life cycle. Manual penetration testing Most organizations start their AppSec journey by running manual penetration tests (MPT). Penetration testing is necessary to catch vulnerability classes, such as authorization issues and business logic flaws, that cannot be found through automated assessments alone. Expertly trained pen testers can review an entire environment, rather than just the application, and can follow or break the workflows in a way that is difficult for automation to replicate. Additionally, pen testing is required to comply with regulations such as PCI DSS, HIPAA, GLBA, FISMA, and NERC CIP. However, pen testing is only one assessment type and can bottleneck development velocity because it is a manual process. How does Dynamic Analysis work? Dynamic application security testing (DAST) is an AppSec assessment that scans all applications and interconnected structures in a running environment without looking deeply into source code. The results of "outside-in" dynamic scanning help prioritize the remediation of exploitable vulnerabilities and immediately reduce AppSec risk as they are fixed.
However, it can be challenging to pinpoint the exact line of code to work on using only DAST. This assessment on its own is limited by the configuration of your scanner and what you choose to test. If you don't properly configure your scans, you may miss vulnerabilities and have a false sense of security. Additionally, since the application is scanned towards the end of the SDLC, there's more pressure on development teams to remediate the difficult-to-find vulnerabilities quickly. This is usually where friction between development and security increases, often resulting in unmitigated risk. How does Static Analysis work? Static application security testing (SAST) is an AppSec assess Vulnerability Threat
Veracode.webp 2020-12-15 15:47:40 State of Software Security v11: The Most Common Security Flaws in Apps (lien direct) For our annual State of Software Security report, we always look at the most common types of security flaws found in applications. It's important to look at the various types of flaws present in applications so that application security (AppSec) teams can make decisions about how to address and fix flaws. For example, high-severity flaws, like those listed in the OWASP Top 10 or SANS 25, or highly prevalent flaws can be detrimental to an application. Injection flaws make up the first item in the OWASP Top 10 Web Application Security Risks. By looking back at our list of common security flaws over the past decade, you'll notice that injection flaws are always listed. This year's report shows that CRLF injection was found in more than 65 percent of applications with a flaw, and SQL injection was among the top 10 list of most common flaws found. Since these flaws are high-severity and present in a large portion of applications, AppSec teams should prioritize fixing these flaws. Flaw types But CRLF injection flaws are not the only security flaws to keep an eye on. As you'll see in Figure 3 from the State of Software Security report, volume 11, information leakage and cryptographic issues are also highly prevalent, each found in almost two out of three applications with flaws. And these three flaws (CRLF injection, information leakage, and cryptographic issues) have remained the top security flaws, in this same order, for a few years. In fact, the top 10 most common security flaws have remained fairly consistent over the past 10 years. Luckily, there are proven methods for preventing and fixing the most common security flaws. For example, you can prevent CRLF injection flaws by properly encoding output in HTTP headers or logging entries that are otherwise visible to administrators and users.
And you can prevent SQL injection flaws by implementing parameterized queries. But given the fact that the same flaws keep appearing year over year, it's evident that developer security training is needed. Developers can't fix or prevent flaws if they don't have the necessary skills or tools. At Veracode, we offer Veracode Security Labs Community Edition to give developers free, real-world practice securing OWASP Top 10 vulnerabilities. Once developers have secure-code training, we encourage them to take proactive steps to avoid common security flaws. To learn more about the top 10 security flaws, including how prevalent they are in applications, languages most affected, and ways to fix the flaws, check out our Vulnerability Hall of Fame webpage. ★★★★
Veracode.webp 2020-12-11 11:15:19 How Password Hashing Algorithms Work and Why You Never Ever Write Your Own (lien direct) Are you fascinated with cryptography? You're not alone: a lot of engineers are. Occasionally, some of them decide to go as far as to write their own custom cryptographic hash functions and use them in real-world applications. While understandably enticing, doing so breaks the number 1 rule of the security community: don't write your own crypto. How do hashing algorithms work and what's special about password hashing? What does it take for an algorithm to get ready for widespread production use? Is security through obscurity a good idea? Let's see. How does password hashing work? Before storing a user's password in your application's database, you're supposed to apply a cryptographic hash function to it. (You're not storing passwords in plain text, right? Good. Just asking.) Any cryptographic hash function converts an arbitrary-length input (a.k.a. "message") into a fixed-length output (a.k.a. "hash", "message digest"). A secure cryptographic hash function must be: Deterministic: hashing the same input should always render the same output. One-way: generating an input message based on a given output should be infeasible. Collision-resistant: finding two input messages that hash to the same output should also be infeasible. Highly randomized: a small change in input should lead to a significant and uncorrelated change in output (a.k.a. "the avalanche effect"). Without this property, applying cryptanalysis methods will allow making predictions about the input based on the Vulnerability Guideline ★★★
Veracode.webp 2020-12-09 16:34:28 Is Your Language of Choice a Major Flaw Offender? (lien direct) In volume 11 of our annual State of Software Security (SOSS) report, we uncovered some valuable nuggets of information about how you, the innovative developers of our world, can craft more secure code. For example, did you know that scanning via API improves the time to remediate 50 percent of security flaws by about 17 days, or that C++ and PHP languages have an alarmingly high number of severe security flaws and need greater attention? It's not enough to simply stay on top of the biggest flaw offenders and the latest trends. If you want to improve the quality of your code, you need to take that information and apply it to the tools, processes, and languages that you use every day. Knowing these trends in application security before you sit down to code means you're prepared to fix them quickly or, even better, prevent them altogether. This year's edition of SOSS comes equipped with a standalone report and an interactive heat map to help you do just that; our Flaw Frequency by Language infosheet explores vulnerability trends in various common languages to highlight everyday risks so that you can get ahead of them. This breakdown of the data, which includes information from 130,000 application scans, tells us which languages tend to house the most critical flaws: High Severity Flaws If C++, PHP, .NET, or Java are your languages of choice, take note: they're prone to some of the riskiest vulnerabilities around. In fact, a whopping 59 percent of C++ applications have high and very high-severity flaws, with PHP coming in at a close second place. Worm Map The worm map above is a visual representation of just how prevalent certain flaws are in the languages they impact the most.
You can see that (despite being in second place) PHP has a high frequency of risky flaws like Cross-Site Scripting (XSS), cryptographic issues, directory traversal, and information leakage exploits. Another interesting note: you can tell from this worm map that Python and JavaScript are quite similar when it comes to flaw frequency, with fewer occurrences of those high-risk flaws. Beat the Heat Further breaking down flaw frequency by language, our interactive heat map is a helpful tool for understanding just how risky some of these exploits can be in your languages of choice. Simply click through the vulnerabilities to see the data, gain insight into why these flaws are so dangerous, and learn how to prepare yourself for tackling Tool Vulnerability ★★★
Veracode.webp 2020-12-08 15:02:20 Government and Education Have the Highest Percentage of Apps With Security Flaws (lien direct) It's been a stressful year, to say the least, for the government and education sector. Government organizations were challenged with pivoting their operations to a digital model while schools were forced to decide between hybrid or remote learning programs for their students. The rise of digital operations has made application security (AppSec) more important than ever. But, in our recent State of Software Security v11 (SOSS) report, we found that compared to other industries, the government and education sector has the highest percentage of applications with security flaws, the second-slowest fix rate, and the second-longest median time to fix flaws. SOSS Gov and Edu How can the government and education sector improve its fix rate and half-life? For this year's SOSS report, we looked at how "nature" and "nurture" contribute to the time it takes to close out a security flaw. We found that the "nature" of applications (size, age, and flaw density) can have a negative effect on how long it takes to remediate a security flaw. But we also found that "nurturing" the security of applications (using DAST with SAST, frequent scanning, using SAST through APIs, steady scan cadence, and using SCA with SAST) can have a positive effect on how long it takes to remediate security flaws. Remediation When looking at the "nature" of government and education applications, it's a bit of a mixed bag. Compared to other industries, government and education have the youngest applications and the smallest organizations, both of which are positive attributes. But, on the other hand, government and education applications are fairly large and have the highest flaw density. In terms of "nurturing," the government and education sector scans more frequently and uses APIs more often than other industries.
But the sector has the lowest ranking for use of DAST and scan cadence and a middle-of-the-road ranking for SCA. Nature vs Nurture In order to improve its median time to flaw remediation and increase its fix rate, the government and education sector needs to start using DAST and SCA more frequently and improve its scan cadence (which should help eliminate security debt). Just using some DevSecOps best practices will not move the needle. Which flaws should the government and education sector keep an eye on? In the government and education sector, 80 percent of applications have security flaws. Of those flaws, we found that Cross-Site Scripting (XSS) and input validation are especially high in the government and education sector when compared to other industries. On a positive note, we found the sector to have a lower-than-average prevalence of CRLF injection flaws. It's important to understand the flaw types affecting your organization and to set rules regarding which flaws should be remediated first. To learn more about the security trends in the government and education sector, download ★★
Last update at: 2024-05-16 07:08:07