What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
Veracode.webp 2020-12-07 14:28:54 Nature vs. Nurture Tip 2: Scan Frequently and Consistently (direct link) In our first blog in this series, Nature vs. Nurture Tip 1: Using SAST With DAST, we discussed how this year's State of Software Security (SOSS) report looked at how both "nature" and "nurture" contribute to the time it takes to close out a security flaw. We found that the "nature" of applications, like size or age, can have a negative effect on how long it takes to remediate a security flaw. But, in contrast, we found that there is some "nurturing", like using dynamic application security testing (DAST) with static application security testing (SAST), that can have a positive effect on how long it takes to remediate security flaws (even if the "nature" is less than ideal). [Figure: Time to remediation] Aside from using SAST with DAST, the second most impactful way to "nurture" the security of applications is by scanning for security frequently. Our SOSS research found that organizations that scan their applications infrequently (less than 12 times in a year) spent about 7 months to close half their open security findings, while organizations that scan their applications at least daily reduced time to remediation by more than a third, closing 50 percent of security flaws in 2 months. [Figure: Scan frequency] And it doesn't just pay to scan frequently; scanning consistently also reduces time to remediation. In fact, organizations that scan with a steady cadence remediate flaws, on average, 15.5 days faster. Why does scanning frequently and consistently improve time to remediation? Frequent, steady scanning is an attribute of a DevSecOps approach. With DevSecOps, security is shifted to the beginning of the software development lifecycle (SDLC). By starting AppSec scans early in the SDLC, there is more time, and usually more resources, to remediate flaws prior to production. 
Organizations following a DevSecOps approach are also more likely to integrate and automate AppSec scans. By integrating and automating scans into the developers' existing tools and processes, you can ensure that scans are happening frequently and on a timeline that works best for your organization. Best of all, when you make it easier for developers to scan by implementing automation, developers will have more time to remediate flaws. What are some steps you can take to improve your scan frequency and cadence? If your organization follows a waterfall approach, chances are, you are scanning sporadically around big releases. Ideally, you want to move toward a DevSecOps approach and scan early and often, not just before a big release. But if your organization isn't able to implement daily scans, a practical next step might be to scan weekly or bi-weekly, and, if you're not already doing so, consider automating your scans. Just keep in mind that our research shows the more you scan, the faster you remediate flaws. For more information on the effects of frequent, steady scanning, or for additional tips on "nurturing" the security of your applications, check out our recent ★★
Veracode.webp 2020-12-03 09:40:55 CI/CD With Veracode Docker Images (direct link) On November 19, Veracode published new, official Docker images for use in continuous integration pipelines. The images, which provide access to Pipeline Scan, Policy (or Sandbox) scans, and the ability to access Veracode APIs via the Java API Wrapper or via HTTPie with the Veracode API Signing tool, make it easy to include the current version of Veracode tools in your automation workflow. Why Docker? Providing official Docker images addresses customer feedback we've received regarding the use of Veracode tools in a pipeline. Without using a Docker image, a customer's script must download the tool each time to the CI/CD runner, adding time to each run, or a customer must implement their own caching mechanism to avoid redownloading the tool every time. Also, any dependencies required by the Veracode tool, including the Java runtime or Python, must be installed on the local machine, potentially raising issues of version compatibility. Last, some continuous integration pipelines, including AWS CloudStar and TravisCI, require external testing tools to be integrated via containers. The Veracode Docker images address these concerns. Docker automatically provides caching and makes it easy to always use the latest version available. Also, the Docker image contains any dependencies required by the Veracode tool. Last, the Docker images are supported by Veracode, addressing concerns from customers about having to write their own image or rely on a community-provided one. Securing Docker images The Veracode Docker image was originally designed and built by Veracode's product security team for internal use in pipelines by Veracode development teams. 
The team has done the following to ensure the images are secure: The Docker images are built and published to DockerHub via continuous delivery pipelines that include the most current version of each included tool and scan the images for vulnerabilities. Each image is run with a de-privileged local user to avoid privilege escalation. The underlying tools are developed with a secure SDLC and are tested with Veracode Static Analysis and Veracode Software Composition Analysis in their own development pipelines. The images are based on well-known and widely used base images. Only the prerequisites absolutely needed for downloading the tools in the images are included. Usage examples Here are a few samples using the images in continuous integration workflows. GitLab examples These examples are drawn from a single workflow that uses all three containers in different stages. (You can see the project in which the workflow is published here.) Pipeline Scan Pipeline Scan Static Analysis: image: veracode/pipeline-scan:latest stage: Security_Scan only: - development script: Tool ★★★
Veracode.webp 2020-11-24 16:44:20 State of Software Security v11: Key Takeaways for Developers (direct link) We recently released volume 11 of our annual State of Software Security (SOSS) report, which analyzes the security activity and history of applications Veracode scanned during a one-year period. Giving us a view of the full lifecycle of applications, that data tells us which languages and vulnerabilities to keep an eye on, and how factors like scanning frequency can impact your remediation time. This year's report also explores the idea of nature vs. nurture when remediating flaws and improving security. In other words, which security factors do developers like you have control over, and which are completely out of your hands? You likely have no control over the size of your organization and even the size of your application ("nature"), but you can "nurture" factors like frequency and scanning via API to improve security efforts. Read on for key takeaways from SOSS v11 and for more information on what you can do to give your application security (AppSec) a boost. Using SAST through API improves remediation time It should be no surprise that the right combination of tools and integrations with frequent scanning means more effective flaw remediation. Data from SOSS v11 backs that up; when running static analysis (SAST) scans through API, organizations can remediate flaws 17.5 days faster on average. [Figure: Remediate Faster] Efforts like more frequent scanning, pairing dynamic analysis (DAST) with SAST, implementing a steady cadence, and using Software Composition Analysis (SCA) with SAST can help you remediate more vulnerabilities faster and keep your security in check. On the flip side, higher flaw density or a larger application greatly slows the remediation process by more than 50 days, especially for larger legacy applications. 
Information Leakage is the most common flaw... ...with CRLF injection, cryptographic issues, and code quality close behind. These four most common flaws didn't change between last year's report and this year's report, which means they're likely not going anywhere anytime soon and important to keep an eye on. [Figure: Common Flaws] For developers, knowing the most common flaws is critical to understanding how they're introduced, how to prevent them, and how to fix them quickly to "nurture" your situation. That's especially important for the most high-risk vulnerabilities, such as Injection flaws like CRLF and SQL that reign supreme on the list of OWASP Top 10 Web Application Security Risks. Open source creates an expanding attack surface You work hard and you work fast. Projects don't slow down or wait for you to write code from scratch, which is why so many developers like you rely on open source libraries and third-party code to speed up production. But there's a problem: open source code, though used virtually everywhere, creates a wider attack surface for threat actors. And even trickier, some languages more heavily utilize op Threat ★★★
Veracode.webp 2020-11-19 16:23:50 Healthcare Orgs: What You Need to Know About TrickBot and Ryuk (direct link) In late October, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) co-authored an advisory report on the latest tactics used by cybercriminals to target the Healthcare and Public Health (HPH) sector. In the report, CISA, FBI, and HHS noted the discovery of "...credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers," which they shared as a warning of potential ransomware attacks. In the report, the agencies found that threat actors are targeting the HPH Sector using TrickBot and BazarLoader malware efforts, which can result in the disruption of healthcare services, the initiation of ransomware attacks, and the theft of sensitive data. As noted in the advisory, these security issues are even more difficult to handle and remediate during the COVID-19 pandemic; something healthcare providers should take into consideration when determining how much to invest in their cybersecurity efforts. The FBI first began tracking TrickBot modules in early 2019 as it was used by cyberattackers to go after large corporations. According to the report, "...TrickBot now provides its operators a full suite of tools to conduct a myriad of illegal cyber activities. These activities include credential harvesting, mail exfiltration, cryptomining, point-of-sale data exfiltration, and the deployment of ransomware, such as Ryuk and Conti." What makes it so dangerous? Researchers found that TrickBot developers created a tool called anchor_dns which uses a single-byte XOR cipher to obfuscate communications and, once de-obfuscated, is discoverable in DNS request traffic. 
When the malware is successfully executed, TrickBot is copied as an executable file and the copy is placed into one of the following directories: C:\Windows\ C:\Windows\SysWOW64\ C:\Users\[Username]\AppData\Roaming\ From there, the executable file downloads modules from command and control servers (C2s) and places them into the host's %APPDATA% or %PROGRAMDATA% directory. Every 15 minutes, the malware runs scheduled tasks on the victim's machine for persistence, and after successful execution, anchor_dns deploys more malicious .bat scripts and implements self-deletion techniques through commands. The report notes that an open source tracker for TrickBot C2 servers is located here. BazarLoader and Ryuk ransomware CISA, FBI, and HHS note in the advisory report that around early 2020, threat actors believed to be associated with TrickBot began executing BazarLoader and BazarBackdoor attacks to infect targeted networks. "The loader and backdoor work closely together to achieve infection and communicate with the same C2 infrastructure," the report says. "Campaigns using Bazar represent a new technique for cybercriminals to infect and monetize networks and have increasingly led to the deployment of ransomware, including Ryuk. BazarLoader has become one of the most commonly used vectors for ransomware deployment." BazarLoader malware usually comes from phishing emails, the advisory says, with a link to a Google Drive document or another file hosting service housing what looks like a PDF file but is really an executable. The emails often appear personal with recipient or employer names in the subject l Ransomware Malware Tool Threat Patching ★★★
Veracode.webp 2020-11-16 15:40:54 Java Crypto Catchup (direct link) In 2017, we started a blog series talking about how to securely implement a crypto-system in Java. How to Get Started Using Java Cryptography Securely touches upon the basics of Java crypto, followed by posts around various crypto primitives: Cryptographically Secure Pseudo-Random Number Generator (CSPRNG), Encryption/Decryption, and Message Digests. We also released a Java Crypto Module for easier dockerization of injectable modules exposing Crypto services via an API. The last time we spoke about this, we were in the Java 8 world. In just 3.5 years we have had 7 new Java versions released! Let's revive this series by first catching up on the latest and greatest happenings in the wider cryptographic community and how that maps to newer Java versions in this post. In the following posts, we will be talking about how to securely write some of the more commonly used cryptographic schemes. Special thanks to my awesome coworkers Jess Garrett and Andrew Shelton for contributing important sections in this post. TL;DR Generic to entire Java Cryptography Architecture (JCA) Looking at what we discussed in the How to Get Started Using Java Cryptography Securely post, the central theme of Java Cryptography Architecture (JCA)[11], defining abstract engine classes for different cryptographic services and having independent implementations through different providers, hasn't changed. Highlighting the most notable changes in JCA: 1. Probably the best enhancement for lazy people like me would be that we no longer need to include the Unlimited strength jurisdiction file. Unlimited strength in algorithms (for example using 256-bit key sizes for symmetric algorithms) comes out of the box. It is enabled by default in the java.security file, with property crypto.policy=unlimited. 2. The security configuration file (java.security) will now be found under the $JAVA_HOME/Contents/Home/conf/security/ folder. 3. 
Third party provider jar files are now treated as libraries rather than extensions. Thus, like any other library jar files, provider jar files will be placed on $CLASSPATH, and not as extensions under the $JAVA_HOME/Contents/Home/jre/lib/ext folder. Secure Random As we discussed in the CSPRNG post, Java already provides algorithms (*PRNG) to safely generate a CSPRNG. To add support for the NIST specified[13] algorithms, Java provides a new algorithm named DRBG. Why Should You Use DRBG? The primary reason to use DRBG is that it is government standardized. Also, the DRBG algorithm specification provides more granular configurations of how the underlying algorithm should work. It still sources entropy from the underlying operating system, in case you were wondering. HowTo: Design and Code It Some of the extra algorithm-specific configurations and our recommendations are: DRBG mechanism: The underlying mechanism being used should be either Hash or HMAC. Defaults to Hash_SHA256, which is perfectly safe. ★★
Veracode.webp 2020-11-16 14:06:22 State of Software Security v11: How to Use the Findings (direct link) As a security professional reading through version 11 of our State of Software Security (SOSS) report, the first statistic that probably stands out to you is that 76 percent of applications have security flaws. It's encouraging to see that only 24 percent of those security flaws are high-severity, but ultimately, having security flaws in more than three-fourths of applications means there is still work to be done. How can you better secure your applications? For this year's SOSS report, we decided to look at the effects of "nature" (factors we can't change, like application size or age) versus "nurture" (factors we can change, like scan frequency) to see how they impact application security. The findings, if put into practice, can significantly improve the security health of your applications. [Figure: Change in half-life] 1. Use DAST with SAST. SOSS research shows that when using dynamic application security testing (DAST) in conjunction with static application security testing (SAST), organizations are able to find and fix flaws almost 25 days faster. Why is this? Perhaps because dynamic scanning highlights to developers that a vulnerability does, in fact, have "real-world" risk. 2. Scan frequently and on a regular cadence. SOSS v11 found that organizations that scan their applications infrequently (less than 12 times in a year) spent about 7 months to close half their open findings, while organizations that scan their applications at least daily reduced time to remediation by more than a third, closing 50 percent of flaws in 2 months. Likewise, organizations that scan their applications on a steady cadence reduced their time to remediation by 15.5 days. To improve scan frequency and cadence, consider automating application security (AppSec) scans into developers' existing processes. [Figure: Scan frequency] 3. Integrate security testing with the API. 
Those scanning via API (and therefore in an integrated and automated way) address half their security findings 17.5 days faster than those not scanning via API. 4. Use SCA with SAST. Just as we highlighted the benefits of using DAST with SAST, it's important to use software composition analysis (SCA) with SAST. Why? First, this year's SOSS report found that 97 percent of the typical Java application is made up of third-party libraries and that almost one-third of applications have more security findings in third-party libraries than native codebase. If you only employ SAST, your attack surface is a lot bigger than you think. In addition, this year's research found that those scanning with both static analysis and software composition analysis improve time to remediation by an average of 6 days. What flaw types should you keep an eye on? As a security professional, you're likely familiar with the OWASP Top 10 Vulnerability
Veracode.webp 2020-11-12 19:49:18 New PCI Regulations Indicate the Need for AppSec Throughout the SDLC (direct link) Last year, the PCI Security Standards Council published the PCI Secure Software Standard and the PCI Secure Software Lifecycle (Secure SLC) Standard as a part of a new PCI Software Security Framework (SSF), also referred to as PCI S3. The SSF offers objective-focused security best practices that outline what a good application security program looks like, with consideration for both traditional and modern payment platforms and evolving development practices. The framework was developed with input from industry experts within the PCI Software Security Task Force (SSTF) and PCI SSC stakeholders. The new SSF recognizes that there is no one-size-fits-all approach to software security. Vendors need to determine which software security controls and features best serve their specific business needs. But the outlined security requirements and assessment procedures help vendors ensure that the right steps are taken to protect the integrity and confidentiality of payment transactions and customer data. The Secure SLC Standard is an important part of the SSF because it helps organizations maintain good application security (AppSec) practices by outlining security requirements and assessment procedures for vendors to ensure that they are managing the security of their payment software throughout the software lifecycle. In order to meet the requirements of the Secure SLC Standard, and in turn the SSF, vendors need to have AppSec as part of their development process from before the first line of code until the product is released. Previous AppSec requirements, like those laid out in the PCI Payment Application Data Security Standard (PA-DSS), a component of the PCI Data Security Standard (PCI DSS), only focused on software development and lifecycle management principles for security in traditional payment software. 
But modern payment software is faster and more iterative, so it needs AppSec to be integrated and automated throughout the entire development lifecycle. The new SSF regulations expanded to include the new methodology and approach for validating modern software security as well as a separate secure software lifecycle qualification framework for vendors, so the PA-DSS will be retired at the end of October 2022. What does this mean for existing PA-DSS validated applications? Existing PA-DSS validated applications will remain on the List of Validated Payment Applications until their expiry dates. At the end of October 2022, PCI SSC will move PA-DSS validated payment applications to the "Acceptable Only for Pre-Existing Deployments" tab. Any new updates to PA-DSS validated payment applications must be assessed under the SSF. A great way to start your journey to SSF compliance is by enrolling in Veracode Verified. Many of the requirements in Veracode Verified map to PCI requirements. Veracode Verified helps you improve your company's secure software development practices and shows the maturity of your program through the completion of a three-tier process. To learn more about the new PCI Software Security Framework, including additional details on migrating from PA-DSS to SSF, check out our recent blog post, The Migration From PA-DSS to SSF: Everything You Need to Know.
Veracode.webp 2020-11-10 09:10:27 In the Financial Services Industry, 74% of Apps Have Security Flaws (direct link) Over the past year, the financial services industry has been challenged with pivoting its operations to a fully digital model, putting the security of its software center stage. Despite the unanticipated pivot, our recent State of Software Security v11 (SOSS) report found that the financial services industry has the smallest proportion of applications with security flaws compared to other sectors, along with the second-lowest prevalence of severe security flaws, and the best security flaw fix rate. [Figure: Financial services chart SOSS] But despite the impressive fix rate, the financial services industry is falling behind when it comes to the time to make those fixes. This is a troubling finding because speed matters in application security. The time it takes for attackers to come up with exploits for newly discovered vulnerabilities is measured in days, sometimes even hours. Letting known vulnerabilities linger unfixed dramatically increases your risk. For instance, it was merely days between disclosure and exploitation of the vulnerability in the Apache Struts framework that led to the Equifax breach. By looking at the data, the reason for the delay in remediation becomes clearer. In the financial services sector, applications tend to be older than those in other industry sectors and the organizations are fairly large. Combined with these challenging factors, developers and security professionals in this industry aren't regularly employing best practices consistent with DevSecOps and known to improve fix rates, such as scanning for security both frequently and regularly and using more than one testing type. [Figure: Nature vs Nurture] What does this mean for the financial services industry? 
The data suggests that for many financial services firms, developers face a challenging environment, with the adoption of additional DevSecOps practices showing the most opportunity for improvement in addressing security flaws. And while talking about flaws, it's worth noting that the most common security flaws in the financial services industry are information leakage, code quality, and CRLF injection. Injection flaws are especially important to keep an eye on since they're the top web application security risk according to the OWASP Top 10. On a positive note, the industry has lower than average cryptography, input validation, Cross-Site Scripting, and credentials management flaws. For more information on software security trends in the financial services industry, check out The State of Software Security Industry Snapshot. Vulnerability Equifax
Veracode.webp 2020-10-29 13:04:48 A Software Security Checklist Based on the Most Effective AppSec Programs (direct link) Veracode's Chris Wysopal and Chris Eng joined Enterprise Strategy Group (ESG) Senior Analyst Dave Gruber and award-winning security writer and host of the Smashing Security podcast, Graham Cluley, at Black Hat USA to unveil the findings from a new ESG research report, Modern Application Development Security. The research is based on a survey of nearly 400 developers and security professionals, which explored the dynamic between the roles, their trigger points, the extent to which security teams understand modern development, and the buying intentions of application security (AppSec) teams. As the presenters went through the data, it led to a larger discussion about AppSec best practices and what steps organizations can take to mature their programs. Here are the best practices laid out during the presentation as an easy-to-follow checklist as well as supporting data from the ESG report. Application security controls are highly integrated into the CI/CD toolchain. In the ESG survey, 43 percent of organizations agreed that DevOps integration is most important to improving AppSec programs, but only 56 percent of respondents answered that they use a highly integrated set of security controls throughout their DevOps process. Integrating security measures into the CI/CD toolchain not only makes it easier for developers to run AppSec tests, but it also helps organizations discover security issues sooner, which speeds up time to deployment. Application security best practices are formally documented. In order to have a successful AppSec program, everyone needs to be on the same page regarding best practices. The CISO should help facilitate the formal documentation of AppSec best practices. Developers and security professionals can reference the list and use it to guide their decisions. 
Application security training is included as part of the ongoing development security training program. Developers have been increasingly tasked with implementing security measures, including writing secure code and remediating vulnerabilities. Most developers don't receive secure code training courses in college, so it is up to organizations to offer security training. But according to the survey, more than 20 percent of organizations only provide training when developers join the team. Developers should have multiple, at-leisure training opportunities throughout the year, like virtual or hands-on programs, such as Veracode Security Labs. Chris Wysopal pointed out the importance of human touchpoints as part of ongoing developer training. If someone is checking in on developers to make sure they're completing their training, they'll likely take it more seriously. Consider a security champions program. The security champions are developers who have an interest in learning about security. If you have at least one security champion on every scrum team, that person can help ensure that their peers are up to speed on the latest security training and best practices. Ongoing developer security training includes formal training programs, and a high percentage of developers participate. At-leisure security training is a great way for developers to learn on their own time. But it is also important to implement formal security training with a set completion date and a skills assessment. Without formal security training, developers may not develop the skills they need to write secure code and remediate vulnerabilities. This could lead to slower and more expensive deployments because of rework or vulnerable code being pushed to production. Accordin Tool Vulnerability Guideline Uber
Veracode.webp 2020-10-27 11:33:42 Announcing the 11th Volume of Our State of Software Security Report (direct link) Today, we released the 11th volume of our annual State of Software Security (SOSS) report. This report, based on our scan results, always offers an abundance of insights and information about software vulnerabilities: what they are, what's causing them, and how to address them most effectively. This year is no different. With last year's SOSS Volume 10, we spent some time looking at how much things had changed in the decade spanning Volume 1 to Volume 10. With Volume 11, we are going to look forward and consider the direction software development is headed. We are not trying to decide if we are doing better or worse than before, but looking at what kind of impact the decisions developers make have on software security. Some key takeaways: Most applications are vulnerable. Our analysis this year found that among 130,000 apps, 76 percent had at least one security flaw. But in the good news department, most apps do not have severe vulnerabilities. Only 24 percent had high-severity security flaws. Back to the bad news: fix rate is still an issue; half of security findings are still open 6 months after discovery. Open source code is expanding the attack surface. Applications increasingly include open source libraries; in fact, many now include more open source than first-party code. This year, we found that 97 percent of a typical Java application is made up of third-party code. And when we looked at our analysis of open source code through Software Composition Analysis vs. first-party code through Static Analysis, we found that almost one-third of all applications have more findings in third-party libraries than in the native code base. There are ways to "nurture" software security, even if the "nature" of your software is less than ideal. This year, we thought about what leads to the state of software security: is it "nature" 
or "nurture"? Is it the attributes of the app that the developer inherits (its security debt, its size) or is it the actions of the developers (how frequently they are scanning for security, or how security is integrated into their processes)? And if it's "nature," is there anything developers or security pros can do to improve security outcomes? This year's research unearthed some surprising, and promising, data surrounding ways to "nurture" the security of your applications, even if the "nature" is less than ideal. For example, those who scan via API (and therefore are integrating and automating security testing) shorten the time to address half their flaws by 17.5 days. See below for the data highlights, and check out the full report for all the data details, plus our advice on how to use the story told by the numbers to improve your own application security program. Guideline
Veracode.webp 2020-10-16 12:17:40 Watch Here: How to Build a Successful AppSec Program (direct link) Cyberattackers and threat actors won't take a break and wait for you to challenge them with your security efforts; you need a proactive application security (AppSec) program to get ahead of threats and remediate flaws quickly. It's critical that you stand up an AppSec program covering all the bases, from which roles each team member will have to alignment on KPIs and goals, and even a detailed application inventory to stay on top of your code. But it isn't enough to simply set ground rules and define your goals; good AppSec programs succeed because they come from the top down, with stakeholders committed at the executive level. This helps maintain accountability and ensures that developers and security professionals are aligned when it comes to targets for flaw remediation. Part of that effort involves standing up a Security Champions program, too, enabling your developers to work alongside security and take ownership over securing their code. If you follow these and other recommendations, your AppSec program should run like a well-oiled machine with the flexibility and security you need to keep creating innovative applications. Watch this video to learn about what goes into building a successful AppSec program, and check out the full How-to Series here. Threat
Veracode.webp 2020-10-14 10:35:14 Hot off the Press: Veracode Named a 2020 Gartner Peer Insights Customers' Choice for AST (direct link) Veracode has been officially recognized by Gartner Peer Insights as a 2020 Customers' Choice for Application Security Testing. The report includes Veracode's aggregate score of 4.6 out of 5 stars out of 95 independent customer reviews (as of July 31, 2020), and of the reviewers, 92 percent said that they would recommend Veracode's AST solutions. Veracode is the largest global provider of application security testing (AST) solutions. Receiving the Customers' Choice distinction just months after Veracode was named a Leader for the seventh consecutive time in the Gartner Inc. 2020 Magic Quadrant for Application Security Testing is a true testament to our solutions. "There is no greater endorsement than the voice and passion of our customers," said Sam King, CEO of Veracode. "This Customers' Choice distinction by Gartner Peer Insights reflects the impact of our best-in-class solutions and customer service. Veracode is committed to helping our customers navigate the ever-evolving application security landscape, with an impassioned focus on empowering developers to both find and fix code defects early in the development process. Thank you to all the Veracode customers worldwide that have made us their trusted partner in secure software delivery." What are our customers saying in their reviews on Gartner Peer Insights? Many tout Veracode's SaaS-based solution as a key benefit. "They operate a 'service-based solution' removing many of the obstacles typical of on-premises scan solutions," stated a May 22, 2020 review by the director of security and risk at a manufacturing company. Our customers also talk about how Veracode empowers developers to find and fix code defects early in the development process.
A director of application development for the government sector remarked in a review on July 24, 2020: "[Veracode] was incredibly easy to implement and we had a high rate of developer adoption. We saw phenomenal results in reducing our security risk within the first six months. We are now several years into product implementation and have grown our adoption with both product and automation." To learn more about Gartner Peer Insights 2020 Customers' Choice for AST and what our customers have to say about our leading application security testing solutions, download the Peer Insights Voice of the Customer report. Disclaimer: Gartner Peer Insights Customers' Choice constitute the subjective opinions of individual end-user reviews, ratings, and data applied against a documented methodology; they neither represent the views of, nor constitute an endorsement by, Gartner or its affiliates. Gartner Peer Insights "Voice of the Customer": Application Security Testing, Peer Contributors, 9 October 2020 Guideline
Veracode.webp 2020-10-14 10:00:02 Introducing Veracode's New Partner Training and Certification Paths (direct link) We are excited to announce the launch of our new partner training and certification paths, open to all authorized Veracode partners. Based on partner feedback, we have designed these paths to provide a deeper understanding of the Veracode story and technical details around application security (AppSec). By enlisting in our training and certification paths, we enable partners to expand their business and support customers in developing a comprehensive AppSec program. Some of the benefits of this new program: Free-of-charge, best-in-class trainings and certifications focused on AppSec. On-demand, self-paced paths that enable partners to learn what they want, when they want. Added visibility for individuals earning their certification with designated badges, showcasing the partner's AppSec expertise. Greater access to leads and joint opportunities for partners with certified individuals. These new training and certification paths give partners a choice of three levels of learning. Through on-demand, self-paced courses they can advance to the level of training that best suits their role – ultimately growing their business through application security offerings. Training levels With this deeper level of knowledge, partners can expand their customer base, and sales and technical teams can support their prospects and customers more effectively in building and managing their AppSec program. As always, we remain committed to our partners who do the important work of caring for customers – whether across the globe or in local and regional markets. We hope these new training and certification paths inspire further collaboration, increased business growth, and an even better experience for customers and prospects.
For more information on our partner training and certification, please contact your Veracode regional channel manager or send an email to partners@veracode.com. Guideline
Veracode.webp 2020-10-08 13:52:44 5 Lessons About Software Security for Cybersecurity Awareness Month (direct link) October is cybersecurity awareness month, and this year, the overarching theme is "Do Your Part. #BeCyberSmart." When considering what "cybersmart" means in application security, we realized we unearthed some data this year that made us a little cybersmarter and could help other security professionals and developers increase their AppSec smarts as well. We're sharing those data gems below. 1. Lack of developer participation in and engagement with security training is a problem. A recent research report, sponsored by Veracode and conducted by Enterprise Strategy Group (ESG), found that most organizations require their developers to consume AppSec training, but 35 percent said less than half of development teams are participating in formal training. In addition, most respondents reported that they lack programs to measure the effectiveness of developer security training. What's the lesson here? Given that developers have been increasingly tasked with implementing security measures, including writing secure code and remediating vulnerabilities, it's vital that they are trained to do so. But it has to be relevant, engaging training that will encourage participation. 2. It's nearly impossible to have effective AppSec without integrating into developer workflows. In the ESG survey, 43 percent of organizations agreed that DevOps integration is critical to improving application security (AppSec) programs. With the speed of development today, security tests that slow or block developers are simply not feasible. Lesson No. 2: AppSec should be integrated and automated. Integrating security measures into the CI/CD toolchain not only makes it easier for developers to run AppSec tests, but it also helps organizations discover security issues sooner, which speeds up time to deployment. 3.
Open source code is pervasive, vulnerable, and typically not checked for security. Our most recent State of Software Security (SOSS) report found that a typical Java application is made up of 97 percent open source and third-party libraries. In addition, our State of Software Security: Open Source Edition report published this year found that 70.5 percent of applications have a security flaw in an open source library. But – shockingly – the ESG report referenced above found that less than 50 percent of organizations scan their open source libraries for security. Why? It's not uncommon for application developers to assume that third-party libraries were already scanned for vulnerabilities by library developers. Unfortunately, you can't rely on library developers to keep your applications safe. The cybersmart practice is to scan third-party libraries on a regular basis. 4. You could be pulling in more open source code than you think. Developers pull in one open source library, but that library is dependent on another library, which is dependent on another library, and so on. In fact, research for our State of Software Security: Open Source Edition report found that most applications have a large percentage of secondary (and tertiary, and more) dependencies. Take a look at the image below taken from our Software Composition Analysis solution. The empty circle in the middle
Veracode.webp 2020-10-05 11:42:27 Veracode Makes DevSecOps a Seamless Experience With GitHub Code Scanning (direct link) Developers face a bevy of roadblocks in their race to meet tight deadlines, which means they often pull from risky open source libraries and prioritize security flaws on the fly. In a recent ESG survey report, Modern Application Development Security, we saw that 54% of organizations push vulnerable code just to meet critical deadlines, and while they plan for remediation on a later release, lingering flaws only add to risky security debt. With speed a critical factor in what makes or breaks the success of your application deployments, that means the health of your code – and your security – is on the line. GitHub Actions are an intuitive way to solve the need for speed without sacrificing quality, helping your developers stay on schedule by enabling them to build, test, and deploy code directly from GitHub. And with over 50 million developers on GitHub, plus more than 200,000 automated fixes merged into GitHub repositories since May of 2019, it's clear that GitHub is a hotspot for developers. When paired with the right application security (AppSec) scan types and SaaS-based approaches, this integration makes GitHub Actions an invaluable part of your development team's workflow. That's why we're excited to announce our new GitHub Action to help streamline your AppSec workflow for the developers on your team. The action is directly embedded within the native GitHub code scanning user interface, ensuring your DevSecOps practices are seamless, efficient, and effective. By making Veracode's AppSec tools accessible in a familiar interface like GitHub, developers on your team can jump right into secure coding with critical testing and analysis that won't halt projects or slow production down.
The Veracode solution to enhanced workflows Developers can perform Veracode's Static Policy Scan or Pipeline Scan and see the results of that scan within the GitHub Security tab. The ability to invoke Veracode's Static Analysis (SAST) scans from within their own GitHub projects significantly expands the testing capability for developers leveraging GitHub workflows, and allows them to build security into their DevOps processes to scale development across their team. That's less downtime and fewer bottlenecks for faster innovation. With such a high frequency of commits flowing through GitHub (more than 2,000 direct contributors made commit contributions to TensorFlow alone in 2019), Veracode's multi-scan and SaaS-based solutions mean that our customers have a leg up when it comes to harnessing GitHub Actions for speed and efficiency. This functionality comes as part of the GitHub code scanning launch, with our GitHub Action available in the GitHub Marketplace. "Veracode is a leader in application security and truly understands the importance of shifting left in the development lifecycle to enable teams to find and fix flaws at scale," says John Leon, VP of Business Development at GitHub. "With software development moving at breakneck speed, this new GitHub Action further enables our joint customers to develop secure software, without compromising speed or quality – all within a familiar interface." Guideline
Veracode.webp 2020-10-01 14:10:28 96% of Organizations Use Open Source Libraries but Less Than 50% Manage Their Library Security Flaws (direct link) Most modern codebases are dependent on open source libraries. In fact, a recent research report sponsored by Veracode and conducted by Enterprise Strategy Group (ESG) found that more than 96 percent of organizations use open source libraries in their codebase. But – shockingly – less than half of these organizations have invested in specific security controls to scan for open source vulnerabilities. Percentage of codebase pulled from open source Why is it important to scan open source libraries? For our State of Software Security: Open Source Edition report, we analyzed the security of open source libraries in 85,000 applications and found that 71 percent have a flaw. The most common open source flaws identified include Cross-Site Scripting, insecure deserialization, and broken access control. By not scanning open source libraries, these flaws remain vulnerable to a cyberattack. Equifax made headlines by not scanning its open source libraries. In 2017, Equifax suffered a massive data breach from Apache Struts which compromised the data – including social security numbers – of more than 143 million Americans. Following the breach, Equifax's stock fell over 13 percent. The unfortunate reality is that if Equifax had performed AppSec scans on its open source libraries and patched the vulnerability, the breach could have been avoided. Why aren't more organizations scanning open source libraries? If 96 percent of organizations use open source libraries and 71 percent of applications have a third-party vulnerability, why is it that less than 50 percent of organizations scan their open source libraries? The main reason is that when application developers add third-party libraries to their codebase, they expect that library developers have scanned the code for vulnerabilities.
Unfortunately, you can't rely on library developers to keep your application safe. Approximately 42 percent of the third-party code pulled directly by an application developer has a flaw on first scan. And even if the third-party code appears to be free of flaws, more than 47 percent of third-party code has a transitive flaw that's pulled indirectly from another library in use. Transitive and direct open source vulnerabilities What are your options for managing library security flaws? First off, it's important to note that most flaws in open source libraries are easy to fix. Close to 74 percent of the flaws can be fixed with an update like a revision or patch. Even high priority flaws are easy to fix – close to 91 percent can be fixed with an update. Patching open source flaws So, when it comes to managing your library security flaws, the concentration should not just be, "How Data Breach Tool Vulnerability Equifax
Veracode.webp 2020-09-24 11:30:45 Watch Here: Using Analytics to Measure AppSec ROI (direct link) Maximizing the value of your application security (AppSec) analytics not only provides a window into whether or not you're meeting security requirements but also helps you prove your ROI. That can be a challenge for a lot of organizations – when stakeholders are not close to the data, they may miss milestones like hitting goals for reducing security debt or even how much the AppSec program has matured according to the data. In this episode of our How-To Series, Anne Nielsen, Principal Product Manager at Veracode, breaks down the ways analytics can help you and your team move your AppSec program forward with data-driven insights. Those insights prove your everyday security efforts to stakeholders and help you see where you may need to give your security procedures a boost, which means they're mission-critical to your AppSec success. Like in any industry, analytics in AppSec are critical to demonstrating progress and ensuring that your organization's stakeholders keep the budget alive for critical AppSec tools and solutions. Veracode Analytics are unpacked in data visualizations and pre-built dashboards so that management and your team members have a clear picture of the results and can use them to guide future investments. Your AppSec program doesn't have to fail because you don't have the right data, or because you're not looking at your data in the right way and properly assessing your findings to remediate the right flaws. Watch this video to learn about Veracode Analytics and measuring your AppSec ROI, including what that means for the health of your security program, and check out the full How-to Series here.
Veracode.webp 2020-09-21 13:35:42 Focus on Fixing, Not Just Finding, Vulnerabilities (direct link) When investing in an application security (AppSec) program, you expect to see a return on your investment. But in order to recognize a return, your organization needs to determine what success looks like and find a way to measure and prove that the program is meeting your definition of success. For those just starting on their AppSec journey, success might be eliminating OWASP Top 10 vulnerabilities or lowering flaw density. But as you begin to mature your program and work toward continuous improvements, you should start measuring your program against key performance indicators (KPIs) like fix rate. Fix rate is used to indicate how fast your organization is closing – or remediating – flaws. The formula for fix rate is the number of findings closed divided by the number of findings open. As you can see in the diagram below, of the 6,609 flaws, 2,581 flaws are open and 4,028 are closed. This means that flaws are remediated at a rate of 16 percent. The faster your organization fixes flaws, the lower the chances of an exploit. For the sake of continuous improvement, you should be finding that your organization is improving its fix rate by remediating flaws faster year over year. Fix rate Using Veracode Analytics to examine fix rate and prove AppSec success. Using Veracode Analytics custom dashboards, you can examine your total fix rate or break it out by application, scrum team, business unit, or geographical location. These dashboards can be shared with stakeholders and executives to show areas where your fix rate is improving or areas that need additional attention and resources. When examining fix rate across applications, you should be finding that your more critical applications have a better fix rate. If that's not the case, you need to be examining the application security policies you have in place for fixing flaws.
High-severity and highly exploitable flaws should be prioritized over low-severity flaws with a lower chance of exploitability. The same logic applies to applications: High-risk applications storing large amounts of sensitive data should be prioritized. When examining the fix rate across scrum teams and locations, you should find that teams and geographical locations are continuously improving their fix rate. If not, you should use the data to tailor future security trainings or to ask stakeholders and executives for additional resources. How does fix rate impact return on investment? By remediating flaws faster, you are reducing the chance of an exploit which could cost your business thousands – even millions – to resolve. For example, Capital One had a third-party vulnerability that was not remediated, and it led to a massive data breach which exposed its customers' social security numbers and bank account numbers. It cost Capital One approximately 150 million dollars to resolve the matter. Faster time to remediation also means faster time to production. Once developers fix all of the flaws defined in their policy, code can be moved to production. If code is moved to production at a faster rate, an organization – and its customers – can start recognizing value from the application sooner. For additional methods on proving AppSec success, check out our re Data Breach Vulnerability
Veracode.webp 2020-09-16 16:10:41 16% of Orgs Require Developers to Self-Educate on Security (direct link) Theoretical physicist Stephen Hawking was spot on when he said, "Whether you want to uncover the secrets of the universe, or you just want to pursue a career in the 21st century, basic computer programming is an essential skill to learn." It's no secret that programming is a thriving career path – especially with the speed of software development picking up, not slowing down. But one critical element of modern programming is missing from Hawking's quote: security. Developers simply aren't taught secure coding practices in school and so often graduate without the foundational security knowledge required to find and fix flaws before they're a problem. And at the same time, now more than ever, you're expected to code with security at top of mind and produce more secure applications without continuous training opportunities at your fingertips. Secure coding conundrum: Spotty developer training Recently, we sponsored Enterprise Strategy Group's (ESG) survey of 378 North American developers and security professionals to gain more insight into the trends in modern application security (AppSec). The results? Developer training is spotty, and it's often unclear who holds the responsibility of seeing it through. "While most [organizations] provide developers with some level of security training, more than 50 percent only do so annually or less often." The report continues, "While development managers are often responsible for this training, in many organizations, application security analysts carry the burden of performing remedial training for development teams or individual developers who have a track record of introducing too many security issues." Developers participating in formal security training
There's a clear disconnect between frequency and educational requirements when it comes to developer training, which leaves most programmers lacking opportunities to learn and grow. Breaking the data down, we see that a mere 15 percent of organizations have the majority of their developers participate in consistent, formal security training. Security training requirements Even more telling about the state of developer education were the numbers that highlighted security training requirements for programmers. For example, 16 percent of organizations say developers are expected to self-educate, while 20 percent only provide training to new developers who join their teams. If organizations aren't putting in the effort to expand security know-how, you might (rightfully) see it as a fruitless exercise. Luckily, changing that narrative is often as simple as integrating developer training tools that are clear, engaging, and provide value. Education that resonates: the right content in the right format ESG lists the ten elements of the most effective application securi
Veracode.webp 2020-09-15 09:53:29 Write Code That Protects Sensitive User Data (direct link) Sensitive data exposure is currently at number 3 in the OWASP Top 10 list of the most critical application security risks. In this blog post, we will describe common scenarios of incorrect sensitive data handling and suggest ways to protect sensitive data. We will illustrate our suggestions with code samples in C# that can be used in ASP.NET Core applications. What is sensitive data? OWASP lists passwords, credit card numbers, health records, personal information and business secrets as sensitive data. Social security numbers, passwords, biometric data, trade memberships and criminal records can also be thought of as sensitive data. What exactly sensitive data means for you will depend on: Laws and industry regulations such as the EU's General Data Protection Regulation (GDPR) or the UK's Data Protection Act (DPA) that govern the use of "personal data". Business requirements. The law may not enforce strict measures around sensitive data that your application creates or stores for its users, but breaching that data would still hurt your users and, by extension, your business. In software applications, we can think of sensitive data as: Most user data (for example, names listed in public user profiles may not be sensitive). Application data (such as session IDs and encryption keys) that helps protect user data from being exposed. Various sources and authorities may have different definitions of sensitive data. However, if you're a business that develops an application that works with user data, it's in your best interest to use a broad interpretation of "sensitive data" and do your best to protect it. What vulnerabilities can lead to sensitive data exposure? Let's discuss some of the most common vulnerabilities that can expose sensitive user data.
Leaking access control that enables forced browsing to restricted content Due to inadequate access control, users who are not expected to see sensitive data may in fact be able to access it, even though the data is not referenced by the application in any way. An attack called forced browsing takes advantage of this situation. Imagine you're a regular user of a web application, and when you look around the UI, you don't see any administrative functionality available. Still, if you manually enter a URL that you think may be available to admin users (such as https://www.myapp.com/admin), you do see the admin UI. This is forced browsing: the application didn't guide you to a restricted resource, but neither did it prevent you from accessing it. Improperly managed sessions When sessions are managed improperly, session IDs of authenticated users are at risk of being exposed, and attackers can take advantage of this to impersonate legitimate users. Two common attacks that are made possible by improper session management are session hijacking and session fixation. Attacks like these can have a severe impact if targeted at privileged accounts and can cause massive leakage of sensitive data. One major reason why sessions can be mismanaged is that developers sometimes write their own custom authentication and session management schemes instead of using battle-tested solutions, and doing this correctly is hard. Insecure cryptographic storage Insecure cryptographic storage refers to unsafe practices of storing sensitive data, most prominently user passwords. This is not about failing to protect data at all, which results in storing passwords as plain text. Instead, this is about applying a wrong cryptographic process or a surrogate, such as: Vulnerability Guideline
Veracode.webp 2020-09-14 15:51:05 43% of Orgs Think DevOps Integration Is Critical to AppSec Success (direct link) It's no secret that the rapid speed of modern software development means an increased likelihood of risky flaws and vulnerabilities in your code. Developers are working fast to hit tight deadlines and create innovative applications, but without the right security solutions integrated into your processes, it's easy to hit security roadblocks or let flaws slip through the cracks. We recently dug through the ESG survey report, Modern Application Development Security, which uncovers some interesting data about the state of DevOps integration in the modern software development process. As the report states, DevOps integration is critical for improving your organization's application security (AppSec) program, as automating and integrating solutions removes some of the manual work that can slow teams down and moves security testing into critical parts of the development process. "DevOps integration reduces friction and shifts security further left, helping organizations identify security issues sooner," the report says. "While developer education and improved tools and processes will no doubt also improve programs, automation is central to modern application development practices." Level of DevOps and AppSec Integration According to the survey results, nearly half of organizations agree; 43 percent believe that DevOps integration is the most important piece of the puzzle for improving their AppSec programs. The report also outlines 10 elements of the most successful AppSec programs, and topping that list is ensuring that your AppSec controls are highly integrated into the CI/CD toolchain. Integration challenges For some survey respondents, that's easier said than done.
Nearly a quarter (23 percent) said that one of their top challenges with current AppSec testing solutions is that they have poor integration with existing development and DevOps tools, while 26 percent said they experience difficulty with – or lack of – integration between different AppSec vendor tools. AppSec tool proliferation is a problem too, with a sizeable 72 percent of organizations using more than 10 tools to test the security of their code. "Many organizations are employing so many tools that they are struggling to integrate and manage them. This all too often results in a reduction in the effectiveness of the program and directs an inordinate amount of resources to managing tools," they explain further. So where should organizations like yours start? By selecting a vendor with a comprehensive offering of security solutions that integrate to help you cover those bases and consolidate solutions while reducing complexity. That's where Veracode shines. We bring the security tests and training tools you need together into one suite so that you can consolidate and keep innovating – securely. And your organization can scale at a lower cost, too: our range of integrations and Veracode solutions are delivered through the cloud for less downtime and more efficiency. Simplifying AppSec We aim to simplify your AppSec program by combining five key analysis types in one solution, all integrated into your develo Tool
Veracode.webp 2020-09-14 12:10:59 The Migration From PA-DSS to SSF: Everything You Need to Know (direct link) Technology is constantly changing and advancing. Payment platforms are no exception. As these new platforms emerge, the software supporting the platform must be reliable and secure. Without secure payment platforms, payment transactions and data could be compromised. The PCI Software Security Framework (SSF) sets standards and requirements for both traditional and modern payment software. The security standards, aimed at vendors, are in place to protect payment transactions and data, minimize vulnerabilities, and defend against cyberattacks. To ensure that vendors are following the standards, Software Security Framework Assessors (SSF Assessors) perform evaluations of the payment software products against the Secure Software Lifecycle (Secure SLC) and Secure Software Standards. [The Secure SLC provides security requirements for payment software vendors to integrate security throughout the software development lifecycle. The Secure Software Standard provides security requirements for building secure payment software that protects the confidential data stored, processed, or transmitted using payment transactions.] Following the evaluations, the PCI Software Security Council (SSC) lists both Secure SLC Qualified Vendors and Validated Payment Software on the PCI SSC website for merchants to reference. The SSF encompasses the same requirements as the Payment Application Data Security Standard (PA-DSS) – such as software development and lifecycle management principles for security in traditional payment software – but at a broader scale. SSF not only validates traditional payment software but also provides a methodology and approach for evaluating modern and future payment software.
The methodology for new and future payment software encourages nimble developments, developer training and secure coding practices, and integration and automation of security into the software development lifecycle. Since separate standards for PA-DSS are no longer necessary, the PCI SSC will retire PA-DSS at the end of October 2022. To help you prepare for the transition from PA-DSS to SSF, here are some need-to-know facts listed on the PCI webpage: Existing PA-DSS validated applications will remain on the List of Validated Payment Applications until their expiry dates. At the end of October 2022, PCI SSC will move PA-DSS validated payment applications to the "Acceptable Only for Pre-Existing Deployments" tab. You can submit new payment applications for PA-DSS validation until June 30, 2021. PCI SSC now lists both Secure SLC Qualified Vendors and Validated Payment Software on the PCI SSC website. PCI will recognize payment software that meets the Secure Software Standard on the PCI SSC List of Validated Payment Software, which will supersede the current List of Validated Payment Applications at the end of October 2022. If you are a PA-DSS validated vendor – or not yet validated by PCI – and need help meeting the new SSF requirements, Veracode can help. A good place to start is our three-tiered Veracode Verified™ program, which offers a proven roadmap to a mature and comprehensive AppSec program and includes many elements required for compliance with security regulations, including PCI SSF. Check out our Veracode Verified webpage to learn more about the program.
Veracode.webp 2020-09-11 15:42:17 Why Application Security is Important to Vulnerability Management (lien direct) It was the day before a holiday break, and everyone was excited to have a few days off to spend with friends and family. A skeleton crew was managing the security operations center, and it seemed as though every other team left early to beat the holiday traffic. Every team other than the vulnerability management (VM) team, that is. Just before it was time to leave for the day, and the holiday break, the phone rang. We were notified of a zero-day vulnerability, and our CISO requested a report on the location of the risk within the enterprise. Does this sound familiar? This happened to me. I was part of the vulnerability management team leading the web application scanning program for a Fortune 100 company. When they announced a major Struts vulnerability targeting SWIFT, my CISO wanted to know exactly where we could find it in our applications. As part of our prioritization efforts at the time, and according to our internal security policy, the VM team was only scanning our external applications dynamically. Sure, the software development lifecycle (SDLC) process included rigorous testing throughout the different stages; however, the data collected in some cases was point-in-time, and this data, if it persisted at all, was not accessible to the VM team. One of the main reasons we continuously analyze our assets is to be aware. You don't just want to know what vulnerabilities are present within your servers, containers, applications, and libraries. You also want to know what else is out there, so that when your CISO asks you where the zero-day vulnerability exists in your enterprise, you can quickly have an informed answer without having to rescan every single asset in your inventory to provide a report. This is why the VM and security function need to be part of the development process.
It's not because security wants to be the persistent nag always asking, "Did you scan it?", "Did you scan it?", but it is their job to be proactive. Yes, I said it. Vulnerability Management is proactive. I can't begin to tell you how many times I've heard people say, "What's the point of vulnerability management anyways? It's just a reactive response to the inevitable." Collecting intelligence from your assets is a proactive measure that allows you to quickly assess the risk and remediate or mitigate as needed. At Veracode, we provide you with the data from your application security program so it can be utilized as part of your vulnerability management program. Do you need to find where Struts exists in your applications? No problem. With software composition analysis, we are able to identify all the libraries you are calling within your application, and we are even able to see what those libraries are calling. If Struts or any other library that poses a risk to your application is identified, we are going to let you know. Whether it be a Common Vulnerabilities and Exposures (CVE) finding or a Common Weakness Enumeration (CWE) category of flaw, we can identify it using static or dynamic analysis. We can then give you this intelligence so that the next time you are asked where the risk is, you can quickly pull from the data you have proactively collected and provide your CISO the risk data necessary to make quick, informed decisions. To learn more about managing vulnerabilities, check out our comprehensive application security solutions. Vulnerability Guideline
Veracode.webp 2020-09-04 11:31:55 AppSec Tools Proliferation Is Driving Investments to Consolidate (lien direct) When it comes to application security (AppSec), it's important to note that no one testing type can uncover every flaw. Each tool is designed with a different area of focus, along with various speeds and costs, so it's necessary to employ a mix of testing types. A good way to think about AppSec testing types is to compare them to health exams. You wouldn't have a cholesterol test and assume your annual physical was complete. Similarly, you shouldn't conduct a static analysis scan and assume you've covered all the bases. In the chart below, you'll notice that static analysis works on any type of application (web, desktop, mobile, etc.) and covers a broad range of programming languages. However, it can't find business logic flaws or alert you to known vulnerabilities in open source components. Penetration testing might look like it can uncover every vulnerability, but it too has its downsides. Penetration tests are manual, so not only are they time consuming and expensive, but the results are also quickly outdated. And, since penetration testing is conducted in staging or production, it often creates unplanned work for the development team. Mix of AppSec scans Most organizations know that they need to implement several testing types. In fact, a recent survey sponsored by Veracode and conducted by Enterprise Strategy Group (ESG) revealed that more than 71 percent of organizations use more than 10 different AppSec tools. But of these organizations surveyed, 84 percent answered that the number of AppSec tools they employ is posing a challenge. Individual AppSec tools in use Multiple testing types are necessary for a mature AppSec program, but they can be challenging to manage. Why do multiple testing types cause a challenge at many organizations? Because most AppSec vendors only offer one or two testing types.
So if an organization chooses a vendor that only offers static analysis, and they want to add more testing types, they have to employ more vendors. Multiple vendors can be challenging for an organization to manage because the scan metrics will appear on separate dashboards, which makes it difficult to assess risk across the enterprise. The ESG study confirms this challenge, with over 40 percent of respondents citing AppSec metrics as an ongoing issue. 34 percent of ESG survey respondents plan to consolidate vendors to alleviate the burden of multiple testing types. Finding one vendor that offers a comprehensive set of AppSec tools (like Veracode) can alleviate the burden of vendor management. Veracode offers static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing which, if used together, can enable your organization to drive down risk across the entire application lifetime from development to testing to production. Veracode Analytics provides metrics for all five offerings in one central location. Having metrics in one place allows organizations to assess the value of their scan types, pinpoint where further investments are needed, and compare the success of their program to similar organizations in the industry. Organizations can share the findings from their analytics with stakeholders or exec Tool
Veracode.webp 2020-09-03 12:56:18 Gartner Summit: Balance Risk, Trust, and Opportunity in an Uncertain World (lien direct) In light of the current pandemic, most organizations will be working remotely for the foreseeable future. But the increase in virtual operations has led to a higher volume of cyberattacks. Now, more than ever, it's vital that your organization is armed with the industry's best application security (AppSec) solutions. But how do you build and secure technology in an uncertain world? It's a balancing act between risk, trust, and opportunity. Chris Wysopal, Veracode Co-Founder and CTO, believes that harmony between risk, trust, and opportunity is achieved when an organization shifts security to the beginning of the software development lifecycle (SDLC). By shifting security left and fully integrating it into the developer's processes, your organization can seize opportunity by deploying new, innovative software faster. Your organization can also seize opportunity by embracing third-party services and technology. But third-party libraries carry their share of risk, so it's important to have software composition analysis integrated into your SDLC. Another tip is to "automate the vendor onboarding process as much as possible" to allow the business to move faster while maintaining acceptable risk. The final piece of the puzzle is building trust. You need consumers to trust that the software you're providing is safe and that customer data will be protected. Veracode Verified is a three-tier program that enables organizations of all sizes to demonstrate how secure their software or services are to buyers. As organizations achieve the steps laid out in each tier of the Veracode Verified program, they receive a seal to post on their webpage. To learn more about balancing risk, trust, and opportunity in an uncertain world, visit our virtual booth at the Gartner Security and Risk Management Summit.
We will be offering product demos, meetings with executives (like Chris Wysopal), and an opportunity to win a Drinkworks Home Bar by Keurig®.
Veracode.webp 2020-09-03 11:31:07 Spring View Manipulation Vulnerability (lien direct) In this article, we explain how dangerous unrestricted view name manipulation in the Spring Framework can be. Before doing so, let's look at the simplest Spring application that uses Thymeleaf as a templating engine: Structure: HelloController.java: @Controller public class HelloController { @GetMapping("/") public String index(Model model) { model.addAttribute("message", "happy birthday"); return "welcome"; } } Because of the @Controller and @GetMapping("/") annotations, this method is called for every HTTP GET request to the root URL ('/'). It takes no request parameters and returns the static string "welcome". The Spring framework interprets "welcome" as a view name and tries to find the file "resources/templates/welcome.html" in the application resources. If it finds it, it renders the view from the template file and returns the result to the user. If the Thymeleaf view engine is in use (the most popular choice for Spring), the template may look like this: welcome.html: Spring Boot Web Thymeleaf Example The Thymeleaf engine also supports file layouts. For example, you can specify a fragment in the template by using and then request only this fragment from the view: @GetMapping("/main") public String fragment() { return "welcome :: main"; } Thymeleaf is intelligent enough to return only the 'main' div from the welcome view, not the whole document. From a security perspective, there may be a situation where a template name or a fragment is concatenated with untrusted data.
For example, with a request parameter: @GetMapping("/path") public String path(@RequestParam String lang) { return "user/" + lang + "/welcome"; // template path is tainted } @GetMapping("/fragment") public String fragment(@RequestParam String section) { return "welcome :: " + section; // fragment is tainted } The first case may contain a potential path traversal vulnerability, but the user is limited to the 'templates' folder on the server and cannot view any files outside it. The obvious exploitation approach would be to try to find a separate file upload and create a new template, but that's a different issue. Luckily for bad guys, before loading the template from the filesystem, Spring's ThymeleafView class parses the template name as an expression: try { // By parsing it as a standard expression, we might profit from the expression cache fragmentExpression = (FragmentExpression) parser.parseExpression(context, "~{" + viewTemplateName + "}"); } So the aforementioned controllers may be exploited not by path traversal, but by expression language inj Vulnerability Guideline
Veracode.webp 2020-08-26 10:42:53 One Veracoder's Tips for Setting Up a Successful Security Champions Program (lien direct) My name is Seb and I'm an application security (AppSec) engineer, part of the Application Security Consultant (ASC) team here at Veracode. My role is to help remediate flaws at scale and at pace, and to help you get the most out of the Veracode toolset. With a background as an engineering lead, I've run AppSec initiatives for government and global retailers. I've found that successful AppSec is all about people. To help bring that "people" element to your AppSec program, a Security Champions initiative is an effective way of turning security-interested developers into security evangelists for your organization. Security Champions become a bridge and a multiplier, transferring knowledge to their own team members and working with security teams to find better, faster, more secure ways of creating secure software. Having interfaced with Security Champions many times, there are some key tips for success that I've picked up, many of which we've implemented at Veracode. Don't underestimate program interest First and foremost, more people will be interested in a Security Champions program than you think. At Veracode, we see a lot of interest and typically have two security champions per team. I've always been surprised by the positive response I receive when starting a Security Champions initiative. Cyber is cool; it's relevant, it has great career opportunities, and it makes a difference. Once you explain the purpose, goals, and rewards involved, you shouldn't have trouble finding Security Champions in your own organization. Make it fun, engaging, and rewarding You'll also need to work to make it "feel" special. You will have just started an elite club, but you can't simply book a room and wash your hands.
To keep it interesting in the past, I've run capture the flag (CTF) games and competitions, brought in external speakers, run training sessions, and even organized for Security Champions to go to training camps and conferences. Your role as the person initiating the Security Champions program is to become a great facilitator, a marketer, and an evangelist for AppSec. If you bring the party, your Security Champions will stay engaged. Work like engineers I also recommend that you organize like a software team. If all your engineers are using SCRUM, an agile framework for development, then run your Security Champions program like a SCRUM team. If they're all using Azure DevOps, run your Security Champions using Azure DevOps as well. It also helps to have a backlog of potential work and groom the backlog together, run sprints, estimate work, and most importantly, run retrospectives. Build a team identity to maximize impact Remember: the same team-building rules apply, and your group of Security Champions is a group of individuals to begin with. If you want the maximum impact through collaboration and open discussion, then you need to invest in building that team and a sense of identity. At Veracode, we have a #security-champions Slack channel where collaboration can occur on Veracode integration projects or to ask questions about secure coding. And it doesn't just have to be engineers. Anyone can be a Security Champion. Anyone can bang the drum, try to help influence secure practices, and be a fan of AppSec. Let security help with developer roadblocks Security team members in a Security Champions group can start to absorb the challenges, tooling, and complexities of what their software teams are going Guideline
Veracode.webp 2020-08-18 16:08:55 69% Say Their AppSec Is Effective but Don't Have Tools to Measure It (lien direct) Veracode recently sponsored Enterprise Strategy Group's (ESG) survey of 378 developers and security professionals, which explored the dynamic between the roles, their trigger points, the extent to which security teams understand modern development, and the buying intentions of application security (AppSec) teams. The first survey question for developers and security professionals was to rate the efficacy of their organization's AppSec program on a scale of zero to 10, zero being "we continually have security issues," and 10 being "we feel confident in the efficacy and efficiency of our program." Two-thirds of the organizations surveyed rated their programs as an eight or higher. And, even more surprising, of that two-thirds, one-third rated their program as a nine or 10. ESG AppSec Effectiveness Veracode's Chris Wysopal, Chief Technology Officer and Co-Founder, and Chris Eng, Chief Research Officer, addressed this finding during an exclusive Black Hat session with ESG, New Data Reveals How AppSec Is Adapting to New Development Realities. During the session, Chris Eng pointed out that organizations are more likely to rank themselves favorably in an online survey (like the ESG survey) than in a face-to-face interaction. Chris Wysopal mentioned that respondents may have been answering based on their own experiences with AppSec and that they may not know what a fully mature AppSec program should look like, therefore overinflating the response to their program's effectiveness. To further gauge the accuracy of the result, Eng and Wysopal reviewed the responses from the follow-up questions. The first follow-up question was, "What percentage of your organization's overall application portfolio codebase is protected by application security tools?"
The results unveiled that approximately 71 percent of organizations use AppSec tools on more than half their codebase. Since around 70 percent of organizations ranked their AppSec programs as effective, it makes sense that a similar number of respondents are actively testing the majority of their codebase. But the next question confirmed Wysopal's suspicions that the developers and security professionals may not be gauging their responses off fully mature AppSec programs. The next question asked, "Have any of your organization's production applications been exploited by OWASP top-10 vulnerabilities in the past 12 months?" The responses showed that 81 percent of organizations are experiencing exploits. There are several factors that could be contributing to the continuation of exploits... and all of the factors point back to the fact that the organizations need to further mature their AppSec programs. How can organizations make the case for AppSec budget? From the ESG survey results, we've established that the respondents' AppSec programs are likely making a positive impact on their organization, but they still need to invest in maturing their programs. Showing the return on investment can help organizations gain additional AppSec budget from stakeholders. But many organizations don't have the tools to quantify the results from their AppSec program. With Veracode Analytics, organizations can see how their AppSec programs are performing through pre-built dashboards and visualizations. The dashboards can be shared with stakeholders to show metrics across all our offerings, displaying the
Veracode.webp 2020-08-18 14:10:39 How 80% of Orgs Can Overcome a Lack of Training for Developers (lien direct) Developer security training is more critical than ever, but data shows us that the industry isn't taking it quite as seriously as it should. A recent ESG survey report, Modern Application Development Security, highlights the glaring gaps in effective developer security training. In the report, we learned that only 20 percent of surveyed organizations offer security training to new developers who join their company, and 35 percent say that less than half of their developers even participate in formal training to begin with. More troublesome, less than half of organizations surveyed for the report require developers to participate in formal training more than once a year. While robust application security (AppSec) tools and solutions help developers learn as they code to get ahead of flaws before deployment, the need to continually remediate only slows teams down and bottlenecks innovation. So how can you get ahead of it? Consistent, engaging training that sticks. Paired with the right scanning and testing tools, training solutions that go beyond checking boxes and watching tutorials are an effective way to embed the knowledge needed to write more secure code. That means less time spent fixing flaws and more time flexing creative muscles to improve your organization's digital footprint. Training techniques that count Recently, Forrester Research published its Now Tech: Static Application Security Testing, Q3 2020, an overview of Static Application Security Testing (SAST) providers and the various benefits companies can realize with SAST. The report also discussed how SAST can integrate with developer solutions to improve engagement and knowledge. It also calls out the important role SAST plays in tandem with hands-on learning tools to reduce remediation time, enhance predictability, and teach developers about modern secure coding practices.
The Forrester report notes that firms that integrate SAST into their software development lifecycle (SDLC) will see an array of benefits, one of which is developer education. With fast feedback in the IDE and pipeline, Veracode Static Analysis provides clear and actionable guidance on which flaws you should be fixing, and how you can fix them faster to improve efficiency. SAST is undoubtedly a critical piece of the puzzle for closing knowledge gaps, but as Forrester's report points out, it shouldn't be viewed as a standalone tool. To drive engagement and adoption, managers leading this effort should integrate their SAST solution with engaging security training for developers to achieve a well-rounded AppSec program that developers want to participate in. A Veracode Security Labs solution At Veracode, we think out of the box when it comes to developer training. Veracode Security Labs closes a lot of gaps for developers looking to get a handle on modern threats and improve efficiency. It uses real applications in contained, hands-on environments that users can practice exploiting and patching. There's even a Community Edition, which is a forever-free version that offers some of the same Enterprise-grade tools to all developers interested in improving security knowledge on their own. Level up without burning out on boring lessons. Veracode Security Labs brings real-world examples into the mix to build muscle memory, which means few Guideline
Veracode.webp 2020-08-13 10:23:39 Breaking Down Risky Open Source Libraries by Language (lien direct) You work hard to produce quality applications on tight deadlines, and like every other development team out there, that often means relying on open source code to keep projects on track. Having access to plug-and-go code is invaluable when you're racing the clock, but the accessibility of open source libraries comes with a caveat: increased risk. In our recent report, State of Software Security: Open Source Edition, we examined the security of open source libraries by studying data from 85,000 applications, including 351,000 unique external libraries. From the data, we evaluated the prevalence of flaws in open source libraries as well as how vulnerable they are, gaining insight into the risk that you might carry when you use open source code in your software development process. While we found that a sizeable 70.5 percent of the applications had an open source flaw on initial scan, some of the most interesting drill-down data came from examining flaws in the top 50 open source libraries broken down by language. The results, highlighted in an interactive infographic, were eye-opening about a few languages in particular. Languages to keep an eye on As an example, JavaScript had more libraries in use than any other language, and a handful stood out as containing risky flaws. In the charts below (taken from our interactive infographic, which you can view in full here), the lighter blue dots represent libraries that have some flawed versions in use, and their placement is relative to the percentage of applications that each specific library is used within. The largest light blue dot hovering around 88 percent represents Lodash, with 401 versions of that library containing a flaw, something to keep in mind when using Lodash in your code. JS PHP also raised some alarms as we dug into the data.
We found that including any given PHP library in your code increases the chance of introducing a security flaw along with that library by more than 50 percent. The flaws it carries are dangerous, too. We uncovered that more than 40 percent of PHP libraries contained Cross-Site Scripting (XSS) flaws, with Authentication and Broken Access Control vulnerabilities close behind. And as you can see in the chart below, the light blue dot towards the right of the scale represents PHPUnit libraries as a flaw offender, with about 63 versions containing a flaw. PHP One of the more colorful charts in our data represents Ruby, of which we uncovered three library versions in use that are known to have been exploited. Those three versions include: Rails: Used in 47 percent of applications written in Ruby, with 337 versions containing a flaw and 133 versions exploited. Action Pack: Used in 49 percent of applications written in Ruby, with 343 versions containing a flaw and 85 versions exploited. Active Support
Veracode.webp 2020-08-11 11:31:15 New ESG Survey Report: Modern Application Development Security (lien direct) As organizations continue to adopt DevSecOps, a methodology that shifts security measures to the beginning of the software development lifecycle (SDLC), roles and processes are evolving. Developers are expected to take on increased security measures, such as application security (AppSec) scans, flaw remediation, and secure coding, and security professionals are expected to take on more of a security oversight role. Developers are taking the necessary steps to adapt to their evolving role and embrace security measures, but they're often at odds with their other priorities, like rapid deployments. Since developers' and security professionals' priorities are frequently misaligned, it can lead to organizational challenges and security gaps. Veracode recently sponsored Enterprise Strategy Group's (ESG) survey of 378 developers and security professionals in North America to better understand the dynamics between these teams and to understand their application security challenges and priorities. The report highlights five key insights: 1. Most think their application security programs are solid, though many still push vulnerable code. Respondents were asked to rate the efficacy of their organization's AppSec program on a scale of zero to 10, zero being "we continually have security issues," and 10 being "we feel confident in the efficacy and efficiency of our program." Two-thirds of the organizations surveyed rated their programs as an eight or higher. And, better yet, two-thirds are using their AppSec scans on more than half their codebase. Despite having a solid AppSec program and leveraging scans, 81 percent of organizations are still experiencing exploits. Why? The research revealed that 48 percent of organizations regularly release vulnerable code to production when they're under a time crunch.
By pushing vulnerable code to production, organizations are putting their applications at risk for a breach. ESG 1 2. Multiple security testing tools are needed to secure the potpourri of application development and deployment models in use today. There is no single AppSec testing type that is able to identify every vulnerability. Each testing type has its strengths and cautions. For example, if you only use static analysis, you won't be able to uncover open source flaws, business logic flaws, or configuration errors. If you only use software composition analysis, you will only identify third-party flaws. The findings showed that most organizations do employ a mix of testing types. However, there are some gaps. For example, only 38 percent of organizations use software composition analysis. Unless those organizations are using penetration testing, they are likely not testing for third-party vulnerabilities. ESG 2 3. Developer security training is spotty, and programs to improve developer security skills are lacking. The survey uncovered that 50 percent of organizations only provide developers with security training once a year or less. Not surprisingly, the survey also uncovered that developers' top challenge is the ability to mitigate code issues. The only way for developers to improve their knowledge of code vulnerabilities is through security training or programs, like Veracode Security Labs, or AppSec solutions that give developers real-time security feedback as Guideline
Veracode.webp 2020-08-07 10:35:04 Live from Black Hat: Breaking Brains, Solving Problems with Matt Wixey (lien direct) Solving puzzles has been a very popular pastime for InfoSec professionals for decades. I couldn't imagine a DefCon without the badge challenge. At Black Hat 2020, Matt Wixey, Research Lead at PwC UK, didn't disappoint as he presented on parallels between puzzle-solving and addressing InfoSec problems. Puzzle (and problem) solving can be taught Solving a puzzle and solving a problem are very similar. They usually involve two primary functions, which may feed into each other in a circular fashion: Understanding the problem Searching for a solution Problem-solving is often thought of as an innate ability that you cannot teach, but that's not true. You can teach comfort with ambiguity and feeling around the edges of the solution to a problem. Problem-solving does not require expertise, but it can help in some circumstances. Experts tend to know more problem schemas and can more easily chunk problems into smaller, manageable parts, so they can recognize that a problem follows the same pattern as a problem they've solved before. However, assumptions can also lead you astray. Puzzle makers may even purposefully lead you astray, playing with your assumptions. In a test where experts and novices were pitted against each other, experts took about as much time to solve problems, but they made fewer mistakes than the novices. The role of bias in problem-solving Problem-solving is subject to the same kind of challenges as decision-making. Biases come in many forms, which can hinder a person from solving a problem. You should be aware of the following biases that may impact your thinking: Problem-Solving Bias Problem-solving in InfoSec Problems in InfoSec are often knowledge-rich and ill-defined. Practitioners range from experts to, because of a chronic skill shortage, many novices. There are ample schemas for these problems.
Wixey asserts that even if you change the "cover story" of the problem, the problem space remains the same. Not telling your colleague the full story may actually be useful in solving the problem in some cases. He encourages diversity in background and expertise, and of course, applying your experience in solving puzzles to real-world problems. Designing the perfect puzzle Designing a puzzle can be difficult and time-consuming. The perfect puzzle has an interesting premise but very little explanation. Hidden "trap door" functions, red herrings, and easter eggs are optional but can add variety to a puzzle. Interesting puzzles may ask something completely unconnected to the premise, but the puzzle should have internal logic, where the answer can be obtained just from the question. It should not require specialist knowledge beyond what you can get from a quick search. A personal lesson learned after generating my first puzzle was to have it field-tested by a few people. I thought that there was a direct, linear path to the solution for a puzzle I created, but there were actually several paths that led to dead ends, which was frustrating to some puzzle solvers. Let's solve some puzzles! At Veracode, we have regular puzzle challenges as part of the Veracode Hackathons. We have people from around the company provide their puzzles based on themes, an Guideline ★★★
Veracode.webp 2020-08-06 17:05:49 Live from Black Hat: Hacking Public Opinion with Renée DiResta (direct link) Psychological operations, or PsyOps, is a topic I've been interested in for a while. It's a blend of social engineering and marketing, both passions of mine. That's why I found the keynote by Renée DiResta, Research Manager at the Stanford Internet Observatory, particularly interesting. The Internet Makes Spreading Information Cheap & Easy. Disinformation and propaganda are old phenomena that can be traced back to the invention of the printing press, and arguably before then. With the advent of the Internet, the cost of publishing dropped to zero. There are no hosting costs on certain platforms, but especially in the beginning, the blogosphere was very decentralized, and it was hard to get people to read your content. With the rise of social media, you can share your content and it can become viral. At the same time, content creation becomes easier. All of this eliminates cost barriers and gatekeepers. State Actors "Hack" Our Opinions. As social media platforms matured, the algorithms that curate content became more and more sophisticated. They try to group people and deliver personalized targeting of content, which allows adversaries to analyze and game the algorithms. State actors don't just influence, they start hacking public opinion, which involves fake content producers and fake accounts. They can do this more effectively because they understand the ecosystem extremely well, typically applying one of four tactics, sometimes in combination: Distract: Taki Hack APT 28 ★★★★★
Veracode.webp 2020-08-06 12:04:27 Live from Black Hat: Practical Defenses Against Adversarial Machine Learning with Ariel Herbert-Voss (direct link) Adversarial machine learning (ML) is a hot new topic that I now understand much better thanks to this talk at Black Hat USA 2020. Ariel Herbert-Voss, Senior Research Scientist at OpenAI, walked us through the current attack landscape. Her talk clearly outlined how current attacks work and how you can mitigate them. She skipped right over some of the more theoretical approaches that don't really work in real life and went straight to real-life examples. Bad inputs vs. model leakage. Herbert-Voss broke down attacks into two main categories. Bad inputs: in this category, the attacker feeds the ML algorithm bad data so that it makes its decisions based on that data. The form of the input can vary; for example, using stickers on the road to confuse a Tesla's autopilot, deploying Twitter bots to send messages that influence cryptocurrency trading systems, or using click farms to boost product ratings. Model leakage: this attack interacts with the algorithm to reverse-engineer it, which in turn provides a blueprint for how to attack the system. One example I loved involved a team of attackers who published fake apps on an Android store to observe user behavior so that they could train their own model to mimic user behavior for monetized applications, avoiding fraud detection. Defending against adversarial machine learning. The defenses against these attacks turned out to be easier than I had thought. Use blocklists: either explicitly allow input or block bad input. In the case of the Twitter bot influencing cryptocurrency trading, the company switched to an allow list. Verify data accuracy with multiple signals: two data sources are better than one. For example, Herbert-Voss saw a ~75% reduction in face recognition false positives when using two cameras.
The percentage increased as the cameras were placed further apart. Resist the urge to expose raw statistics to users: the more precise the data you expose to users, the simpler it is for them to analyze the model. Rounding your outputs is an easy and effective way to obfuscate your model. In one example, this reduced the ability to reverse-engineer the model by 60%. Based on her research, Herbert-Voss sees an ~85% reduction in attacks by following these three simple recommendations. If you'd like to stay up to date on the latest trends in security, subscribe to our blog and follow us on Twitter, ★★★★
Veracode.webp 2020-08-06 10:16:00 Live from Black Hat: Healthscare – An Insider's Biopsy of Healthcare Application Security with Seth Fogie (direct link) Healthcare providers heavily leverage technology. In his talk, Seth Fogie, information security director at Penn Medicine, takes apart different vendor systems at the "fictitious" Black Hat Clinic. Fogie gives a lot of examples and drives home the point that you shouldn't just look at network security... you have to dig deep into the applications to ensure the security of your data. Following the patient's journey. Fogie follows the patient's journey of the now geriatric Alice and Bob, our quintessential victims in the security realm. Taking on the perspective of Mallory, the malicious attacker, he goes to town taking apart one system after another. For example, patient entertainment systems not only let you watch television but also give access to patient data. The first system he looks at provides access to patient health information without authentication and uses client-side authentication for PINs, which is easily overcome when using a proxy server between the client and the server. A different system, a clinical productivity system, has a backdoor with a daily password that is generated with a pre-determined algorithm. Next, he looks at the drug dispensary system, which has an unauthenticated network share. Investigating the binaries, he finds the SQL decryption key. This leads to full system access to the server, which provides access not only to user data but to a full table of encrypted passwords that they were able to decrypt using the same decryption key. Fogie then looks at the temperature monitoring system that is used to chill blood bags, insulin, and other drugs.
Using Wireshark, he finds a few authentication codes and passwords. (Around this point my head and keyboard start to smoke as Fogie speeds through his results faster than I can screenshot.) [image: Findings Summary]. In the end, he compromises all seven systems, mostly through the use of client software. No vendors are harmed in this presentation, as Fogie blurred out all screens. He also worked with vendors to notify them of the security issues. Where software was no longer maintained, he patched the client software himself by setting a unique and complex password for a backdoor he found. Managing 225,000 patient records, Black Hat Clinic could have been on the hook for millions of dollars in fines. Healthcare records are particularly popular on the dark web because they often contain a lot of information that helps fraudsters steal the identity of their victims and use their credit. Guideline ★★
Veracode.webp 2020-08-05 13:33:41 Live From Black Hat: Stress-Testing Democracy - Election Integrity During a Global Pandemic with Matt Blaze (direct link) Technology and elections are heavily interrelated, but it wasn't always that way. We started to adopt technology once we weren't able to fit everyone into a town hall. The first piece of technology was simply a piece of paper and a ballot box. We may not think of it as technology, but the ballot box can be tampered with. That technology gave us ballot secrecy, a trait that a hand-raise in the town hall didn't. This raised the bar to a level that has been expected from other voting technologies since then, which can be tougher to meet with voting machines and electronic evaluation of ballot boxes. Our confidence in the outcome of an election depends on the integrity of the methodology we use to do this. Stress Testing Democracy at Black Hat 2020. Matt Blaze, this year's Black Hat keynote speaker, is a researcher in the areas of secure systems, cryptography, and trust management. He is currently the McDevitt Chair of Computer Science and Law at Georgetown University. Blaze has been working on election security for years. He's never encountered a problem bigger and more complex than democratic elections. The reason for this is that the requirements are contradictory: we don't want to be able to figure out how someone voted, but we want transparency into whether or not our vote was counted as cast and that the system is not corrupted. The paper ballot box seems to do this pretty well, and other technology solutions require you to be a lot more clever. Another snag is that you cannot recover from a bad election very easily. You can't redo it easily before the term is up. U.S. voting is highly decentralized Hack ★★★★★
Veracode.webp 2020-08-03 10:57:37 Man vs. Machine: Three-Part Virtual Series on the Human Element of AppSec (direct link) In 2011, when IBM's Watson supercomputer went up against "Jeopardy" icon Ken Jennings, the world watched as a battle of man vs. machine concluded in an impressive win for Watson. It wasn't simply remarkable that Watson could complete calculations and source documents quickly; the real feat was the brainpower it took to create fine-tuned software with the ability to comprehend questions contextually and think like a human. But Watson wasn't without fault, struggling to understand some "Jeopardy" categories that were a little too specific and reminding us that human beings still play a critical role in the successes (or failures) of modern technology. In application security (AppSec), there is no single set-it-and-forget-it solution that will ensure the health and fortitude of your code. Like Watson, the software can't operate to its fullest potential without the right brainpower behind it, requiring thoughtful minds to understand where solutions plug in and to check code in ways that software cannot. The human element of ingenuity. Automation in AppSec testing tools is a prime example. It plays a critical role in scaling security operations and scanning for vulnerabilities to find them before they become expensive headaches. While that undoubtedly boosts efficiency and speed in the background, there's a human element of ingenuity and adaptability that you can't ignore: cyberattackers. They pivot quickly to crack your code whether you automate or not, which means your developers and security professionals need to be just as agile and close knowledge gaps to stay one step ahead as they leverage the right testing tools in the background.
And while having a full range of scanning solutions integrated into your software development process will help you find and fix common flaws, Manual Penetration Testing (MPT) is crucial for uncovering categories of vulnerabilities, like business logic flaws, that you can't automate with software. The bottom line: man and machine need to work together in AppSec, because like Watson, it takes a village of brainpower to come out on top. There's a lot to explore in the realm of man vs. machine, which is why we're excited to partner with HackerOne for upcoming virtual events that uncover the ways you can work with technology, not against it. In this three-part series, we're delving into topics like crowdsourced testing and automation to examine how you can strike the balance between capable software solutions and human-powered security. Here's the lineup: Part One | Man with Machine: Adapting SDLC for DevSecOps. To keep pace with modern software development, DevOps must work continuously to deliver applications to various infrastructure environments, automatically pushing code changes as they arise. Traditional security practices bog down development, frustrating development teams and causing unnecessary friction. This talk will cover the ways development and security teams can work together with automation and human-powered security at the speed of innovation. Join Veracode's Chris Kirsch and Chris Wysopal as they chat with HackerOne's CTO and Co-Founder Alex Rice to learn: how security and development teams can partner to create a continuous feedback loop without hampering innovation; how security becomes a competitive advantage through balancing speed with risk; and how to engage a diverse and creative pool of talent not available in traditional firms to test business-critical applications. When: August 19th at 1:00 PM EST. Register here. Part Two | Hacking Remote: Leveraging Automation Guideline ★★★★
Veracode.webp 2020-08-03 10:06:32 New Data Reveals How AppSec Is Adapting to New Development Realities (direct link) In today's fast-paced world, companies are racing to bring new, innovative software to market first. In order to keep up with the speed of innovation, many organizations are shifting toward DevSecOps. DevSecOps brings security to the front of the software development lifecycle (SDLC), allowing for both fast deployments and secure applications. Even though DevSecOps is able to meet the needs of both developers and security professionals, the teams are laser-focused on their own metrics and objectives, making it a challenge to align. This is further exacerbated by the fact that most security teams lack an understanding of modern application development practices and most developers lack secure code training. Veracode recently sponsored Enterprise Strategy Group's (ESG) research on modern developers and security professionals in North America to better understand the dynamic between the roles and to find ways to bridge the gap. The main objectives of the research were to: examine the buying intentions of application security (AppSec) teams and developers regarding application security solutions; gauge buyer preferences for different types of vendors' application security solutions; determine the extent to which security teams understand modern development and deployment practices, and where security controls are required to mitigate risk; understand the trigger points influencing application security investments and how decision-makers are prioritizing and timing purchasing decisions; and gain insight into the dynamics between development teams and security teams with respect to the deployment and management of application security solutions. The research shows that AppSec scans are widely used across organizations, and, in most cases, organizations are happy with the current state of their programs.
But the research also supports the misalignment between developers and security professionals, reinforcing the lack of security training for developers and promoting the need for security tools to be further integrated and automated into existing developer processes. Here are some of the key findings: Most organizations believe their AppSec programs are effective. When asked to rate the efficacy of their organizations' AppSec program on a scale of zero to 10, zero being "we continually have security issues" and 10 being "we feel confident in the efficacy and efficiency of our program," 69 percent of organizations rated their programs as an eight or higher. And not only are organizations pleased with the current state of their AppSec programs, but a sizeable 71 percent are also using their scans on more than half of their codebase. These numbers are reassuring; but, despite AppSec tool usage, 81 percent of organizations are still experiencing exploits. When digging further, we found one major reason for the exploits: more than 85 percent of respondents admitted to releasing vulnerable code to production due to time constraints. When asked who makes the decision to push code to production, the answer varied from development managers to security professionals, or both. Developers do not have the tools and training needed to be successful. Arguably one of the most shocking findings from the research: only 15 percent of organizations reported that all of their development teams are participating in formal security training. And developers' top challenges were identified as the ability to mitigate code issues and the lack of integration between AppSec tools and vendor tools. Given that developers are involved in the decision to push code live at more than 68 p Tool ★★★
Veracode.webp 2020-07-31 16:28:12 Why is Dynamic Analysis an Important Part of Your AppSec Mix? (direct link) By now, most are familiar with the concept of DevSecOps. With DevSecOps, application security (AppSec) is moved to the beginning of the software development lifecycle (SDLC). By scanning earlier in the SDLC, you are able to find and fix flaws earlier. This can result in significant time and cost savings. Most organizations understand the importance of static analysis, which scans for flaws during development, but dynamic application security testing (DAST) is just as important. Unlike static analysis, DAST scans for flaws during runtime. It's able to detect configuration errors and validate vulnerabilities found through other AppSec testing techniques. It's vital to scan your applications at runtime because the vulnerabilities found are not just theoretical, they are proven to be exploitable. This means that the likelihood of a false positive with DAST is very low. How does DAST work? DAST interacts with the application like an attacker. It starts by performing a crawl to understand the application's architecture, including links, text, form fills, and other page elements that a user could potentially interact with. It also picks up on attack points that are less visible to the user, such as header values, cookies, and URL parameters. The scanner then audits the objects and attributes discovered by the crawl and sends attacks, like Cross-Site Scripting and SQL Injection, to the objects/attributes to see if they have any exploitable vulnerabilities. What are the benefits of Veracode's DAST solution? Veracode's DAST solution, dynamic analysis, can be easily automated, provides accurate and actionable results, and returns results in a timely manner.
This is very beneficial for both security professionals and developers because it doesn't add extra work for developers, and it isn't a time-consuming scan that will significantly slow down time to deployment. In fact, 65 percent of our dynamic analysis scans finish in five hours, and 70 percent finish in eight hours. Best of all? Our false positive rate is less than one percent, so developers can start on remediation right away. What is an AppSec mix and why is it important? No two scan types are created equal. They are all designed with a different area of focus, along with various speeds and costs. For example, if you only use static analysis and dynamic analysis, you won't uncover third-party vulnerabilities. If you only use penetration testing, you won't be able to automate the process, which will slow down your time to deployment and cost a substantial amount of money. A major benefit of Veracode is that all of our solutions are on one platform. So whichever scan types you decide to add to your AppSec program, it will be cost-efficient and low maintenance, and you will have a cohesive reporting toolset that shows your security posture in one place. For more information on Veracode's Dynamic Analysis, including common challenges associated with production scanning and how to find the right mix of assessment types, download our technical whitepaper. ★★
Veracode.webp 2020-07-30 10:25:39 Announcing Veracode Security Labs Community Edition (direct link) We recently partnered with Enterprise Strategy Group (ESG) to survey software development and security professionals about modern application development and how applications are tested for security. The soon-to-be-announced survey found that 53% of organizations provide security training for developers less than once a year, which is woefully inadequate for the rapid pace of change in software development. At the same time, 41% say that it's up to security analysts to educate developers to try to prevent them from introducing significant security issues. So, where's the disconnect? Communication breakdowns and misaligned training priorities between security and development teams are part of the problem. As developers are being asked to "Shift Left" to take on more responsibility for secure code earlier in the software development lifecycle, it's increasingly important for developers to get the training they need to create not just world-class applications, but ones that have security designed in from the beginning. Enterprise-grade tools for all developers. Veracode Security Labs Enterprise Edition is perfect for engineering teams, but we wanted every individual developer to have access to the same quality of training, from casual hobbyists to professionals interested in improving their secure coding skills. I'm excited to announce Veracode Security Labs Community Edition, where developers worldwide can hack and patch real applications to learn the latest tactics and security best practices with guidance while exploring actual code on their own time; and it's free! With Veracode Security Labs Community Edition, you now have the tools you need to close any gaps in security knowledge that are holding you back.
It's a module that fits within the Veracode Developer Training product family, featuring tools and robust programs built with interactivity in mind so that developers can get their hands on a practical training tool at a moment's notice. Here are the differences between the Community Edition and Enterprise Edition: [image: Security Labs Editions]. While the Enterprise Edition has features that support the efforts of development teams with full compliance-based curricula, rollout strategies, and progress reporting, the Community Edition offers selected topics and one-off labs for individuals who are looking to strengthen their security knowledge. Though there are differences that enable scalability for organizations and teams, the benefits for individual developers remain the same: the ability to exploit and remediate real-world vulnerabilities to learn what to look for in insecure code; fast and relevant remediation guidance in the context of the most popular programming languages; easy and fun hands-on training that provides professional growth; and improved security knowledge while building confidence through interactive trial and error. When you practice breaking and fixing real applications using real vulnerabilities, you become a sharper, more efficient developer, especially with a variety of challenges to choose from as you go. We plan to expand the number of labs and challenges over time, but initially the Community Edition will cover topics ranging from beginner to advanced, including: Hack Tool Vulnerability ★★★★
Veracode.webp 2020-07-15 12:48:58 The Texas Cybersecurity Act: What You Need to Know (direct link) Texas passed House Bill 8 relating to cybersecurity for state agency information resources. The bill sets mandatory practices for state agencies, institutes continuous monitoring and auditing of network systems, adds protections for student data privacy, and updates the penalties for cybercrimes. As Texas House Speaker Joe Straus commented, state agencies are now expected to be "good stewards of private data." There is a cybersecurity council that oversees the state agencies to ensure that the agencies are following all new requirements and researching and reporting back on cybersecurity threats on a regular basis. Cybersecurity practices are now considered by the Sunset Advisory Commission, an agency of the Texas Legislature, when determining whether to reform, continue, or abolish a Texas state agency. The bill also requires the Department of Information Resources, or DIR, to implement a five-year plan to address cybersecurity risks. The DIR will establish an information sharing and analysis center (ISAC) to share news regarding cybersecurity threats, best practices, and remediation advice. It will also provide mandatory training for state agencies. According to Texas Government Code § 2054.515(a-b), state agencies are now required to "conduct an information security assessment of the agency's network systems, data storage systems, data security measures, and information resources vulnerabilities at least once every two years and to report the results to the DIR." State agencies are also required to submit a data security plan and show proof of penetration tests of their website and mobile applications every other year. Colleges and universities in Texas are also required to protect the confidentiality of information on their websites or mobile applications.
If an agency or institution experiences a data breach, they are mandated to inform all affected parties of the incident. Lastly, the Texas secretary of state is required to test the election infrastructure for vulnerabilities and report back on the findings. The findings need to be made publicly available. For more information on the Texas Cybersecurity Act, please download House Bill 8 or read the synopsis provided by the Texas Comptroller. Veracode can help. If you are a state agency or educational institution operating in Texas, Veracode can provide you with the application security testing tools necessary to remain compliant with state regulations. As Nikki Veit, Director of Application Development for the State of Missouri, expressed, "When we first started scanning, there were a lot of non-compliant applications. But Veracode was really easy to use, and developers were able to go in and scan early and often. In the first eight months, we had 18,000 flaws fixed. It was just phenomenal." Check out our success story for the State of Missouri to see how we helped them scale an AppSec program across 365 applications and 14 state agencies. ★★★
Veracode.webp 2020-07-14 11:22:25 What Does it Take to be a Rockstar Developer? (direct link) If there's one thing you need to value as you move through your career as a modern software developer, it's the importance of security. With application layers increasing and the shift left movement bringing security into the picture earlier in the development process, security should be top of mind for every developer working to write and compile successful code. But many developers leave school without the security knowledge they need to write secure code, something nearly 80 percent of developers from our DevSecOps Global Skills Survey can attest to. As with any profession, there's always room to learn and grow on the job, especially in software development, where projects move at the speed of "I need that fixed yesterday." To be a rockstar developer in today's world, you have to be fast to fix flaws, smart about your prioritization, and quick to release secure software your customers can count on. For most organizations, hitting tight deployment deadlines without compromising security means shifting scans left in the software development lifecycle (SDLC) by integrating security into the IDE with fast feedback that helps developers learn as they write their code. It also involves bolstering development team members who are passionate about the health of their code and focusing on educating the entire organization about the importance of security. Treating security as an afterthought is no longer an option, and as a dynamic developer, it's something you can help change. Shifting security left lessens the risk of needing to fix found flaws down the road (which can cost your business a pretty penny). But there's a lot that can be done, both by developers and security leadership, to trickle knowledge down and bridge the gap that so often leaves team members siloed.
Whether you're just starting out as a junior-level developer or you're wondering how you can take your established career to the next level, there are eight key things that you can do to enhance your security skills, from hands-on learning courses to thinking like an attacker and becoming a security champion on your team. Read on: By arming yourself with the knowledge you need to write more secure code and becoming a security champion, you'll be a more dynamic developer who can help facilitate coding and scanning needs during production, and you'll stand out as a leader on your team who takes the health of your applications seriously. Ready to help your organization shift left by unifying security and development? Browse the developer resources section of the Veracode Community to gain more insight into secure coding and help improve your organization's application security by becoming a rockstar developer. Guideline ★★★★
Last update at: 2024-05-16 20:08:17