SEC News

What's new arround internet

Last one

Src	Date (GMT)	Titre	Description	Tags	Stories	Notes
	2024-02-05 10:45:38	Un guide de démarrage pour Veracode Dast Essentials A Getting Started Guide to Veracode DAST Essentials (lien direct)	La critique du rôle des tests de sécurité des applications dynamiques (DAST) Les applications Web sont l'un des vecteurs les plus courants pour les attaques, représentant plus de 40% des violations, selon le rapport de violation de données de Verizon \\.Les tests de sécurité des applications dynamiques (DAST) sont une technique cruciale utilisée par les équipes de développement et les professionnels de la sécurité pour sécuriser les applications Web dans le cycle de vie du développement logiciel. En fait, le rapport sur l'état de la sécurité des logiciels de Veracode \\ révèle que 80% des applications Web ont des vulnérabilités critiques qui ne peuvent être trouvées qu'avec une solution de test de sécurité des applications dynamiques.Mais les pratiques de développement de logiciels modernes hiérarchisent les délais serrés.La demande est des versions plus rapides sans introduire de vulnérabilités, ce qui rend difficile pour les équipes de hiérarchiser la sécurité.Les tests de sécurité doivent fonctionner et évoluer dans la fréquence de votre vitesse et de libération de DevOps. Début avec Veracode Dast Essentials Veracode Dast Essentials est une application dynamique… The Critical of Role of Dynamic Application Security Testing (DAST) Web applications are one of the most common vectors for attacks, accounting for over 40% of breaches, according to Verizon\'s Data Breach Report. Dynamic application security testing (DAST) is a crucial technique used by development teams and security professionals to secure web applications in the software development lifecycle. In fact, Veracode\'s State of Software Security Report reveals that 80% of web applications have critical vulnerabilities that can only be found with a dynamic application security testing solution. But modern software development practices prioritize tight deadlines. The demand is for faster releases without introducing vulnerabilities, making it difficult for teams to prioritize security. Security testing needs to work and scale within your DevOps speed and release frequency. Getting Started with Veracode DAST Essentials Veracode DAST Essentials is a dynamic application…	Data Breach Vulnerability		★★
	2024-01-22 05:10:56	Outils de sécurité cloud essentiels pour les devsecops efficaces Essential Cloud Security Tools for Effective DevSecOps (lien direct)	La mise en œuvre d'une approche DevSecops est le facteur clé le plus impactant dans le coût total d'une violation de données.Les DevseCops réussis dans un monde natif du cloud sont aidés par les bons outils.Voici une poignée des outils de sécurité du cloud les plus essentiels et ce qu'il faut rechercher pour aider DevseCops. Top outil de sécurité du cloud essentiel pour DevSecops: analyse de composition logicielle L'analyse de la composition logicielle (SCA) est le pain et le beurre des outils de sécurité du cloud pour des Devsecops efficaces et la sécurisation de la chaîne d'approvisionnement des logiciels. Pourquoi cela compte: les logiciels open source (OSS) sont pratiques, mais il est livré avec quelques captures.Il y a des vulnérabilités, des mises à jour manquées et un risque de licence pour s'inquiéter.C'est là où SCA entre en jeu. SCA adopte une approche proactive pour trouver ces risques tôt.Quelques choses que vous souhaitez rechercher lorsque vous choisissez le bon outil SCA pour vous: Contrôle continu Rapports et analyses avec référence par les pairs Guide de remédiation et suggestions Dépendance… Implementation of a DevSecOps approach is the most impactful key factor in the total cost of a data breach. Successful DevSecOps in a cloud-native world is aided by the right tools. Here are a handful of the most essential cloud security tools and what to look for in them to aid DevSecOps. Top Essential Cloud Security Tool for DevSecOps: Software Composition Analysis Software Composition Analysis (SCA) is the bread and butter of cloud security tools for effective DevSecOps and securing the software supply chain. Why it matters: open-source software (OSS) is handy, but it comes with a few catches. There are vulnerabilities, missed updates, and license risk to be worried about. That\'s where SCA comes in. SCA takes a proactive approach to finding these risks early. A few things you want to look out for when picking the right SCA tool for you: Continuous Monitoring Reporting & Analytics with Peer Benchmarking Remediation Guidance & Fix Suggestions Dependency…	Data Breach Tool Vulnerability Cloud		★★★
	2023-11-12 22:55:15	Sécuriser vos applications Web et vos API avec Veracode Dast Essentials Securing Your Web Applications and APIs with Veracode DAST Essentials (lien direct)	Les applications Web sont l'un des vecteurs les plus courants pour les violations, représentant plus de 40% des violations selon le rapport de violation de données de Verizon \'s 2022.S'assurer que vos applications Web sont suffisamment protégées et continuent d'être surveillées une fois qu'elles sont en production est essentielle à la sécurité de vos clients et de votre organisation. Rester en avance sur la menace Les attaquants recherchent constamment de nouvelles façons d'exploiter les vulnérabilités et de violer les applications Web, ce qui signifie que à mesure que leurs méthodes mûrissent et deviennent plus agressives, même les applications les plus développées peuvent devenir vulnérables.Les organisations qui effectuent uniquement des tests de pénétration annuelle sur leurs applications Web peuvent se laisser ouvertes à une violation qui pourrait être facilement empêchée par une analyse de production régulière. La sécurité des applications décrit une collection de processus et d'outils axés sur l'identification, la correction et la prévention des vulnérabilités au niveau des applications tout au long du développement logiciel… Web applications are one of the most common vector for breaches, accounting for over 40% of breaches according to Verizon\'s 2022 Data Breach Report. Ensuring that your web applications are sufficiently protected and continue to be monitored once they are in production is vital to the security of your customers and your organization. Staying Ahead of the Threat Attackers are constantly looking for new ways to exploit vulnerabilities and to breach web applications, which means that as their methods mature and they become more aggressive, even the most securely developed applications can become vulnerable. Organizations that only perform annual penetration tests on their web applications may be leaving themselves open to a breach that could be easily prevented with regular production scanning. Application security outlines a collection of processes and tools focused on identifying, remediating, and preventing application-level vulnerabilities throughout the entire software development…	Data Breach Tool Vulnerability Threat		★★
	2023-10-18 11:21:23	Sécuriser les applications Web: la liste de contrôle d'une CISO \\ pour les leaders technologiques Securing Web Applications: A CISO\\'s Checklist for Tech Leaders (lien direct)	En tant que CISO, sécuriser les applications Web et assurer leur résilience contre l'évolution des cyber-menaces est une priorité non négociable.Le rapport sur les enquêtes sur les violations de données de Verizon \\ cite les applications Web comme le vecteur d'attaque supérieur par un tir à long terme (en violation et en incidents).Voici une liste de contrôle simplifiée pour sécuriser les applications Web qui vous aideront à améliorer la posture de sécurité de votre organisation et l'intégrité de votre technologie. Évaluation des risques et menaces d'application Web Une première étape puissante dans la sécurisation des applications Web est la découverte.Vous ne pouvez pas sécuriser ce que vous ne savez pas!Commencez par un inventaire de votre logiciel ou de votre portefeuille d'applications pour comprendre les sources de risque et ce que vous souhaitez hiérarchiser. Pour certains, cela peut être simple.Pour d'autres, ce sera un inventaire essentiel de ce qui constitue votre processus logiciel et de développement.Voici quelques questions à considérer dans votre évaluation de votre portefeuille: Combien d'applications avez-vous? Où résident-ils? OMS… As a CISO, securing web applications and ensuring their resilience against evolving cyber threats is a non-negotiable priority. Verizon\'s Data Breach Investigations Report 2023 cites web applications as the top attack vector by a long shot (in both breaches and incidents). Here\'s a simplified checklist for securing web applications that will help you improve your organization\'s security posture and the integrity of your technology. Assessing Web Application Risk and Threats A powerful first step in securing web applications is discovery. You can\'t secure what you don\'t know about! Start with an inventory of your software or application portfolio to understand sources of risk and what you want to prioritize. For some this may be simple. For others it will be an essential inventory of what makes up your software and development process. Here are some questions to consider in your assessment of your portfolio: How many applications do you have? Where do they reside? Who…	Data Breach		★★
	2022-10-04 11:20:28	How to See Yourself in Cyber: Top Tips from Industry Leaders (lien direct)	It's 2022 and as we all know, the world is a very different place. However, one thing that has not changed is the importance of cybersecurity. In fact, it's more important now than ever before, as the SolarWinds hack and Executive Order prove. That's why for Cybersecurity Awareness Month this year, we asked cybersecurity pioneers and leaders to get their insights on staying cyber safe. Here are their thoughts on CISA's 4 Things You Can Do to See Yourself in Cyber. Enable Multi-Factor Authentication “With the continued rise in cybercrime, there are a few simple steps every person should take to protect themselves, if they aren't already. CISA's first recommended step to stay 'cyber-safe' is to implement multi-factor authentication. It significantly lessens the likelihood of being hacked via unauthorized access and compromised credentials, which, according to Verizon's 2021 Data Breach Investigations Report, were the gateway for 61% of data breaches. Enabling multi-factor…	Data Breach Hack Guideline		★★
	2021-07-26 09:56:06	Announcing the Veracode Security Labs FREE Trial (lien direct)	We're excited to announce a new free trial option of Veracode Security Labs that allows new users to try the full Enterprise Edition for 14 days. Why is this hands-on training solution so critical? Developers are the backbone of the software that powers our world today, but when they lack security skills, it's harder for them to keep up with the rapid pace of modern software development while still producing secure code. Veracode Security Labs helps close these skill gaps by giving developers that inimitable hands-on experience, and now with this two-week trial, you'll have plenty of time to try out these hands-on-keyboard labs with your developers and see just how effective it is in real-time. “Veracode Security Labs engages and actively teaches developers by giving them a containerized space to work with real code and demonstrates how to avoid flaws that have led to some of the headline-making vulnerabilities of the last few years,” says Ian McLeod, Chief Product Officer at Veracode. “With this approach, in as little as five to 10 minutes, developers can learn new skills and deliver secure code on time.” Developer training with tools like Security Labs is critical as vulnerabilities in code are easily weaponized-and they're not going away anytime soon. Verizon's 2021 Data Breach Investigations Report (DBIR) showed that web applications make up 39 percent of all breaches today. And with the recent cybersecurity executive order from the United States government, it's more important than ever that organizations pay attention to the security of their code. Data from a survey by the Enterprise Strategy Group (ESG) shows that a sizeable 53 percent of organizations provide security training to their developers less than once a year. With the responsibility falling on the shoulders of software engineers to keep up with the latest threats and secure coding skills on their own time, Veracode Security Labs can help check those critical training boxes. Training for teams large and small Veracode Security labs Enterprise Edition is great for engineering teams that need hundreds of short labs on a wider range of topics, with included features like a leaderboard and reporting. The Veracode Security Labs Community Edition is a complimentary version with select topics for individual developers who want to start learning on their own. The most inexpensive bug to fix is the one that never gets created. Veracode Security Labs helps developers shift critical security knowledge “left,” or sooner in the software development lifecycle (SDLC) so that their code is checked early and often. In doing so, they're able to leverage those critical nuggets of security knowledge into each step of the development process. Over time, the code developers produce is more secure with fewer flaws and potential exploits, with DevSecOps principles sticking with developers from project to project. That means your team can: Grow essential skills that will help them patch real-world vulnerabilities while coding Maintain an understanding of what cyber attackers like to exploit, and how they go about doing so Quickly apply remediation guidance to the popular programming languages they use most Improve their security knowledge overall while gaining more confidence in their coding skills With features like assignments, progress reports, LinkedIn certification badges, and a leaderboard, the platform fosters healthy competition that encourages developers to level-up alongside their peers. Veracode Security Labs helps satisfy compliance requirements, too, enabling development and security teams to meet ongoing security training requirements and adjust course as industry needs change. If you're ready to get started, sign up for your free two-week trial of Veracode Security Labs here.	Data Breach Guideline
	2021-07-23 15:50:53	What Will Cybersecurity Look Like Over the Next Five Years? (lien direct)	As a result of the Covid-19 pandemic, organizations in all industries ramped up their digital transformation efforts to make online operations easier for their employees and customers. But with more and more organizations online, the digital attack surface is growing at a record pace. The more applications with vulnerable code, the more opportunities for a cyberattack. In fact, our research found that 76 percent of applications have at least one security vulnerability. So how will this shape the future of cybersecurity, and software security? There are three key technology trends that we believe will impact cybersecurity, and software security, the most over the next several years. The first trend is ubiquitous connectivity. Think about how quickly the world – and everyone and everything in it – is becoming interconnected. Did you ever think you'd see a day where you can search the Internet from your refrigerator or turn on your television with a simple voice command? By the end of 2019, there were already 7.6 billion active IoT devices – and this number is expected to climb to 24.1 billion by 2030. And on top of the growing number of IoT devices, businesses are increasingly shifting their applications to the cloud. But IoT devices and cloud-connected software bring increased risk. According to the Verizon 2021 Data Breach Investigations Report (DBIR), web applications were the source of over 39 percent of breaches, which is double the amount in 2019. Executive vice president and CEO of Verizon Business, Tami Erwin, cites the pandemic and the sudden shift to the cloud as the cause of increased web application risk. Additionally, wireless and 5G add to the connectivity. Think of the number of people with smartphones checking their emails or shopping online without a firewall. These interfaces rely on APIs. But without the right security, APIs are a prime target for cybercriminals. These trends point to an increased focus on API security, zero-trust models, and a shared responsibility model where organizations focus on application security, while the cloud provider focuses on infrastructure and physical security. The second trend to keep an eye on is abstraction and componentization. Think about how fast companies release new software or technology. It feels like every time you turn around Apple has a new software update. But the speed of software deployments is no longer shocking … it's expected. Companies need to release software rapidly in order to be competitive. To move faster, many development teams are turning not only to the cloud but to microservices. With microservices, development teams can break down comprehensive applications into the smallest possible reusable blocks of logic in order to stitch them together into business processes or workflows. APIs are used to integrate the components, which drives an API-first development approach. In fact, in SmartBear's 2019 State of API Survey, 75 percent of respondents answered that adoption of microservice architecture will drive the biggest growth in API adoption in the next two years. Open source libraries are also used as a way to speed up development. In fact, our State of Software Security report found that 97 percent of the typical Java application is made up of open source libraries. And 46.6 percent of insecure open source libraries in applications are transitive, meaning the library is pulled in indirectly by another library in use. This means that the attack surface doesn't just include the open source libraries that your developer added, it also includes indirect libraries that your open source code is pulling. Going forward, we envision a trusted third-party review authority that manages all public APIs and third-party code in order to make software publishers accountable for independent audits. There's an awareness component here as well. Developers need to be aware of the risk in both the libraries they are pulling in directly and the transitive dependencies of those libraries. Finally, automation will play a big role. For inst	Data Breach Threat
	2021-05-14 10:33:26	2021 Verizon Data Breach Investigations Report Proves That Cybercrime Continued to Thrive During the Pandemic (lien direct)	Verizon recently published its 2021 Data Breach Investigations Report (DBIR). This year, Verizon analyzed 79,635 incidents, of which 29,207 met their quality standards and 5,258 were confirmed data breaches, from 88 countries around the world. Despite the global pandemic, the DBIR uncovered that cybercrime continued to thrive. Like previous years, the majority of breaches were financially motivated, and most were caused by external actors illegally accessing data. Phishing, ransomware, and web app attacks ??ｦ Oh my! Phishing and ransomware attacks, along with the continued high number of web application attacks, dominated the data breaches for 2021. Phishing attacks were present in a whopping 36 percent of breaches in this year???s dataset, representing an 11 percent increase from last year. Ransomware attacks increased by 6 percent, accounting for 10 percent of breaches. This increase can likely be attributed to new tactics where ransomware now steals the data as it encrypts it. Ransomware has also proven to be very efficient for cybercriminals. It doesn???t take a lot of hands on keyboards and it???s a relatively easy way for cybercriminals to make a quick buck. Web applications made up 39 percent of all data breaches. Most of the web applications attacked were cloud-based, which isn???t surprising giving the increased shift to digital during the pandemic. The majority of web application attacks were through stolen credentials or brute-force attacks. 95 percent of organizations that suffered a credentials management attack experienced between 637 to 3.3 billion malicious login attempts throughout the year. If you look at breaches by region, EMEA ??? comprised of Europe, the Middle East, and Africa ??? had the highest proportion of web application attacks. This is the second year in a row that web applications accounted for the majority (54 percent) of breaches in EMEA. Not surprisingly, the most commonly breached data type in EMEA was credentials ??? which goes hand-in-hand with web attacks.ﾂ? In Asia, web application attacks fell second to social engineering attacks and in North America, web application attacks fell third ??? behind social engineering and system intrusion. Web application threats were also prevalent across the 11 examined industries, especially in the information industry. The retail industry, which has notoriously been susceptible to web application attacks, has decreased its proportion of web application breaches. What can organizations do to prevent web application attacks?	Ransomware Data Breach
	2021-04-23 09:34:12	Reporting Live From Collision Conference 2021: Part Two! (lien direct)	If you caught part one of our recap series on this year???s Collision conference, you know we covered a roundtable talk hosted by Veracode???s own Chris Wysopal. The talk focused on the risks of AI and machine learning, delving into discussions of how to manage the security aspects of these future-ready technologies ???ﾂ?especially when it comes down to consumer privacy.ﾂ? Chris also had the opportunity to host a session of his own, covering the critical aspects of modern application security and the reasons that organizations need to get serious about security-minded approaches to their code. Here???s what we learned.ﾂ? Secure from the top down Chris began his session Secure From the Top Down by noting that, today, it???s important to think about application and product security through the eyes of the developer or the builder. With so many applications running in the cloud and so many devices connected to the Internet of Things (IoT), Chris pointed out that the attack surface for threat actors is growing exponentially and that everyone building and deploying technology needs to consider the risks moving forward. Connected devices are everywhere, Chris said, but they???re not typically behind a firewall. Normally, these devices are connected to 5G or Wi-Fi. According to Chris, this means devices essentially need to secure themselves and all of the connection points where they talk to other devices or they pose a security risk.ﾂ? Further, everything is connected through APIs today. ???We used to have big, monolithic software packages with one big block of code,??? Chris said. ???Today, we have a lot of small devices; even with applications running in the cloud, they???re built with microservices and are talking to each other through APIs.??? This is a way an attacker can exploit a device or an application, and means the builders of today need to improve the security around their APIs for a more secure tomorrow. It???s already a problem; Chris pointed out in his session that, according to the 2020 Verizon Data Breach Investigations Report, 43 percent of breaches come from single page applications. Developers working on building these single page apps need to be more considerate with their security.ﾂ? Looking ahead at trends Time is the biggest competitor for most organizations, according to Chris, and there are three main trends that are going to impact product security moving forward: ubiquitous connectivity, abstraction and componentization, and hyperautomation of software delivery.ﾂ? Ubiquitous connectivity While this involves the rise of APIs and IoT devices, what it really comes down to is that each piece of software connected through the network and APIs must think about securing itself. ???Each code that is exposing an API needs to think about how it will authenticate, encrypt, and secure itself from all	Data Breach Threat Patching
	2021-02-24 13:30:31	Dangers of Only Scanning First-Party Code (lien direct)	When it comes to securing your applications, it???s not unusual to only consider the risks from your first-party code. But if you???re solely considering your own code, then your attack surface is likely bigger than you think. Our recent State of Software Security report found that 97 percent of the typical Java application is made up of open source libraries. That means your attack surface is exponentially larger than just the code written in-house. Yet a study conducted by Enterprise Strategy Group (ESG) established that less than half of organizations have invested in security controls to scan for open source vulnerabilities. If the majority of applications are made up of open source libraries, why are most organizations only scanning their first-party code? Because most organizations assume that third-party code was already scanned for vulnerabilities by the library developer. But you can???t base the safety of your applications on assumptions. Our State of Software Security: Open Source Edition report revealed that approximately 42 percent of the third-party code pulled directly by an application developer has a flaw on first scan. And even if the third-party code appears to be free of flaws, more than 47 percent of third-party code has a transitive flaw that???s pulled indirectly from another library in use. Over the years, several organizations have learned the hard way just how dangerous it is to only scan first-party code. In 2014, the notorious open source vulnerability ??? Heartbleed ??? occurred. Heartbleed was the result of a flaw in OpenSSL, a third-party library that implemented the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. The vulnerability enabled cyberattackers to access over 4.5 million healthcare records from Community Health Systems Inc. In 2015, there was a critical vulnerability in Glibc, a GNU C library. The open source security vulnerability nicknamed ???Ghost,??? affected all Linux servers and web frameworks such as Python, PHP, Ruby on Rails as well as API web services that use the Glibc library. The vulnerability made it possible for hackers to compromise applications with a man-in-the-middle attack. In 2017, Equifax suffered a massive data breach from Apache Struts which compromised the data ??? including social security numbers ??? of more than 143 million Americans. Following the breach, Equifax's stock fell over 13 percent. On the good news front: Close to 74 percent of open source flaws can be fixed with an update like a revision or patch. Even high-priority open source flaws don???t require extensive refactoring of code ??? close to 91 percent can be fixed with an update. Equifax had to pay up to $425 million to help people affected by the data breach that the court deemed ???entirely preventable.??? In fact, it was discovered that the breach could have been avoided with a simple patch to its open source library, Apache Struts. Don???t become a victim to the monsters lurking in your third-party libraries. Download our whitepaper Accelerating Software Development with Secure Open Source So	Data Breach Vulnerability	Equifax Equifax
	2021-01-07 09:18:28	How to Communicate Application Security Success to Your Executive Leadership (lien direct)	Over the past several years, there have been many changes to software development and software security, including new and enhanced application security (AppSec) scans and architectural shifts like serverless functions and microservices. But despite these advancements, our recent State of Software Security (SOSS) report found that 76 percent of applications have security flaws. Yet CISOs and application security program owners still find themselves having to justify and defend application security initiatives. Members of the Veracode Customer Advisory Board (CAB), a group of AppSec professionals in several industries, faced this challenge as well. In response, a working group subset of the CAB collaborated to establish a set of metrics that security professionals can use to establish, drive adoption, and operationalize their application security program. These data points should help inform decisions at different stages of program maturity while answering the basic question: is the application security program effective or not? How to determine and justify the required resources for an application security program AppSec managers need a justi?ｬ?able AppSec approach and dataset that set parameters around the program, give a starting point, and set up how the program will grow over time. That approach starts with providing evidence that an application security program is necessary and that it will reduce risk. To show that an AppSec program is necessary, call attention to data points around flaw prevalence in applications (76 percent) or the average cost of a data breach ($3.86 million). To show that AppSec programs reduce risk, consider stats like the one from our SOSS report that found that organizations scanning for security the most (more than 300 times per year) fix flaws 11.5x faster than organizations scanning the least. How to determine and prove that development teams are adopting software security practices AppSec success hinges on development buy-in and engagement. Therefore, proving that your AppSec program is effective requires evidence of developer adoption. Consider highlighting the rate at which development teams are taking advantage of APIs to integrate security into their processes Then prove that developers are taking the time to fix the identified flaws by showing your developer???s fix rate (the # of findings closed / the # of findings open). By examining the fix rate, you can see if developers are actively adopting AppSec practices by fixing ??? not just finding ??? vulnerabilities. The fix rate also shows you where additional training or resourcing investment is needed. How to determine if the application security program is operating efficiently AppSec programs are meant to be ongoing ??? not a one-off project with an end date. An effective AppSec program is ultimately a component of the software development process, just like QA, and the measures of success need to reflect that. A key metric here is the correlation between security activities early in the development process and the number of security flaws found in a release candidate or in production. For example, the figure below shows the relationship between security test	Data Breach Guideline
	2021-01-05 13:25:00	Nature vs. Nurture Tip 3: Employ SCA With SAST (lien direct)	For this year???s State of Software Security v11 (SOSS) report, we examined how both the ???nature??? of applications and how we ???nurture??? them contribute to the time it takes to close out a security flaw. We found that the ???nature??? of applications ??? like size or age ??? can have a negative effect on how long it takes to remediate a security flaw. But, taking steps to ???nurture??? the security of applications ??? like using multiple application security (AppSec) testing types ??? can have a positive effect on how long it takes to remediate security flaws. In our first blog, Nature vs. Nurture Tip 1: Use DAST With SAST, we explored how organizations that combine DAST with SAST address 50 percent of their open security findings almost 25 days faster than organizations that only use SAST. In our second blog, Nature vs. Nurture Tip 2: Scan Frequently and Consistently, we addressed the benefits of frequent and consistent scanning by highlighting the SOSS finding that organization that scan their applications at least daily reduced time to remediation by more than a third, closing 50 percent of security flaws in 2 months. For our third tip, we will explore the importance of software composition analysis (SCA) and how ??? when used in conjunction with static application security testing (SAST) ??? it can shorten the time it takes to address security flaws. What is SCA and why is it important? SCA inspects open source code for vulnerabilities. Some assume that open source code is more secure than first-party code because there are ???more eyes on it,??? but that is often not the case. In fact, according to our SOSS report, almost one-third of applications have more security findings in their third-party libraries than in primary code. Given that a typical Java application is 97 percent third-party code, this is a concerning statistic. Since SCA is the only AppSec testing type that can identify vulnerabilities in open source code, if you don???t employ SCA, you could find yourself victim of a costly breach. In fact, in 2017, Equifax suffered a massive data breach from Apache Struts that compromised the data ??? including Social Security numbers ??? of more than 143 million Americans. Following the breach, Equifax's stock fell over 13 percent. How can SCA with SAST shorten time to remediation? If you are only using static analysis to assess the security of your code, your attack surface is likely bigger than you think. You need to consider third-party code as part of your attack surface, which is only uncovered by using SCA. By incorporating software composition analysis into your security testing mix, you can find and address more flaws. According to SOSS, organizations that employ ???good??? scanning practices (like SCA with SAST), tend to be more mature and further along in their AppSec journey. And organizations with mature AppSec programs tend to remediate flaws faster. For example, employing SCA with SAST cuts ti	Data Breach	Equifax
	2020-10-01 14:10:28	96% of Organizations Use Open Source Libraries but Less Than 50% Manage Their Library Security Flaws (lien direct)	Most modern codebases are dependent on open source libraries. In fact, a recent research report sponsored by Veracode and conducted by Enterprise Strategy Group (ESG) found that more than 96 percent of organizations use open source libraries in their codebase. But ??? shockingly ??? less than half of these organizations have invested in specific security controls to scan for open source vulnerabilities. Why is it important to scan open source libraries? For our State of Software Security: Open Source Edition report, we analyzed the security of open source libraries in 85,000 applications and found that 71 percent have a flaw. The most common open source flaws identified include Cross-Site Scripting, insecure deserialization, and broken access control. By not scanning open source libraries, these flaws remain vulnerable to a cyberattack. ﾂ?ﾂ?ﾂ? Equifax made headlines by not scanning its open source libraries. In 2017, Equifax suffered a massive data breach from Apache Struts which compromised the data ??? including social security numbers ??? of more than 143 million Americans. Following the breach, Equifax's stock fell over 13 percent. The unfortunate reality is that if Equifax performed AppSec scans on its open source libraries and patched the vulnerability, the breach could have been avoided. ﾂ? Why aren???t more organizations scanning open source libraries? If 96 percent of organizations use open source libraries and 71 percent of applications have a third-party vulnerability, why is it that less than 50 percent of organizations scan their open source libraries? The main reason is that when application developers add third-party libraries to their codebase, they expect that library developers have scanned the code for vulnerabilities. Unfortunately, you can???t rely on library developers to keep your application safe. Approximately 42 percent of the third-party code pulled directly by an application developer has a flaw on first scan. And even if the third-party code appears to be free of flaws, more than 47 percent of third-party code has a transitive flaw that???s pulled indirectly from another library in use. What are your options for managing library security flaws? First off, it???s important to note that most flaws in open source libraries are easy to fix. Close to 74 percent of the flaws can be fixed with an update like a revision or patch. Even high priority flaws are easy to fix ??? close to 91 percent can be fixed with an update. So, when it comes to managing your library security flaws, the concentration should not just be, ???How	Data Breach Tool Vulnerability	Equifax
	2020-09-21 13:35:42	Focus on Fixing, Not Just Finding, Vulnerabilities (lien direct)	When investing in an application security (AppSec) program, you expect to see a return on your investment. But in order to recognize a return, your organization needs to determine what success looks like and find a way to measure and prove that the program is meeting your definition of success. For those just starting on their AppSec journey, success might be eliminating OWASP Top 10 vulnerabilities or lowering flaw density. But as you begin to mature your program and work toward continuous improvements, you should start measuring your program against key performance indicators (KPIs) like fix rate. Fix rate is used to indicate how fast your organization is closing ??? or remediating ??? flaws. The formula for fix rate is the number of findings closed divided by the number of findings open. As you can see in the diagram below, of the 6,609 flaws, 2,581 flaws areﾂ?open and 4,028 are closed. This means that flaws are remediated at a rate of 16 percent. The faster your organization fixes flaws, the lower the chances of an exploit. For the sake of continuous improvement, you should be finding that your organization is improving its fix rate by remediating flaws faster year over year. ﾂ? Using Veracode Analytics to examine fix rate and prove AppSec success. Using Veracode Analytics custom dashboards, you can examine your total fix rate or break it out by application, scrum team, business unit, or geographical location. These dashboards can be shared with stakeholders and executives to show areas where your fix rate is improving or areas that need additional attention and resources. When examining fix rate across applications, you should be finding that your more critical applications have a better fix rate. If that???s not the case, you need to be examining the application security policies you have in place for fixing flaws. High-severity and highly exploitable flaws should be prioritized over low-severity flaws with a lower chance of exploitability. The same logic applies to applications: High-risk applications storing large amounts of sensitive data should be prioritized. When examining the fix rate across scrum teams and locations, you should find that teams and geographical locations are continuously improving their fix rate. If not, you should use the data to tailor future security trainings or to ask stakeholders and executives for additional resources. How does fix rate impact return on investment? By remediating flaws faster, you are reducing the chance of an exploit which could cost your business thousands ??? even millions ??? to resolve. For example, Capital One had a third-party vulnerability that was not remediated, and it led to a massive data breach which exposed its customer???s social security numbers and bank account numbers. It cost Capital One approximately 150 million dollars to resolve the matter. Faster time to remediation also means faster time to production. Once developers fix all of the flaws defined in their policy, code can be moved to production. If code is moved to production at a faster rate, an organization ??? and its customers ??? can start recognizing value from the application sooner. ﾂ? For additional methods on proving AppSec success, check out our re	Data Breach Vulnerability

Last update at: 2024-05-16 21:08:40
See our sources.

To see everything: Our RSS (filtrered)