Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

11/28/2017
12:01 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Developers Can Do More to Up Their Security Game: Report

Developers can play a vital role in accelerating the adoption of AppSec practices, security vendor says.

Data from a new study suggests that there are several measures developers can take to accelerate the adoption of formalized application security practices at their organizations.

This includes developers thinking more like attackers when writing code, being more careful about third-party and open source component use, and being willing to use security experts as consultants rather than adversaries.

Security vendor Veracode recently analyzed data from some 400,000 scans of applications written in Java, .Net, Android, iOS, PHP, and several other languages at large, medium, and small organizations.

The analysis showed that many organizations are making progress integrating security into the software development lifecycle. For instance, more applications are being scanned for security vulnerabilities on a monthly or a more frequent basis than ever before, suggesting increased adoption of DevSecOps practices.  

Compared to last year, 18% more of the applications in Veracode's study were scanned on a monthly basis, while the number of applications being scanned weekly jumped by nearly 50%. Veracode found that organizations are scanning more applications written in Java and .Net in particular. The increased scanning activity is, not surprisingly, leading to better error fix rates at these organizations.

Significantly, Veracode found that applications written in popular Web scripting languages such as JavaScript and PHP are not scanned as frequently and had a higher prevalence of major flaw categories like SQL injection (SQLi), cross-site scripting, cryptographic errors, and credentials. Some 47% of applications written in PHP, for instance, had a SQLi flaw, and 43% had a cross-site scripting flaw, while a relatively lower 31% of .Net applications had SQLi flaws and just 14% had XSS flaws.

Veracode's analysis also showed that organizations are making headway in terms of reducing the number of applications in their portfolio with very high severity flaws. Compared to last year, the ratio of applications with high and very high severity vulnerabilities declined by 26%.

While such data indicates that the long talked about trend toward DevOps and DevSecOps is finally happening, developers still can do more to accelerate AppSec practices, according to Veracode.

"Our scan data offers quantitative proof that those trends are happening," says Pete Chestna, director of developer engagement at Veracode. "Our scanning data indicates that applications are being scanned more frequently on average, and there's been a big growth over the past two years in applications that are scanned monthly or more often, which we think indicates a shift to more frequent code releases in DevOps."

But developers are being let down by a lack of security training in the education system and on the job, he says. "Developers are creating great code and secure code when they have the right training and security tools that work for them," Chestna notes.

For example, Veracode's analysis showed that developers who receive some online security training on the job fix, on average, 19% more flaws than developers who don't receive such training. Similarly, developers who receive remediation coaching from security experts fix an average of 88% more flaws, he says.

"Developers are responsible for remediating flaws. More and more, responsibility for security is shifting left to the developer," Chestna says. While implementing a formalized AppSec practice requires multi-stakeholder support, developers can take the initiative in accelerating the trend.

For instance, developers should begin to think more like an attacker would, Chestna says. "Consider whether your API or error messages are leaking information that an attacker could use to learn more about the application or user. Returning different errors in different situations — for example, "invalid user" vs. "invalid password" on authentication errors — can also help attackers find their way in," he says.

Developers also need to get a lot smarter about component use, Chestna notes. One of the startling findings in the Veracode study was the sheer number of Java applications — 88% — with at least one vulnerable component in them. "Developers frequently aren't tracking, or simply don’t know to begin with, what components are in the open source or third-party code they're using in their applications," Chestna says.

In addition to doing software composition analysis, developers need to make it a best practice to keep an up-to-date inventory of the components in their applications and use the most recent version. "Security teams and vulnerability managers need to update the components as soon as new vulnerabilities are discovered," he notes.

Related content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18214
PUBLISHED: 2019-10-19
The Video_Converter app 0.1.0 for Nextcloud allows denial of service (CPU and memory consumption) via multiple concurrent conversions because many FFmpeg processes may be running at once. (The workload is not queued for serial execution.)
CVE-2019-18202
PUBLISHED: 2019-10-19
Information Disclosure is possible on WAGO Series PFC100 and PFC200 devices before FW12 due to improper access control. A remote attacker can check for the existence of paths and file names via crafted HTTP requests.
CVE-2019-18209
PUBLISHED: 2019-10-19
templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser does not encode the path of the URL, as demonstrated by Internet Explorer.
CVE-2019-18198
PUBLISHED: 2019-10-18
In the Linux kernel before 5.3.4, a reference count usage error in the fib6_rule_suppress() function in the fib6 suppression feature of net/ipv6/fib6_rules.c, when handling the FIB_LOOKUP_NOREF flag, can be exploited by a local attacker to corrupt memory, aka CID-ca7a03c41753.
CVE-2019-18197
PUBLISHED: 2019-10-18
In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclo...