What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
Veracode.webp 2024-05-14 13:58:40 Scaling DevSecOps with Dynamic Application Security Testing (DAST)
(direct link)
The Role of DAST in Modern DevSecOps Practices In the swiftly evolving landscape of AI-driven software development, DevSecOps helps strengthen application security and quality. Dynamic Application Security Testing (DAST) is a key tool that helps scale your DevSecOps program by facilitating continuous and accurate security tests on running applications. DAST simulates real-world attacks, enabling you to identify security weaknesses and evaluate your application's defenses in response to actual attacks. Let's explore some actionable best practices to leverage DAST effectively and strengthen your DevSecOps initiatives. Seamless Integration into CI/CD Pipelines Incorporating DAST scans right into your continuous integration and delivery (CI/CD) pipelines helps detect runtime vulnerabilities earlier in your development process. This integration allows for automatic security testing, with every code update, giving developers immediate feedback. Catching vulnerabilities early means less…
Tool Vulnerability
Veracode.webp 2024-04-25 14:54:20 New in Veracode Fix: Additional Language Support and Batch Fix
(direct link)
We're excited to bring you two significant updates to Veracode Fix: our AI-powered security flaw remediation tool. Since we launched Fix nearly a year ago, two requests have dominated our customer feedback: Can we have it for ? Can you make it work for ? We recently launched a new version of Veracode Scan for VS Code that included Fix (with more IDEs to follow), which answered some of those requests, and now we're updating Fix to cover more languages and a new mode that will automatically apply the top-ranked fix. Veracode Batch Fix Using Fix in the Veracode CLI tool with the new --apply flag, you will be able to apply the top fix suggestion to the source code in one of two modes: Apply Single Finding to a Single File By supplying Veracode Fix with the results JSON file, the source code file to update, and the relevant issue ID (contained in the results file), you can apply the top-recommended fix to the source code file. ./…
Tool
Veracode.webp 2024-04-23 10:54:54 Enhancing Developer Efficiency With AI-Powered Remediation
(direct link)
Traditional methods of flaw remediation are not equipped with the technology to keep pace with the rapid evolution of code generation practices, leaving developers incapable of managing burdensome and overwhelming security debt. Code security is still a critical concern in software development. For instance, when GitHub Copilot generated 435 code snippets, almost 36% of them had security weaknesses, regardless of the programming language. As it is, many developers are still unequipped with an automated method that can securely remediate issues in code. This blog delves into the paradigm shift brought about by Veracode Fix, an innovative AI solution designed to revolutionize automated flaw remediation. The Main Security Risks in Automated Code The emergence of automated code-generation tools has brought in a new era of efficiency and innovation. However, this progress comes with a variety of security risks that threaten the integrity and safety of applications.…
Tool ★★★
Veracode.webp 2024-04-01 11:00:00 Veracode Advances Cloud-Native Application Security with Longbow Acquisition
(direct link)
As I travel around the world meeting with customers and prospects, we often discuss the tectonic shifts happening in the industry. At the heart of their strategic initiatives, organizations are striving to innovate rapidly and deliver customer value with uncompromising quality and security, while gaining a competitive edge in the market. They are embracing DevOps methodologies and leveraging open-source technologies, accelerating deployments across multi-cloud environments to enhance agility and responsiveness. The biggest challenge they face is acquiring a comprehensive view of all the assets in their portfolio as they are deployed across multi-cloud endpoints. Security teams are overwhelmed by alert fatigue coming from sometimes 20+ tools that each provide a different view of risk. The biggest challenge is aggregating this risk from disparate sources, prioritizing it and identifying the next best action to take to secure their software assets. Compounding these…
Tool Cloud ★★
Veracode.webp 2024-03-04 12:48:36 The Risks of Automated Code Generation and the Necessity of AI-Powered Remediation
(direct link)
Modern software development techniques are creating flaws faster than they can be fixed. While using third-party libraries, microservices, code generators, large language models (LLMs), etc., has remarkably increased productivity and flexibility in development, it has also increased the rate of generating insecure code. An automated and intelligent solution is needed to bridge the widening gap between the introduction and remediation of flaws. Let's explore the potential dangers of modern methods of automated code generation and the need for a secure and automated mode of flaw remediation. Automated Methods That Produce Insecure Code Code Generators These tools can generate code based on specific inputs or templates that developers provide, such as feature specifications, design patterns, or other parameters. This accelerates development cycles, reduces errors, and maintains consistency across an application. Examples include Swagger…
Tool ★★
Veracode.webp 2024-02-27 14:58:43 Veracode Scan for VS Code: Now with Veracode Fix
(direct link)
Veracode is pleased to announce the availability of the Veracode Fix capability in Veracode Scan for VS Code. Now developers can discover and remediate security flaws using Veracode's generative AI-powered tools directly from their Integrated Development Environment (IDE). According to the Veracode State of Software Security, 45.9% of organizations have critical security debt. The fact that this data comes from organizations who are actively testing their software with a high-quality solution implies that it's not finding flaws that is the problem: it's fixing them. Last year we introduced Veracode Fix, an AI assistant that can take the results of a Veracode Static scan and allow developers to apply suggested fixes directly to their code. Veracode Fix cuts the time to research and implement a fix for a given finding to minutes, while still keeping the developer in control. Fix was implemented as part of the Veracode CLI utility, which is available for Linux, Windows, and macOS. A…
Tool ★★★
Veracode.webp 2024-01-22 05:10:56 Essential Cloud Security Tools for Effective DevSecOps
(direct link)
Implementation of a DevSecOps approach is the most impactful key factor in the total cost of a data breach. Successful DevSecOps in a cloud-native world is aided by the right tools. Here are a handful of the most essential cloud security tools and what to look for in them to aid DevSecOps. Top Essential Cloud Security Tool for DevSecOps: Software Composition Analysis Software Composition Analysis (SCA) is the bread and butter of cloud security tools for effective DevSecOps and securing the software supply chain. Why it matters: open-source software (OSS) is handy, but it comes with a few catches. There are vulnerabilities, missed updates, and license risk to be worried about. That's where SCA comes in. SCA takes a proactive approach to finding these risks early. A few things you want to look out for when picking the right SCA tool for you: Continuous Monitoring; Reporting & Analytics with Peer Benchmarking; Remediation Guidance & Fix Suggestions; Dependency…
Data Breach Tool Vulnerability Cloud ★★★
Veracode.webp 2024-01-18 17:51:52 Announcing Veracode Scan: A Unified SAST and SCA IDE Plugin
(direct link)
Veracode is pleased to announce the availability of a new Integrated Development Environment (IDE) plugin: Veracode Scan. Veracode Scan combines both Veracode Static Analysis (SAST) and Software Composition Analysis (SCA) into a single plugin. This allows developers to quickly scan projects for security weaknesses and risks in both first-party code and third-party libraries. The Benefits of a Combined SAST and SCA Plugin Scanning projects with SCA and SAST is important to make sure that both the code and libraries are as safe as possible. Making these tools available natively in the IDE in a single plugin makes security checks both faster and easier to perform. Scanning code early in the software development process reduces both the cost of remediating flaws and the chances of flaws making it into production. How Veracode Scan Works Veracode Scan takes care of packaging and sending artifacts to the Veracode static scanner, and then returns the results of scans…
Tool ★★★
Veracode.webp 2024-01-16 12:16:39 Implementing AI: Balancing Business Objectives and Security Requirements
(direct link)
Artificial Intelligence (AI) and machine learning have become integral tools for organizations across various industries. However, the successful adoption of these technologies requires a careful balance between business objectives and security requirements. I sat down with Glenn Schmitz, the Chief Information Security Officer of the Department of Behavioral Health and Developmental Services in Virginia, as he shared valuable insights on implementing AI while ensuring safety, security, and ethical considerations. Here are some of the key takeaways. Understanding Business Objectives and Security Requirements Starts with Fundamentals When Schmitz joined the organization, he recognized the need to understand the overall security maturity level. By aligning business objectives with security requirements, he aimed to enable the business to achieve its goals in a safe and secure manner. Schmitz shared: "I started at a very fundamental level. Security is here to protect the business and…
Tool ★★
Veracode.webp 2024-01-08 10:54:45 Introducing Dynamic Analysis MFA: Automated Support for MFA Setups
(direct link)
Veracode has recently introduced a new feature called Dynamic Analysis MFA, which provides automated support for multi-factor authentication (MFA) setups during dynamic analysis scans. This eliminates the need for you to disable or manually support your MFA configurations when conducting security testing. Understanding Dynamic Analysis MFA When we log into applications, we usually use a username and password, which is considered one-factor authentication. However, to enhance security and reduce the risk of passwords being lost or stolen, multi-factor authentication (MFA) was introduced. MFA adds an extra layer of security by requiring an additional step, such as using a hardware key, receiving a text message, or entering a code from an authenticator app. MFA has become more common for web applications as web security becomes a higher priority, but some security testing tools require users to disable or manually support their MFA setups during application security testing. This can be…
Tool ★★
Veracode.webp 2024-01-08 09:39:09 Securing JavaScript: Best Practices and Common Vulnerabilities
(direct link)
JavaScript is the most commonly used programming language, according to the most recent StackOverflow developer survey. While JavaScript offers great flexibility and ease of use, it also introduces security risks that can be exploited by attackers. In this blog, we will explore vulnerabilities in JavaScript, best practices to secure your code, and tools to prevent attacks. Understanding JavaScript Vulnerabilities This article explores the common vulnerabilities related to JavaScript security and provides best practices to secure your code. If you're short on time, you can begin by using Veracode DAST Essentials, a JavaScript security scanner, to identify potential vulnerabilities. Running this tool will quickly generate reports, highlight your specific vulnerabilities, and provide clear instructions on how to remediate them. JavaScript Source Code Vulnerabilities JavaScript developers typically rely on integrating numerous public or open-source packages and libraries containing…
Tool Vulnerability ★★
Veracode.webp 2024-01-04 13:35:17 What To Look For in an Open Source Vulnerability Scanner
(direct link)
One of the top security concerns we hear from technology leaders is about the security of open source software (OSS) and cloud software development. An open source vulnerability scanner (for scanning OSS) helps you discover risk in the third-party code you use. However, just because a solution scans open source does not mean you are ultimately reducing security risk with it. Here is what to look for in an open source vulnerability scanner and security testing solution to find and fix vulnerabilities in OSS. Background on Vulnerabilities in Open Source and What the Risk Looks Like Before we can talk about what to look for in a scanning solution, we need to talk about the vulnerabilities the tools are looking for. Born in 1999, the National Vulnerability Database (NVD) was a product of the National Institute of Standards and Technology (NIST) made to be "the U.S. government repository of standards based vulnerability management data." It represents an index of known vulnerabilities…
Tool Vulnerability Cloud ★★★
Veracode.webp 2023-12-20 14:21:01 4 Ways Veracode Fix Is a Game Changer for DevSecOps
(direct link)
In the fast-paced world of software development, too often security takes a backseat to meeting strict deadlines and delivering new features. Discovering that software has accrued substantial security debt that will take months to fix can rip up the schedules of even the best development teams. An AI-powered tool that assists developers in remediating flaws becomes an invaluable asset in this context. In Veracode Fix, we've harnessed the capabilities of generative AI to build a specialized tool that allows developers to remediate flaws within minutes without manually writing a single line of code. Watch this 3-minute demo of how you can easily take flawed code and use Veracode Fix to generate easily implemented remediation suggestions. 4 Major Benefits of Veracode Fix in DevSecOps Here are four ways that Veracode Fix supercharges DevSecOps and your SDLC with the swift remediation of security flaws. 1. Tackle Security Debt with Rapid Flaw Remediation One of the most significant…
Tool ★★★
Veracode.webp 2023-12-14 12:07:06 What Our Security Experts Discussed at AWS re:Invent 2023
(direct link)
The landscape of coding is changing as developers embrace AI, automation, microservices, and third-party libraries to boost productivity. While each new approach enhances efficiency, like a double-edged sword, flaws and vulnerabilities are also introduced faster than teams can fix them. Learn about one of the latest innovations solving this in a recap of what our security experts discussed at AWS re:Invent 2023. Veracode Fix: A Game Changer in Flaw Remediation for Developers During their AWS on Air segment, our experts, Vice President of Strategic Product Management, Tim Jarrett, and Senior Solutions Architect, Eric Kim, shared how Veracode Fix is a new game-changing tool that helps developers cut down the flaw remediation process from months to minutes. Leveraging the power of AI, the tool allows developers to easily reduce security issues by generating suggested fixes for existing code that is flawed and vulnerable. While many AI-powered coding tools are designed to help write…
Tool Vulnerability ★★★
How Dynamic Analysis Helps You Enhance Automation for DevSecOps
(direct link)
DevSecOps, also known as secure DevOps, represents a mindset in software development that holds everyone accountable for application security. By fostering collaboration between developers and IT operations and directing collective efforts towards better security decision-making, development teams can deliver safer software with greater speed and efficiency. Despite its merits, implementing DevSecOps can introduce friction into the development process. Traditional tools for testing code and assessing application security risk simply weren't built for the speed that DevOps testing requires. To navigate these challenges, development teams need to start with automated testing tools, as relying on manual processes can't possibly keep pace with accelerated development timelines. Automation is considered key to continuous integration of security analysis and threat mitigation of dynamic workflows. As an extension of DevOps principles, DevSecOps automation helps integrate security testing…
Tool Threat ★★★
Securing Your Web Applications and APIs with Veracode DAST Essentials
(direct link)
Web applications are one of the most common vectors for breaches, accounting for over 40% of breaches according to Verizon's 2022 Data Breach Report. Ensuring that your web applications are sufficiently protected and continue to be monitored once they are in production is vital to the security of your customers and your organization. Staying Ahead of the Threat Attackers are constantly looking for new ways to exploit vulnerabilities and to breach web applications, which means that as their methods mature and they become more aggressive, even the most securely developed applications can become vulnerable. Organizations that only perform annual penetration tests on their web applications may be leaving themselves open to a breach that could be easily prevented with regular production scanning. Application security outlines a collection of processes and tools focused on identifying, remediating, and preventing application-level vulnerabilities throughout the entire software development…
Data Breach Tool Vulnerability Threat ★★
Securing APIs: Practical Steps to Protecting Your Software
(direct link)
In the dynamic world of software development, Application Programming Interfaces (APIs) serve as essential conduits, facilitating seamless interaction between software components. This intermediary interface not only streamlines development but also empowers software teams to reuse code. However, the increasing prevalence of APIs in modern business comes with security challenges. That's why we've created this blog post - to provide you with actionable steps to enhance the security of your APIs today. Understanding API Security API Security extends beyond protecting an application's backend services, including elements such as databases, user management systems, and components interacting with data stores. It involves adopting diverse tools and practices to strengthen the integrity of your tech stack. A strong API security strategy reduces the risk of unauthorized access and malicious actions, ensuring the protection of sensitive information. Exploring API Vulnerabilities Despite the…
Tool Guideline ★★
Veracode.webp 2023-11-02 13:45:06 SAST vs. DAST for Security Testing: Unveiling the Differences (direct link)
Application Security Testing (AST) encompasses various tools, processes, and approaches to scanning applications to uncover potential security issues. Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) are popularly used security testing approaches that follow different methodologies of scanning application code across different stages of a software development lifecycle. SAST follows a white-box testing approach to analyze the source code, byte code, and binaries to identify exploitable vulnerabilities and coding errors. On the other hand, DAST implements a black-box testing method, where security engineers send simulated attack payloads through the application's front end without exposing internal information on the application's internal construct. In this blog, we will discuss SAST and DAST testing approaches, how they help detect vulnerabilities and application failures, their differences, and best use cases. Static Application…
Tool Vulnerability ★★
Easily Enable Encryption: Secure Cloud-native Development Series
(direct link)
Build secure cloud-native applications by avoiding the top five security pitfalls we lay out in our Secure Cloud-native Development Series. This blog is the fourth part of the series, and it will teach you why and how to easily enable encryption and save yourself headaches down the road. Here's a new motto: encrypt everything! When securely moving to cloud-native technologies, building encryption in from the start will save us a lot of headaches later. And it's actually anything but a headache to enable encryption while setting up your cloud-native development workflows. Here I'll explain why enabling encryption will come in so handy, and what tools will help you do this with the greatest ease. A Scenario on Why You Need to Enable Encryption Imagine the following scenario: you have been tasked with a quick and dirty POC for an upcoming service release. You design it and build something that works, but for reasons we don't need to go into, the release has been pushed up, and now we…
Tool ★★
Why Reduce Software Supply Chain Risks with Intelligent Software Security
(direct link)
There's a growing array of risks lurking within the supply chain of the digital solutions we increasingly depend upon. Leaving gaps in your software supply chain security (SSCS) could spell disaster for your organization. Let's explore how new analysis defines an end-to-end solution and why Veracode was ranked as an Overall Leader, Product Leader, Innovation Leader, and Market Leader in the Software Supply Chain Security Leadership Compass 2023 by KuppingerCole Analysts AG. Leading the Charge: Software Supply Chain Security Picture a world where your security is only as strong as your weakest link, and that link could be a single line of code buried deep within open-source software from an unknown contributor. This is the reality of today's software supply chain. Each component, whether it's custom code, third-party libraries, or the configuration of CI/CD tools and infrastructure, presents a potential entry point for an attacker. Many players are working to provide solutions for…
Tool ★★
Managing Storage Access: Secure Cloud-native Development Series
(direct link)
Build secure cloud-native applications by avoiding the top five security pitfalls we lay out in our Secure Cloud-native Development Series. This blog is the third part of the series, and it will teach you how to secure cloud storage and handle access controls on S3 buckets. Each cloud provider has managed storage services that your organization is probably already using. Cloud storage such as Amazon Simple Storage Service (Amazon S3) or Azure storage tools are tightly integrated into the other managed services, which makes it simple to manage. We will discuss specifically Amazon's S3 storage service and how it relates to secure cloud-native development. An Introduction to Secure Cloud Storage and Access Control Configuration Amazon recently turned on default server-side encryption (SSE) for all users using AES-256. Though most likely we already (or at least should have) had encryption turned on, it's now one less thing to worry about. Additionally, tools such as Terraform can…
Tool Cloud ★★
How to Enable Logging: Secure Cloud-native Development Series
(direct link)
Build secure cloud-native applications by avoiding the top five security pitfalls we lay out in our Secure Cloud-native Development Series. This blog is the second part of the series, and it will teach you how and why to enable logging from the start. We're going to talk about enabling logging (cloud logging, to be specific). What's the difference? Not much, other than the fact that it's another managed service integrated with the tools we should already be utilizing. Why Enable Logging? All developers/engineers know we need logging. But other conflicting priorities and time constraints get in the way sometimes, and it becomes a "we'll do that on the next sprint". I have worked on the engineering side of things as well as the security side, where I needed to track down network/application issues, or security incidents, only to find that we didn't have logs or logging enabled on specific services. Enabling logging can be compared to our own health. Even when we are young, we…
Tool ★★
Enhancing Code Security with Generative AI: Using Veracode Fix to Secure Code Generated by ChatGPT
(direct link)
Artificial Intelligence (AI) and companion coding can help developers write software faster than ever. However, as companies look to adopt AI-powered companion coding, they must be aware of the strengths and limitations of different approaches, especially regarding code security. Watch this 4-minute video to see a developer generate insecure code with ChatGPT, find the flaw with static analysis, and secure it with Veracode Fix to quickly develop a function without writing any code. The video above exposes the nuances of generative AI code security. While generalist companion coding tools like ChatGPT excel at creating functional code, the quality and security of the code often fall short. Specialized solutions like Veracode Fix, built to excel at remediating insecure code, bring a vital security skillset to generative AI. By using generalist and specialist AI tools in collaboration, organizations can empower their teams to accelerate software development that meets functional and…
Tool ChatGPT ★★
SBOM Explained: How SBOMs Improve Cloud-native Application Security
(direct link)
A staggering 96% of organizations utilize open-source libraries, yet fewer than 50% actively manage the security vulnerabilities within these libraries. Vulnerabilities are welcome mats for breaches from bad actors, and once they've entered your system, the impact can be colossal. A software bill of materials (SBOM) is an important tool for managing the security of open-source software. Here we will explore how SBOMs help organizations understand what's in their applications, ensure regulatory compliance, and manage overall risk. Where Do SBOMs Fit in Your Application Security Program? Think of an SBOM as a magnifying glass that allows you to get a closer look at what goes on in your cloud-native applications. SBOMs provide a detailed view of open-source components that developers and security professionals can use to understand the security of third-party libraries and dependencies used in an application. With that information, teams can create cyber hygiene campaigns against known…
Tool Vulnerability ★★★
A New Era of AppSec: 10 Times as a Leader in Gartner® Magic Quadrant™ for Application Security Testing
(direct link)
Ten represents the completion of a cycle and the beginning of a new one, as there are ten digits in our base-10 number system. We've scanned nearly 140 trillion lines of code, so we can't help but pick up on the one and the zero in our exciting announcement. It's the tenth publication of the Gartner® Magic Quadrant™ for Application Security Testing (AST), and we are pleased to announce we are a Leader for the tenth consecutive time. Here's a look at the new cycle we see beginning: the need for intelligent software security. From Application Security Testing to Intelligent Software Security This market isn't what it used to be, and we see a new cycle beginning which we see as the need for intelligent software security. What started as a recognized SaaS code scanning tool has evolved into an intelligent software security platform that prevents, detects, and responds to security flaws and vulnerabilities and manages risk and compliance for thousands of leading organizations around the…
Tool Cloud ★★★
Veracode.webp 2023-02-28 12:25:03 SAST Tools: How to Integrate and Scale Security Workflows in the SDLC (direct link) Static Application Security Testing (SAST) tools present a significant opportunity for organizations looking to reduce application security risk. However, not all workflows or tools are created equal. Using the right SAST tools at the right times, you can seamlessly integrate and scale security workflows throughout the software development lifecycle (SDLC). In this post, we'll walk through examples of how easily you can work with Veracode's SAST tools for first-party and third-party code scanning when using Azure DevOps and Visual Studio, and the different plugins available. Ticket Follow Up Let's start where all developers' workdays begin: the ticketing system. In this scenario, it's the Azure DevOps Workboard, and the idea is that you have run a SAST policy scan. A Veracode policy scan effectively tests at the integration or systems level. Through integration, the tool can automatically generate security bug tickets inside of Azure DevOps based on scan results. From the ticket… Tool ★★★
Veracode.webp 2022-11-18 15:03:25 Anatomy of a Stored Cross-site Scripting Vulnerability in Apache Spark (direct link) One of the services that Veracode offers is a consultation with an Application Security Consultant, a seasoned software developer and application security expert. In the context of a consultation, my team works with the software engineers of Veracode's customers to understand and, ideally, remediate security flaws found by the Veracode tool suite. There is a well-defined difference between a security flaw (a defect that can lead to a vulnerability) and a vulnerability (an exploitable condition within code that allows an attacker to attack it). While working with potentially dozens of different customer applications every week, we usually have a strong gut feeling for when a security flaw might constitute an exploitable vulnerability and should receive extra attention. During one of our consultations, a set of similar Cross-site Scripting (XSS) flaws was discovered by Veracode Static Analysis in what turned out to be 3rd party JavaScript files belonging to Apache Spark. After some… Tool Vulnerability Guideline
Veracode.webp 2022-07-08 15:48:47 Unifying Security and Development (direct link) Most developers don't learn about secure coding in college IT programs. And once they join the workforce, they often don't have the time to learn about secure coding. The responsibility of training developers in secure coding best practices usually falls on security practitioners. Security practitioners are notoriously overworked, often lacking the bandwidth to train developers. Organizations are thus turning to AppSec learning experiences built specifically for development teams. These learning experiences deliver the tools and skills needed to keep an AppSec program on track. According to PeerSpot, the number one ranked solution in application security training software is Veracode Security Labs, which gives developers tools and hands-on training to tackle modern threats and adopt secure coding practices. PeerSpot members who use the platform share why it is deserving of its high ranking. Making the Choice for Veracode Security Labs Veracode Security Labs empowers developers… Tool Threat
Veracode.webp 2022-06-23 17:31:50 Musings of a Former State CTO Part 3: The Cybersecurity Evolution (direct link) Claire Bailey had a front-row seat to the evolution of cybersecurity. Since the 1980s, when she started in the field, security challenges have grown in number and complexity. She learned that the best strategy for mitigating software vulnerabilities and strengthening cybersecurity has come to be summarized in two little words. "Shift left," Claire says. "Shifting left" is the concept of taking a security task that traditionally occurs in the later stages of the software development process and performing it earlier. This concept is particularly timely given the fact sheet released by the Biden Administration, which warns against the likely rise of potential cyberattacks. It recommends building application security into products from the ground up and using modern tools to consistently monitor for potential vulnerabilities. To that end, Claire recommends that CIOs and CTOs look toward the adoption of agile workforces and development processes, converging steps into smaller bites that… Tool
Veracode.webp 2021-10-29 14:31:12 Software Composition Analysis Mitigates Systemic Risk in the Popular NPM Repository (lien direct) Chris Wysopal, Veracode Chief Technology Officer and Co-Founder, recently sat down to discuss the open source supply chain attack on the popular npm repository. Below is the transcript and corresponding video of his reaction.   Just a few days ago, we saw a classic open source supply chain attack where someone modified a JavaScript library, UA-Parser-JS, which is in the npm repository. The attackers modified the library to include password stealers and crypto miners so that the applications of anyone who downloaded that version would be compromised.  With an attack like this, the applications that are using this library with this code are going to be running that code with the privileges that they have, wherever they're deployed.   In this case, it was malicious code that was planted. I'm sure it was done in such a way that everyone using those libraries is going to become vulnerable.  If it's password-stealing code, it's going to grab the passwords and send them to the attackers. In the case of crypto miners, it's going to suck up resources and CPU time and send the money to the attacker's wallets.  It's important if you're using any kind of open source – which 99 percent of people building applications are – to use an open source software composition analysis (SCA) tool. What that can do is determine what open source you're using. Veracode SCA does this. Another important thing to do is make sure the vulnerability database that your SCA tool uses is current and up to date.   At Veracode, we scan all the open source repos every single night. When this malicious code was inserted, we detected it right away. All of our customers were alerted that if they're using this version of the code, they need to update to the non-vulnerable version immediately.   
Veracode's recent State of Software Security: Open Source Edition report shows that 79 percent of the open source libraries that developers include are set it and forget it, which means they include it once and they never update it. But the updates tend to be relatively straightforward. In fact, 92 percent of open source flaws can be fixed with an update. And 69 percent of updates are a minor version change or less.   It is really important to have good and timely information about the vulnerabilities in the libraries you're using and a good process for updating the libraries …  hopefully in a very automated manner. That way you're updating these libraries without any manual effort, probably in minutes or hours instead of months. That could be the difference between an attacker compromising you or not.   This is why it's so important to stay on top of all the known vulnerabilities in the open source libraries you're using as part of your application, because when you include that third-party code, your application is likely to become vulnerable to those same problems.  Don't fall victim to an open source attack. Learn how Veracode Software Composition Analysis can protect your code.  Want to stay up to date on the latest Veracode news? Sign up for our monthly newsletter.    Tool Vulnerability
Veracode.webp 2021-09-30 14:22:27 .NET 5, Source Generators, and Supply Chain Attacks (lien direct) IDEs and build infrastructure have been a target of various threat actors since at least 2015, when XcodeGhost was discovered (https://en.wikipedia.org/wiki/XcodeGhost): a malware-ridden copy of Apple's Xcode IDE that enabled attackers to plant malware in iOS applications built using it. Attacks executed through builds abuse the trust we have in our build tools, IDEs, and software projects. This is slowly changing (for example, Visual Studio Code added a Workspace Trust feature in one of its recent releases: https://code.visualstudio.com/docs/editor/workspace-trust ), yet at the same time .NET 5 added a powerful yet dangerous feature that could make attacks similar to the one described above easier to implement, deliver, and keep under the radar. Source Generators introduction Back in 2020 (https://devblogs.microsoft.com/dotnet/introducing-c-source-generators/ ) Microsoft announced a new and exciting feature of the upcoming .NET 5: Source Generators. This functionality is intended to enable easier compile-time metaprogramming. Similar in purpose to macros or compiler plugins, Source Generators offer more flexibility, as they're independent of the IDE and compiler and do not require modifications of the source code. Source Generators can be present in your software solution as part of the Visual Studio solution structure, visible as a separate project in the IDE Solution browser. More often, they are added as a NuGet package, like any other dependency. Compilation pipeline that includes a Source Generator, source: https://devblogs.microsoft.com/dotnet/introducing-c-source-generators/ As Source Generators follow the same concept as Analyzers, they may need to have install and uninstall scripts. In a simple scenario, the install script will modify the given project's csproj file in order to trigger the Source Generator at build time.
Similarly, the uninstall script will remove any references to the Source Generator from the csproj file. Note: supply chain attacks that utilize install scripts or build event scripts are certainly viable and have already been attempted in the wild, but the technique described in this blog post does not use scripts, making potential attacks harder to detect. Generators can be used for various purposes; in the most trivial case, to inject code that'll be callable from first-party code. Snippet source: https://devblogs.microsoft.com/dotnet/introducing-c-source-generators/

using System;
using System.Collections.Generic;
using System.Text;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.Text;

namespace SourceGeneratorSamples
{
    [Generator]
    public class HelloWorldGenerator : ISourceGenerator
    {
        public void Execute(SourceGeneratorContext context)
        {
            // begin creating the source we'll inject into the users compilation
            var sourceBuilder = new StringBuilder(@"
using System;
namespace HelloWorldGenerated
{
    public static class HelloWorld
    {
        public static void SayHello()
        {
            Console.WriteLine(""Hello from generated code!"");
            Console.WriteLine(""The following syntax trees existed in the compilation that created this program:"");
");

            // using the context, get a list of syntax trees in the users compilation
            var syntaxTrees = context.Compilation.SyntaxTrees;

            // add the filepath of each tree to the class we're building
            foreach (SyntaxTree tree in syntaxTrees)
            {
                sourceBuilder.AppendLine($@"Console.WriteLine(@"" - {tree.FilePath}"");");
            }

            // finish creating the source to inject
            sourceBuilder.Append(@"
        }
    }
}");

            // inject the created source into the users compilation
            context.AddSource("helloWorldGenerator", SourceText.From(sourceBuilder.ToString(), Encoding.UTF8));
        }

        public void Initialize(InitializationContext context)
        {
            // No initialization required for thi
Malware Tool Threat
Veracode.webp 2021-09-21 10:49:49 MPT's Value at Veracode (lien direct) You finally have some budget to buy tools for your application security (AppSec) program! GREAT! Purchasing the correct tools for your AppSec program can be overwhelming. Even when looking only at point solutions, there still may be some confusion on the value that various tools can provide. Sometimes you'll find the perfect tool, but others may offer you a similar tool with added manual penetration testing (MPT) as part of the overall bundle. That seems like a great idea for the budget. Let's dive in and see what kinds of value these other offerings really provide. First, let's cover the shortcomings of other Automated Tools + Manual Penetration Testing bundles. This is going to be pretty high level and will avoid comprehensive dives for ease of consumption. If you read anything, read the short bulleted list! Who is doing your MPT as part of this engagement? Veracode has world-famous authors and hackers on their MPT teams. Please reach out and ask for our MPT team profile and then google them! Chances are that your bundled MPT is being conducted by offshore teams to provide cost savings. Apps don't get great coverage with MPT. This is a light MPT engagement when bundled. Ask for regular pricing so you can see the difference. Typically you can gauge the effectiveness of the offering by comparing the 1-day retail price of MPT to what is offered in the bundled offering. Cheap MPT and any other labor-intensive offerings DO NOT SCALE! Think about it. MPT on demand? Do they have people staffed and waiting for you to make a request? How is it that the queue is not long? Also, claimed less than 1% FP rates due to manual labor scrubbing DO NOT SCALE. Remember, anything labor-intensive requires people being on payroll and WORKING. If they are not WORKING, they are on stand-by. We all know that no one is hired to be on stand-by.
Why Veracode's Manual Penetration Testing value can NOT be beaten Veracode's value in MPT can be summarized into four major points: single pane looking glass reports, comprehensive security analysis value, remediation and AppSec program assistance, and scalability. Single pane looking glass report Veracode has a single pane looking glass capability that is unmatched in the industry. You can purchase Static Analysis, Dynamic Analysis, Software Composition Analysis, and Manual Penetration Testing. Then you can generate a report with all the findings in one PDF in the context of a single application. With our big data analytics tools, you can then generate views on the entire organization portfolio or on each team's application security posture. Comprehensive security analysis value If you already are a customer of our automated tools, then MPT with Veracode generates a value proposition that CAN NOT be beaten. For example, if you are running daily/weekly SAST, DAST, and SCA checks, MPT will skip all the findings in those reports. This allows us to find more complex and nefarious things that automated tools simply cannot find. With other MPT offerings, the vendors must use the hours and will not know to skip the low-hanging fruit that our tools already caught, such as SQL injection, cross-site scripting, etc. Since other vendors don't have access to the same analysis, they must generate as many findings as they can per hour. When you compare MPT offerings hour for hour against Veracode, you will find that Veracode can do more with an hour of MPT than any other vendor can. Remediation and AppSec program assistance Other vendors won't have the experience in providing remediation advice or AppSec program assistance that Veracode has. Don't spend hours looking for answers. Speak to one of our services experts to help you fix the findings we generate or help manage your application security program.
This is not an extra add-on; this is included upfront so it is easy to forecast and budget. If your security or dev teams have questions, Veracode is there to help. Scalability No other vendor can scale like Veracode. In our automated tools, we don't lean on manual labor to generate better findings. I Tool
Veracode.webp 2021-08-06 09:32:28 Recap: Black Hat USA 2021 (lien direct) Black Hat USA 2021 kicked off this week and we enjoyed the show! In addition to hosting a Cards and Coding virtual casino night to discuss the future of cybersecurity (and give away some prizes), we held a Lunch & Learn with Wallace Dalrymple, CISO of Emerging Markets at Advantasure. In the session, our Founder and CTO Chris Wysopal chatted with Wallace about how Veracode and Advantasure worked together to build a mature application security (AppSec) program while addressing modern software security requirements. As Chris noted when the Lunch & Learn session began, the pandemic drove many organizations to digitally transform most functions of business, quickly, which meant increased security threats - especially for organizations in the healthcare industry where Advantasure thrives. The effort to produce more secure code is especially critical after the Biden Administration's recent Executive Order on cybersecurity, which impacts software security for organizations big and small. We know from our annual State of Software Security report that 75 percent of apps in the healthcare industry have security flaws, and 26 percent have high-severity vulnerabilities. To get ahead of this risk in the pandemic (during which they saw an uptick of cyberattacks by 50%), Advantasure knew they needed to bolster their AppSec program and set themselves up for a successful digital transformation. That's where Veracode came in, helping Wallace and his team build a stronger security program and enable their developers to become more security-minded. “I believe in: if you write it, you own it. You really have to have that buy-in from development, from project managers to deployment teams and release teams, all the way up to the management,” Wallace said. 
Speaking about Veracode Security Labs he continued, “Veracode provides a platform where we can actually provide a tool for developers to not just learn – not just watch a webinar – but to actually be hands-on and understand the coding mistakes they make through real-time feedback.” Wallace elaborated that their developers have been able to embrace new tools as part of their existing processes, giving them ownership over the efforts and boosting security adoption. If you missed the Lunch & Learn, you can read Advantasure's full story here to see how they got it done. From Big Data to Open Source We also had the chance to sit in on some sessions, one of which delved into the security of big data infrastructures: The Unbelievable Insecurity of the Big Data Stack: An Offensive Approach to Analyzing Huge and Complex Big Data Infrastructures. Sheila A. Berta of Dreamlab Technologies spoke about data ingestion, storage, processing, and access, as well as the techniques threat actors use to get into data infrastructures. As Head of Research for Dreamlab Technologies, Sheila asked the question, “What is a security problem and what is not a security problem in Big Data infrastructures?” What it comes down to, she said, is that security teams need to stay on top of methodologies and keep their skills sharp if they want to proficiently evaluate the security of these infrastructures. The methodology presented by Sheila came with new attack vectors in data; for example, she discussed techniques like the remote attack of a centralized cluster configuration managed by ZooKeeper, as well as relevant security recommendations to prevent these attacks. Another interesting session titled Securing Open Source Software – End-to-End, at Massive Scale, Together was held by Christopher Robinson, the Director of Security Communications at Intel, and Jennifer Fernick, SVP & Global Head of Research at NCC Group. 
In their discussion, they highlighted that, while open source software is foundational to the Internet, it's also rife with risk if left unchecked. This is a problem we work to combat here at Veracode with tools like Software Composition Analysis and developer enablement programs - our recent State of Software Security: Open Source Edition report found that just over half of Tool Threat
Veracode.webp 2021-06-29 11:30:29 Speed or Security? Don't Compromise (lien direct) “Speed is the new currency of business.” Chairman and CEO of Salesforce Marc R. Benioff's words are especially potent today as many organizations small and large look for ways to speed up production during their shifts to digital. In software development, speed is a critical factor. Everything from shifting priorities to manual processes and siloed teams can seriously impede deployment schedules. One of the biggest obstacles, however, is a lack of security throughout every step of the production process to ensure that coding mistakes and flaws are found and fixed before they turn into project-derailing problems. A lack of an efficient and flexible AppSec program becomes an issue when you look at the data: Cyberattacks occur every 39 seconds. 60 percent of developers are releasing code 2x faster than before. 76 percent of applications have at least one security flaw on first scan. 85 percent of orgs admit to releasing vulnerable code to production because of time constraints. A mere 15 percent of orgs say that all of their development teams participate in formal security training. But there's good news, too. We know from our annual State of Software Security report that frequent scanning with the right tools in the right parts of your software development lifecycle can help your team close security findings much faster. For example, scanning via API alone cuts remediation time for 50 percent of flaws by six days, slamming that window of opportunity shut for cyberattackers. The Veracode Static Analysis family helps you do just that. It plugs into critical parts of your software development lifecycle (SDLC), providing automated feedback right in your IDE and pipeline so that your developers can improve the quality of their code while they work. You can also run a full policy scan before deployment to understand what your developers need to focus on and to prove compliance.
Together, these scans throughout My Code, Our Code, and Production Code boost quality and security to reduce the risk of an expensive and time-consuming breach down the road. Automation and developer education In addition to having the right scans in the right places, there are supporting steps you can take to ensure the quality of your code without sacrificing speed. Automation through integrations is an important piece of the puzzle because it speeds everything up and boosts efficiency. The automated feedback from Veracode Static Analysis means your team of developers has clear insight into existing flaws so they can begin prioritization to eliminate the biggest risks first. Automation also sets the standard for consistency which, as you go, improves speed. Developer education also helps close gaps in information and communication with security counterparts so that they can work towards a common goal. It goes both ways: if the security leaders at your organization can walk the walk and talk the talk of the developer, everyone will have an easier time communicating goals and solving security problems. One way to close those gaps is through hands-on developer education with a tool like Veracode Security Labs. The platform utilizes real applications in contained environments that developers can hack or patch in real time so that they learn to think like an attacker and stay one step ahead. Like Static Analysis, Security Labs helps meet compliance needs too, with customized education in the languages your developers use most. The prioritization conundrum Security debt can feel like a horror movie villain as it lingers in the background. But it isn't always teeming with high-risk flaws that should be tackled first, and so it's important to carefully consider how to approach prioritization.
A recent analyst report, Building an Enterprise DevSecOps Program, found that everything can feel like a priority: “During our research many security pros told us that all vulnerabilities started looking like high priorities, and it was incredibly difficult to differentiate a vulnerability with impact on the organization from one which Hack Tool Vulnerability Guideline
Veracode.webp 2021-06-28 09:40:27 Too Many Vulnerabilities and Too Little Time: How Do I Ship the Product? (lien direct) The percentage of open source code in the enterprise has been estimated to be in the 40 percent to 70 percent range. This doesn't make the headlines anymore, but even if your company falls in the average of this range, there is no dearth of work to do to clean up, comply with AppSec policies, and ship the product. Phew! So where do you start when it comes to resolving all the vulnerabilities uncovered in your open source libraries? By prioritizing the findings from your scans and addressing the most critical and relevant vulnerabilities first. How do you prioritize? CVSS severities are an obvious choice, but considering the percentage of open source code you are dealing with, and depending on the language under the scanner, this alone might not bring the vulnerabilities to be addressed down to a manageable number within your resource and time constraints. We will look at some common prioritization approaches before looking at Veracode's recommendation, based on our deep expertise gathered from advising hundreds of customers about this aspect of their AppSec program. Common prioritization approaches You can resolve your findings to comply with your AppSec policy by prioritizing along one of a few dimensions. Here is a list of the most common prioritization approaches: Threat-focused approach: This zeroes in on the flaws that are actively targeted in the wild through malware, exploit kits, ransomware, or threat actors. Vulnerability-focused approach: This prioritizes flaws and vulnerabilities according to how critical they are; for example, how easy they are to exploit, what their exploitation impact looks like, or whether there is a public exploit available. Asset-focused approach: This gives the highest priorities to vulnerabilities that are associated with critical assets, and then orders the rest by how dangerous they are.
Some organizations measure the exploitability of different flaws and vulnerabilities, taking a threat-focused approach as outlined above. This can also factor in the maturity of known flaws, which sometimes impacts how easy it is to remediate, or how exploitable it is out in the wild. While these approaches are a good starting point and cover the broad base of risk, there is an additional piece of information that can make it easy for security stakeholders and developers to prioritize their Software Composition Analysis (SCA) scan findings when operating under tight resource and time constraints. Vulnerable methods: a powerful arrow in your AppSec quiver If the goal of AppSec is to ship clean code fast, then Veracode's vulnerable methods feature is a powerful arrow in your quiver to hit that target. Veracode's vulnerable methods feature goes beyond severities and exploitability to answer the key question for prioritization: How is this finding from the SCA scan relevant to my code? It answers that question by pointing to the precise function/method that makes a library vulnerable. This allows you to quickly assess whether it is worth the effort to remediate an SCA finding. Once a library is known to be vulnerable, our security research team researches and documents the exact function/method that makes it vulnerable. This team (say hello to them if you visit Singapore) of security experts, data scientists, and programmers continues to add new languages to our repository of languages for which we provide vulnerable methods coverage. When you're ready to tackle your security backlog, examine how particular applications use vulnerable methods and prioritize them in a way that reduces the immediate threat quickly. Getting ahead of possible exploits while reducing debt Security debt and unresolved vulnerabilities can feel daunting to developers and security professionals, especially as open source code only continues to increase its footprint in enterprise applications.
But with a powerful tool like Veracode's vulnerable methods, you can go beyond severity or exploitability and focus on what really matters to your organization. Learn more about Veracode's Software Composition Analysis solution by readi Tool Threat
Veracode.webp 2021-04-29 16:28:56 Developer Training Checklist: 5 Best Practices (lien direct) The role of the developer has evolved over the past several years. Developers are not only responsible for writing code and releasing new software rapidly but also for securing code. By implementing security in the software development lifecycle, you can reduce risk and cost without slowing down time to production. But the developer role is already stretched thin and many developers don't have a background in security. How can you get developers up to speed on security measures in an engaging manner that doesn't add too much extra work? And how can you ensure that your developers are successfully implementing the security learnings? Leveraging findings from a recent Enterprise Strategy Group report, Modern Application Development Security, and tips from our Director of Development Enablement, Fletcher Heisler, we were able to establish a list of best practices to follow when training developers in security. Make security training a real requirement. Developers are very busy. If they're not required to take secure coding training, it's highly unlikely that they will. So, make it part of their goals. And to ensure that they're paying attention to the trainings, consider adding knowledge checks. Make sure the training is relevant and engaging. As Fletcher states in Four Fundamentals of Education The Sticks, use a training tool like Security Labs that “bring[s] magic, adventure, and exploration back to security so that developers can actually explore when something goes wrong.” And make sure the examples are relevant to the developer's day-to-day work. The more realistic, the more seriously they take the training. Measure the effectiveness of the training. Don't just assume that developer training is working; track it.
To ensure that your developers are implementing the learnings from their security training, you should track both issue introduction and continuous improvement metrics for both scrum teams and individual developers. By keeping track of these metrics, you can tailor future security trainings toward areas of weakness. [As you can see in the chart below from Enterprise Strategy Group, only 41 percent of organizations are tracking the continuous improvement of development teams.] [Chart: ESG efficacy] Offer a mix of training types. Not everyone learns the same way. Some developers might prefer instructor-led courses while others might like on-demand courses or hands-on training tools. It's also important to keep in mind that developers likely have different levels of security knowledge. A new developer might need an introductory course to secure code training while a more experienced developer might benefit from a more technical course. Implement a security champions program. Many organizations benefit from implementing a security champions program. To start a security champions program, select interested volunteers from each development team and give them the extra tools and training needed to be the security experts on their scrum teams. They'll be able to pass along their additional security skills to peers on their team. Tool
Veracode.webp 2021-04-22 12:43:02 Reporting Live From Collision Conference 2021: Part One! (lien direct) This week, Collision (virtually) kicked off its annual conference, bringing together creatives, builders, influencers, innovators, and other great minds to cover some of the hottest topics in business and technology. Known as “America's fastest-growing tech conference,” this year Collision featured over 450 speakers with more than 100 hours of content to consume across the three-day event. With a sizable group of 40,000-plus attendees to entertain, the team behind Collision came prepared with a packed schedule. The lineup included speakers from some brand heavy-hitters (Amazon, Twitter, TikTok, and PayPal, to name a few) as well as our very own Chris Wysopal representing the application security (AppSec) space for Veracode! AI, AI… Oh! Chris first led a hodgepodge of talent from security and tech to moderate Collision's AI, AI… Oh!: AI, Security and Privacy in Online Society session. For this roundtable, Chris was joined by Jeff Moss of DEF CON, Jordan Fisher of Standard Cognition, Katie Moussouris of Luta Security, Alexander Vindman of Lawfare, Gary Harbison of Bayer, and Window Snyder of Thistle Technologies. The topic at hand? Just how major the impacts of AI and machine learning are on all industries today, and the risks this technology can bring if left unchecked. The roundtable dug into important issues like allocating organizational resources to security, privacy, and transparency to monitor AI, as well as what can go wrong when companies don't quite get it right. Chris kicked off the conversation by asking, how can we have technology figure out exactly what algorithms are doing so that we know when something is going awry, and who is to blame when it does? Gary Harbison brought up the idea of self-driving cars, which take data from their environment and make decisions in the moment.
At some point, if there is a decision made by the algorithm that pits the safety of the driver against a pedestrian, who is to blame and what is the ramification? Gary followed up that we as an industry need to think this through sooner rather than later. Another risky implication of this technology, the group suggested, is that in cases where AI is used to track consumer behavior, such a tool can quickly become an invasion of privacy. Window Snyder noted that implementing security (and being able to measure it) is a critical first step. She posed the question, how are we going to measure efficacy and improvements in security around AI technologies so that we can see what is actually providing value to consumers? “Consumers will feel understandably uncomfortable knowing that a brand is tracking what they do inside of a store, and they may feel like they're being watched everywhere they go,” she said. Window went on to explain that, if we want to create trust between technology companies and the people we're observing, we need to make sure that we're creating clear business requirements and metrics, reducing the scope and time for tracking, and doing as much as possible to reduce the granularity of the data that is collected. Another important step, she says, is that when you build a mechanism to collect data, you also need to build a mechanism to remove it after extracting as much granularity as possible. Doing so tells consumers that the technology was built with their privacy in mind. There's an economic and geopolitical aspect to the risks of AI te Tool
Veracode.webp 2021-04-19 09:05:28 DevSecOps in Practice: How to Embed Security into the DevOps Lifecycle (lien direct) You've heard of DevOps. And by now, you've probably also heard of DevSecOps, which extends DevOps principles into the realm of security. In DevSecOps, security breaks out of its “silo” and becomes a core part of the DevOps lifecycle. That, at least, is the theory behind DevSecOps. What's often more challenging for developers to figure out is how to apply DevSecOps in practice. Which tools and processes actually operationalize DevSecOps? Until you can answer that question, DevSecOps will be just another buzzword. To help bridge the gap between theory and practice, let's walk through what DevSecOps means from a practical perspective, and how to go about embedding it into your development workflows. DevSecOps, defined If you're familiar with DevOps (which encourages collaboration between developers and IT operations engineers in order to speed application delivery), then the meaning of DevSecOps is easy enough to understand. DevSecOps adds security operations teams into the equation so that they can collaborate seamlessly with developers and IT engineers. DevSecOps places a DevOps spin on basic security concepts. Just as DevOps encourages continuous delivery, DevSecOps is all about continuous security, meaning the constant and holistic management of security across the software development lifecycle. Similarly, DevSecOps encourages continuous improvement in the realm of security, meaning that no matter how secure you believe your environment is, you should always be looking for ways to improve your security posture even further. DevSecOps in practice These are all great ideas to talk about, and it's easy to see why they are valuable. Security postures are indeed stronger when developers, IT engineers, and security engineers work together, rather than working in isolation.
It's much easier to optimize security when developers prioritize security with every line of code they write, and when IT engineers think about the security implications of every deployment they push out, rather than viewing security as something that someone else will handle down the line. The big question for teams that want to embrace DevSecOps, though, is how to go about putting these ideas into practice. That's where things can get tougher. There is no simple methodology that allows you to "do" DevSecOps. Nor is there a specific tool that you can deploy or a particular role that you can add to your team. Instead, operationalizing DevSecOps means building holistic combinations of processes and tools that make it possible to integrate security into DevOps workflows. While the best approach to this will vary from team to team, the following are some general best practices for implementing DevSecOps. Scanning early and often One basic step toward implementing DevSecOps is to ensure that you perform security tests and audits at the beginning of the software delivery pipeline. You don't want to wait until code is written and built to start testing it for flaws (and you certainly don't want to let it get into production before testing it). Instead, you should be scanning code as it is written, by integrating security tooling directly into your IDEs if possible. Importantly, security scanning should continue as code "flows" down the pipeline. You should scan your test builds and application release candidates before deployment. Security monitoring and auditing should also continue once code is in production. Automation Automation is a founding principle of DevOps, and it's just as important to DevSecOps. Automation not only makes processes faster and more efficient, but also helps reduce friction between the different stakeholders in DevSecOps Tool Uber ★★★
Veracode.webp 2021-04-01 15:22:17 Secure Coding Urban Myths and Their Realities (direct link) "Science and technology revolutionize our lives, but memory, tradition, and myth frame our response." - Author Arthur M. Schlesinger Urban myths rely on their communities of origin to thrive and survive. Perpetuated by offhand anecdotes, sensational news stories, and friend-of-a-friend legends, urban myths about secure coding are no different; as developers share tidbits of information around common struggles and issues in application security, those conundrums quickly become myths that can make secure coding seem daunting. Schlesinger's quote is even more important today as so much of the world is powered by modern applications, yet at the same time myths clouding the development community often frame how developers respond to (or avoid) issues with their code. The reality is clear: when you take ownership over your code and rally around your team's security efforts to squash these myths, your apps carry far less risk than before. And once you recognize these myths for what they are, you have the power to reframe how you approach similar challenges in the future. Popular myths in programming So what are some of the common urban myths in software development? They can range from the security of open source code to relying solely on developer tools and why PHP is considered a "dying language": did you know 80% of all websites built on known programming languages are powered by PHP? Some of today's heavyweights like Etsy, Facebook, and Wikipedia were built on PHP, and PHP-based publishing platforms like WordPress and Drupal are still extremely popular. It isn't going anywhere anytime soon. Maybe you've also heard the urban myth that fixing flaws in your open source code is too time-consuming? Myth busted: almost 75 percent of known vulnerabilities in open source code are fixable with a simple library update to patch the exploits.
Even better, tools like Veracode Software Composition Analysis provide immediate and actionable guidance to help you remediate flaws in your open source code before they add risk to your organization. Or, perhaps you've seen comments on Reddit that your favorite developer tool is all you need to secure your code, but security features in basic developer tools typically lack the comprehensiveness required for ample coverage. In reality, you need the right testing types in the right places throughout your SDLC, ensuring coverage for your CI/CD pipeline and giving you peace of mind while you work. Urban Myths About Secure Coding We've only scratched the surface when it comes to urban myths about secure coding! To learn more about some of these common conundrums (and their realities), download our eBook: 6 Urban Myths About Secure Coding. Tool
Veracode.webp 2021-03-16 10:45:23 Automated Security Testing for Developers (direct link) Today, more than ever before, development organizations are focusing their efforts on reducing the amount of time it takes to develop and deliver software applications. While this increase in velocity provides significant benefits for the end users and the business, it does complicate the process for testing and verifying the function and security of a release. The days of long-running, waterfall-style development cycles, wherein security was manually evaluated and bolted on at the end, are gone for good. With the move towards an agile development methodology, security testing and remediation is inherently shifting to the left. And to support this, developers must adopt tools to automate security testing for easy vulnerability identification at the earliest point possible in the development lifecycle. Below, we discuss the why and how of implementing an effective strategy for automated security testing within the development lifecycle. Shifting security testing to the left Through the use of automation, security testing can be executed earlier (or left) in the development pipeline. This is advantageous for a variety of reasons. For one, the earlier vulnerabilities are discovered, the less expensive they are to fix. If a security issue was introduced into the code early in the release cycle, it's more likely that it'll be resolved in minutes or hours, whereas a vulnerability discovered at the end of the release cycle could face complexity that increases the time required to remediate. Moreover, earlier execution of security tests ensures that vulnerabilities pose less of a threat to the delivery schedule. When security tests are automated as part of the build and integration processes, there is less uncertainty as the release approaches the later stages of the development lifecycle. This reflects well on both development personnel and the organization as a whole.
Shifting security left can also help reduce security debt, which piles up over time and can only add to serious risk if left unchecked. Instead of leaving the prioritization and remediation of bugs and vulnerabilities until the very end, shifting security left encourages collaboration between security and development to tackle this issue and determine which security debt is acceptable, and which should be remediated ASAP, reducing lingering risk. Automated security testing for developers So with the intent being to automate and shift security testing to the earliest possible point in the development lifecycle, let's analyze how this is done in practice. What are we looking for when we test? What does automated security testing involve? Automated security testing for applications is accomplished by scanning code for vulnerabilities. Static code analysis, for instance, scans a codebase while the application is not running. The code is evaluated against a set of policies to ensure that developer implementation is in compliance with the security standards set forth by the organization. Non-compliance with any standard would indicate a vulnerability. These vulnerabilities can include anything from failure to properly protect database calls from SQL injection, to non-compliance with PCI standards for processing, storing, and transmitting credit card information. Furthermore, automated security testing can be leveraged to validate the security of third-party libraries being used by the system. Organizations that wish to shorten their development cycles and enable continuous delivery should uti Tool Vulnerability Threat ★★★
Veracode.webp 2021-03-03 13:26:24 Veracode Named a Leader for AST on IT Central Station (direct link) To keep up with the pace of the modern world, organizations are constantly looking for ways to release software faster than their competitors. This "need for speed" has led many organizations to adopt DevSecOps. With DevSecOps, security is moved earlier in the software lifecycle, into the realm of developers. As a result of the changing development landscape, application security testing has also been evolving. Yesterday's application security testing tools and processes will no longer do. Organizations need an AppSec vendor that is not only DevSecOps friendly but also offers multiple testing types, developer security training, and keeps false positives to a minimum. IT Central Station users have recently ranked AppSec vendors on these attributes and awarded Veracode the top spot for application security testing (AST) solutions. Be DevSecOps friendly DevSecOps, which adds security to the already merging workstreams of development (Dev) and IT operations (Ops), is now a critical piece of the application security story. IT Central Station members acknowledged the importance of having application security testing integrated into the DevSecOps workflow. For example, according to Riley B., a senior security analyst at a wellness & fitness company with over 1,000 employees, "Veracode has improved our application security program by providing numerous integrations and tools to take our AppSec/DevSecOps to the next level." Being able to integrate automated scans into the DevSecOps pipeline makes application security testing more "DevSecOps friendly." For a security architect at a financial services firm with over 1,000 employees, one of Veracode's most valuable features is its ability to submit the software and get automated scan results from it.
Divakar R., a senior solutions architect at NessPRO Italy, a small tech services company, simply stated that Veracode is "a well-supported and valuable tool that was part of our DevSecOps process," while a DevSecOps consultant at a communications service provider with over 10,000 employees compared Veracode to a competitor: "Veracode is more API and DevSecOps friendly. Veracode's scanning time is better." Cover all application types Application security testing needs to cover a wide variety of application types if it's going to contribute to positive outcomes in the modern world of DevSecOps. This means supporting testing for the web, mobile apps, microservices, and more. A senior security architect at a financial services firm with over 10,000 employees spoke to this need, saying, "We are scanning external web applications, internal web applications, and mobile applications with various types/combinations of scanning. We use this both to improve our application security as well as achieve compliance with various compliance bodies that require code scanning." The communications service provider's DevSecOps consultant echoed this approach, sharing, "We use th Tool ★★★★★
Veracode.webp 2021-03-02 10:55:24 Top Security Anti-Patterns in ASP.NET Core Applications (direct link) Microsoft's ASP.NET Core enables users to more easily configure and secure their applications, building on the lessons learned from the original ASP.NET. The framework encourages best practices to prevent SQL injection flaws and cross-site scripting (XSS) in Razor views by default, provides a robust authentication and authorization solution, a Data Protection API that offers simplicity of configuration, and sensible defaults for session management. What could possibly go wrong? Let's break down a few scenarios where misusing security features and improperly overriding defaults may lead to serious vulnerabilities in your applications. We'll focus on MVC-based ASP.NET Core applications; however, most of the scenarios are equally applicable to Razor Pages. Not validating anti-forgery tokens properly Cross-Site Request Forgery (CSRF) attacks allow an attacker to trick a user into performing an action on a trusted web application, typically by getting the user to click on a link created by the attacker that will call the vulnerable application. A vulnerable application would have no idea that the malicious request triggered by the user was not intentional, and it would perform it. If the user was logged in during this time, the web browser would likely send the cookies with the request. To protect against this, tokens should be created by the web application that are then passed back on each request to the server. These tokens change regularly, so a link provided by an attacker would be detected due to the outdated or missing token, and subsequently discarded by the application. Because CSRF relies on a stateful, pre-existing session and on the session information being passed automatically via cookies, CSRF protection is less likely to be required for API endpoints, which are typically stateless.
ASP.NET Core provides a powerful toolset to prevent attacks using anti-forgery tokens. POST, PUT, PATCH and DELETE HTTP methods are the most likely to have significant side effects if REST guidelines have been followed, because these verbs are reserved for actions that alter state or data, and therefore they will require and validate anti-forgery tokens. For the sake of brevity we'll use POST as an example from here on. There are multiple ways to apply attribute-based filters to configure anti-forgery token validation, and the approaches may seem overwhelming: (1) ValidateAntiForgeryToken applied to each POST action in the controllers that would be exposed to requests. (2) ValidateAntiForgeryToken applied at the Controller level, exempting specific methods (most prominently those with GET actions) from validation using IgnoreAntiforgeryToken. (3) AutoValidateAntiforgeryToken applied globally to validate tokens on all relevant requests by default, and using IgnoreAntiforgeryToken to opt out of validation for specific actions if necessary. ASP.NET Core project templates and the code generation command-line interface create controller actions that use approach (1), with the ValidateAntiForgeryToken attribute attached to every action associated with updating data; that is, the ValidateAntiForgeryToken and HttpPost attributes are always used together: [HttpPost] [ValidateAntiForgeryToken] public async Task CreateSomething(Something something) While the result of the approach is valid, if the developer is writing the methods manually, they may easily forget to include the ValidateAntiForgeryToken attribute alongside the attribute designating the action, such as [HttpPost]. By default, neither ASP.NET Core nor the code editor wi Tool Guideline ★★★
Veracode.webp 2021-02-05 09:59:35 AppSec Bites Part 2: Top 3 Things to Consider When Maturing Your AppSec Programs (direct link) A joint blog post from Veracode and ThreadFix When it comes to maturing an AppSec program, there are several best practices that can help you get started. In part two of our AppSec podcast series, Tim Jarrett, Director of Product Management at Veracode, and Kyle Pippin, Director of Product Management at ThreadFix, share the top 3 things they've learned from organizations that have successfully matured and scaled their AppSec programs. 1. Know your anchor points. The first thing you need to think about when maturing your AppSec program is the current landscape of your organization. What are the things you can't change? It could be that you can't find more AppSec resources (supply and demand) or that there is no budget for additional scan types. Whatever the constraints are at your organization, you need to acknowledge them so that you can find acceptable workarounds. 2. Automate. Next, if you are not doing so already, you need to automate as much as possible. If application security scans are automated into the developers' existing tools and processes, there will likely be an increase in scan activity and developers will have more free time to work on securing their code and remediating flaws. Automation can also be used for other purposes, like onboarding. Since security professionals are hard to come by, they are often stretched thin for time. Because of this, security professionals can become a bottleneck when it comes to software deployments. If you automate some of their tasks, like onboarding developers in security best practices, it can free up some of their time and improve speed to market. 3. Focus on outcomes. Last, but certainly not least, it's important to focus not just on finding, but fixing flaws. You can help developers improve fix rates through training measures.
For example, Veracode Security Labs is a great tool to help developers practice writing and remediating code in their chosen language. Implementing a security champions program is also a useful way to help make security top of mind for developers. Most developers don't take security courses in college, so unless they are learning about security at their organization, chances are it's not a strong skillset. If you find developers who are interested in learning more about security, you can train them to be security champions and they can take those skills back to other developers. To learn more about the best practices for maturing your AppSec program, check out part 2 of our AppSec Bites podcast series with ThreadFix. Tool
Veracode.webp 2021-01-26 11:37:41 Which AppSec Testing Type Should You Deploy First? (direct link) The gold standard for creating an application security (AppSec) program is, and always will be, to follow best practices. By following preestablished and proven methods, you can ensure that you are maximizing the benefits of your AppSec program. Unfortunately, time, budget, culture, expertise, and executive buy-in often restrict organizations from following best practices. But that doesn't mean that you can't create an impactful AppSec program. You should aim to follow best practices but, when you can't, there are practical first steps you can take to position your program for future improvements. Ideally, you should be using every testing type: static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. AppSec testing types chart Each AppSec test has its own strengths and weaknesses, with no one tool able to do it all. If you choose not to employ a specific test, you could be leaving your application vulnerable. For example, if you don't employ software composition analysis, you may miss vulnerabilities in your third-party code. And if you don't employ dynamic analysis, you could miss configuration errors. But by using all of the testing types together, you can drive down risk across the entire application lifetime from development to testing to production. If you don't have the funds or support to employ every AppSec testing type, you should always begin with the test(s) that will have the most impact, in the shortest amount of time, for the least amount of money. This will depend on factors like your release cadence, risk tolerance, and budget. For organizations releasing software less than four times a year, manual AppSec scans will probably suffice. But if you release software daily or weekly (likely in a CI/CD fashion),
you will need to automate your AppSec scans with each code commit. You also need to consider the speed of different scan types. Static analysis can provide immediate feedback with each commit. Penetration tests, on the other hand, are much slower because they rely on a human pen-tester to review the code. But speed isn't the only concern. You also need to consider the risk of your applications. An application housing sensitive data (like banking information) needs to undergo more in-depth AppSec tests than a lower-risk application. In-depth AppSec tests, like penetration testing, may take longer but they are critical in preventing cyberattacks. It really comes down to weighing the risk vs. time to market. In some instances, it may be okay to release software with low- or medium-severity risks. But for high-severity risks, you should break the build until the vulnerability is remediated. Budget is also a major factor. Penetration tests are considerably more expensive than other testing types. So, if you're on a tight budget, frequent pen tests may not be feasible. You might be better off pen-testing on an annual or bi-annual basis. Once you've successfully implemented the AppSec testing type(s) that provides the most value to your organization, it's time to start making the case for additional scans. As always, consider your budget, risk tolerance, and technology when adding to your AppSec mix. To learn more about AppSec best practices and practical first steps, check out our guide, Application Security Best Practices vs. Practicalities: What to Strive for and Where to Start, and keep an eye out for our upcomin Tool Vulnerability
Veracode.webp 2020-12-09 16:34:28 Is Your Language of Choice a Major Flaw Offender? (direct link) In volume 11 of our annual State of Software Security (SOSS) report, we uncovered some valuable nuggets of information about how you, the innovative developers of our world, can craft more secure code. For example, did you know that scanning via API improves the time to remediate 50 percent of security flaws by about 17 days, or that C++ and PHP languages have an alarmingly high number of severe security flaws and need greater attention? It's not enough to simply stay on top of the biggest flaw offenders and the latest trends. If you want to improve the quality of your code, you need to take that information and apply it to the tools, processes, and languages that you use every day. Knowing these trends in application security before you sit down to code means you're prepared to fix them quickly or, even better, prevent them altogether. This year's edition of SOSS comes equipped with a standalone report and an interactive heat map to help you do just that; our Flaw Frequency by Language infosheet explores vulnerability trends in various common languages to highlight everyday risks so that you can get ahead of them. This breakdown of the data, which includes information from 130,000 application scans, tells us which languages tend to house the most critical flaws: High Severity Flaws If C++, PHP, .Net, or Java are your languages of choice, take note: they're prone to some of the riskiest vulnerabilities around. In fact, a whopping 59 percent of C++ applications have high and very high-severity flaws, with PHP coming in at a close second place. Worm Map The worm map above is a visual representation of just how prevalent certain flaws are in the languages they impact the most.
You can see that (despite being in second place) PHP has a high frequency of risky flaws like Cross-Site Scripting (XSS), cryptographic issues, directory traversal, and information leakage exploits. Another interesting note: you can tell from this worm map that Python and JavaScript are quite similar when it comes to flaw frequency, with fewer occurrences of those high-risk flaws. Beat the Heat Further breaking down flaw frequency by language, our interactive heat map is a helpful tool for understanding just how risky some of these exploits can be in your languages of choice. Simply click through the vulnerabilities to see the data, gain insight into why these flaws are so dangerous, and learn how to prepare yourself for tackling Tool Vulnerability ★★★
Veracode.webp 2020-12-03 09:40:55 CI/CD With Veracode Docker Images (direct link) On November 19, Veracode published new, official Docker images for use in continuous integration pipelines. The images, which provide access to Pipeline Scan, Policy (or Sandbox) scans, and the ability to access Veracode APIs via the Java API Wrapper or via HTTPie with the Veracode API Signing tool, make it easy to include the current version of Veracode tools in your automation workflow. Why Docker? Providing official Docker images addresses customer feedback we've received regarding the use of Veracode tools in a pipeline. Without using a Docker image, a customer's script must download the tool each time to the CI/CD runner, adding time to each run, or a customer must implement their own caching mechanism to avoid redownloading the tool every time. Also, any dependencies required by the Veracode tool, including the Java runtime or Python, must be installed on the local machine, potentially raising issues of version compatibility. Last, some continuous integration pipelines, including AWS CloudStar and TravisCI, require external testing tools to be integrated via containers. The Veracode Docker images address these concerns. Docker automatically provides caching and makes it easy to always use the latest version available. Also, the Docker image contains any dependencies required by the Veracode tool. Last, the Docker images are supported by Veracode, addressing concerns from customers about having to write their own image or rely on a community-provided one. Securing Docker images The Veracode Docker image was originally designed and built by Veracode's product security team for internal use in pipelines by Veracode development teams.
The team has done the following to ensure the images are secure: The Docker images are built and published to DockerHub via continuous delivery pipelines that include the most current version of each included tool and scan the images for vulnerabilities. Each image is run with a de-privileged local user to avoid privilege escalation. The underlying tools are developed with a secure SDLC and are tested with Veracode Static Analysis and Veracode Software Composition Analysis in their own development pipelines. The images are based on well-known and widely used base images. Only the prerequisites absolutely needed for downloading the tools in the images are included. Usage examples Here are a few samples using the images in continuous integration workflows. GitLab examples These examples are drawn from a single workflow that uses all three containers in different stages. (You can see the project in which the workflow is published here.) Pipeline Scan Pipeline Scan Static Analysis: image: veracode/pipeline-scan:latest stage: Security_Scan only: - development script: Tool ★★★
Veracode.webp 2020-11-19 16:23:50 Healthcare Orgs: What You Need to Know About TrickBot and Ryuk (direct link) In late October, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) co-authored an advisory report on the latest tactics used by cybercriminals to target the Healthcare and Public Health (HPH) sector. In the report, CISA, FBI, and HHS noted the discovery of "…credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers," which they shared as a warning of potential ransomware attacks. In the report, the agencies found that threat actors are targeting the HPH Sector using TrickBot and BazarLoader malware efforts, which can result in the disruption of healthcare services, the initiation of ransomware attacks, and the theft of sensitive data. As noted in the advisory, these security issues are even more difficult to handle and remediate during the COVID-19 pandemic, something healthcare providers should take into consideration when determining how much to invest in their cybersecurity efforts. The FBI first began tracking TrickBot modules in early 2019 as it was used by cyberattackers to go after large corporations. According to the report, "…TrickBot now provides its operators a full suite of tools to conduct a myriad of illegal cyber activities. These activities include credential harvesting, mail exfiltration, cryptomining, point-of-sale data exfiltration, and the deployment of ransomware, such as Ryuk and Conti." What makes it so dangerous? Researchers found that TrickBot developers created a tool called anchor_dns which uses a single-byte XOR cipher to obfuscate communications and, once de-obfuscated, is discoverable in DNS request traffic.
When the malware is successfully executed, TrickBot is copied as an executable file and the copy is placed into one of the following directories: C:\Windows\ C:\Windows\SysWOW64\ C:\Users\[Username]\AppData\Roaming\ From there, the executable file downloads modules from command and control servers (C2s) and places them into the host's %APPDATA% or %PROGRAMDATA% directory. Every 15 minutes, the malware runs scheduled tasks on the victim's machine for persistence, and after successful execution, anchor_dns deploys more malicious .bat scripts and implements self-deletion techniques through commands. The report notes that an open source tracker for TrickBot C2 servers is located here. BazarLoader and Ryuk ransomware CISA, FBI, and HHS note in the advisory report that around early 2020, threat actors believed to be associated with TrickBot began executing BazarLoader and BazarBackdoor attacks to infect targeted networks. "The loader and backdoor work closely together to achieve infection and communicate with the same C2 infrastructure," the report says. "Campaigns using Bazar represent a new technique for cybercriminals to infect and monetize networks and have increasingly led to the deployment of ransomware, including Ryuk. BazarLoader has become one of the most commonly used vectors for ransomware deployment." BazarLoader malware usually comes from phishing emails, the advisory says, with a link to a Google Drive document or another file hosting service housing what looks like a PDF file but is really an executable. The emails often appear personal with recipient or employer names in the subject l Ransomware Malware Tool Threat Patching ★★★
Veracode.webp 2020-10-29 13:04:48 A Software Security Checklist Based on the Most Effective AppSec Programs (direct link) Veracode's Chris Wysopal and Chris Eng joined Enterprise Strategy Group (ESG) Senior Analyst Dave Gruber and award-winning security writer and host of the Smashing Security podcast, Graham Cluley, at Black Hat USA to unveil the findings from a new ESG research report, Modern Application Development Security. The research is based on a survey of nearly 400 developers and security professionals, which explored the dynamic between the roles, their trigger points, the extent to which security teams understand modern development, and the buying intentions of application security (AppSec) teams. As the presenters went through the data, it led to a larger discussion about AppSec best practices and what steps organizations can take to mature their programs. Here are the best practices laid out during the presentation as an easy-to-follow checklist as well as supporting data from the ESG report. Application security controls are highly integrated into the CI/CD toolchain. In the ESG survey, 43 percent of organizations agreed that DevOps integration is most important to improving AppSec programs, but only 56 percent of respondents answered that they use a highly integrated set of security controls throughout their DevOps process. Integrating security measures into the CI/CD toolchain not only makes it easier for developers to run AppSec tests, but it also helps organizations discover security issues sooner, which speeds up time to deployment. Application security best practices are formally documented. In order to have a successful AppSec program, everyone needs to be on the same page regarding best practices. The CISO should help facilitate the formal documentation of AppSec best practices. Developers and security professionals can reference the list and use it to guide their decisions.
Application security training is included as part of the ongoing development security training program. Developers have been increasingly tasked with implementing security measures, including writing secure code and remediating vulnerabilities. Most developers don't receive secure code training courses in college, so it is up to organizations to offer security training. But according to the survey, more than 20 percent of organizations only provide training when developers join the team. Developers should have multiple, at-leisure training opportunities throughout the year, like virtual or hands-on programs, such as Veracode Security Labs. Chris Wysopal pointed out the importance of human touchpoints as part of ongoing developer training. If someone is checking in on developers to make sure they're completing their training, they'll likely take it more seriously. Consider a security champions program. The security champions are developers who have an interest in learning about security. If you have at least one security champion on every scrum team, that person can help ensure that their peers are up to speed on the latest security training and best practices. Ongoing developer security training includes formal training programs, and a high percentage of developers participate. At-leisure security training is a great way for developers to learn on their own time. But it is also important to implement formal security training with a set completion date and a skills assessment. Without formal security training, developers may not develop the skills they need to write secure code and remediate vulnerabilities. This could lead to slower and more expensive deployments because of rework or vulnerable code being pushed to production. Accordin Tool Vulnerability Guideline Uber
Veracode 2020-10-01 14:10:28 96% of Organizations Use Open Source Libraries but Less Than 50% Manage Their Library Security Flaws (direct link) Most modern codebases are dependent on open source libraries. In fact, a recent research report sponsored by Veracode and conducted by Enterprise Strategy Group (ESG) found that more than 96 percent of organizations use open source libraries in their codebase. But, shockingly, less than half of these organizations have invested in specific security controls to scan for open source vulnerabilities. Percentage of codebase pulled from open source Why is it important to scan open source libraries? For our State of Software Security: Open Source Edition report, we analyzed the security of open source libraries in 85,000 applications and found that 71 percent have a flaw. The most common open source flaws identified include Cross-Site Scripting, insecure deserialization, and broken access control. By not scanning open source libraries, these flaws remain vulnerable to a cyberattack. Equifax made headlines by not scanning its open source libraries. In 2017, Equifax suffered a massive data breach from Apache Struts which compromised the data, including social security numbers, of more than 143 million Americans. Following the breach, Equifax's stock fell over 13 percent. The unfortunate reality is that if Equifax performed AppSec scans on its open source libraries and patched the vulnerability, the breach could have been avoided. Why aren't more organizations scanning open source libraries? If 96 percent of organizations use open source libraries and 71 percent of applications have a third-party vulnerability, why is it that less than 50 percent of organizations scan their open source libraries? The main reason is that when application developers add third-party libraries to their codebase, they expect that library developers have scanned the code for vulnerabilities.
Unfortunately, you can't rely on library developers to keep your application safe. Approximately 42 percent of the third-party code pulled directly by an application developer has a flaw on first scan. And even if the third-party code appears to be free of flaws, more than 47 percent of third-party code has a transitive flaw that's pulled indirectly from another library in use. Transitive and direct open source vulnerabilities What are your options for managing library security flaws? First off, it's important to note that most flaws in open source libraries are easy to fix. Close to 74 percent of the flaws can be fixed with an update like a revision or patch. Even high priority flaws are easy to fix: close to 91 percent can be fixed with an update. patching open source flaws So, when it comes to managing your library security flaws, the concentration should not just be, "How Data Breach Tool Vulnerability Equifax
Veracode 2020-09-14 15:51:05 43% of Orgs Think DevOps Integration Is Critical to AppSec Success (direct link) It's no secret that the rapid speed of modern software development means an increased likelihood of risky flaws and vulnerabilities in your code. Developers are working fast to hit tight deadlines and create innovative applications, but without the right security solutions integrated into your processes, it's easy to hit security roadblocks or let flaws slip through the cracks. We recently dug through the ESG survey report, Modern Application Development Security, which uncovers some interesting data about the state of DevOps integration in the modern software development process. As the report states, DevOps integration is critical for improving your organization's application security (AppSec) program, as automating and integrating solutions removes some of the manual work that can slow teams down and moves security testing into critical parts of the development process. "DevOps integration reduces friction and shifts security further left, helping organizations identify security issues sooner," the report says. "While developer education and improved tools and processes will no doubt also improve programs, automation is central to modern application development practices." Level of DevOps and AppSec Integration According to the survey results, nearly half of organizations agree; 43 percent believe that DevOps integration is the most important piece of the puzzle for improving their AppSec programs. The report also outlines 10 elements of the most successful AppSec programs, and topping that list is ensuring that your AppSec controls are highly integrated into the CI/CD toolchain. Integration challenges For some survey respondents, that's easier said than done.
Nearly a quarter (23 percent) said that one of their top challenges with current AppSec testing solutions is that they have poor integration with existing development and DevOps tools, while 26 percent said they experience difficulty with, or lack of, integration between different AppSec vendor tools. AppSec tool proliferation is a problem too, with a sizeable 72 percent of organizations using more than 10 tools to test the security of their code. "Many organizations are employing so many tools that they are struggling to integrate and manage them. This all too often results in a reduction in the effectiveness of the program and directs an inordinate amount of resources to managing tools," they explain further. So where should organizations like yours start? By selecting a vendor with a comprehensive offering of security solutions that integrate to help you cover those bases and consolidate solutions while reducing complexity. That's where Veracode shines. We bring the security tests and training tools you need together into one suite so that you can consolidate and keep innovating, securely. And your organization can scale at a lower cost, too: our range of integrations and Veracode solutions are delivered through the cloud for less downtime and more efficiency. Simplifying AppSec We aim to simplify your AppSec program by combining five key analysis types in one solution, all integrated into your develo Tool
Last update at: 2024-05-16 17:08:31