Application Security

11/28/2017
12:01 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Developers Can Do More to Up Their Security Game: Report

Developers can play a vital role in accelerating the adoption of AppSec practices, security vendor says.

Data from a new study suggests that there are several measures developers can take to accelerate the adoption of formalized application security practices at their organizations.

This includes developers thinking more like attackers when writing code, being more careful about third-party and open source component use, and being willing to use security experts as consultants rather than adversaries.

Security vendor Veracode recently analyzed data from some 400,000 scans of applications written in Java, .Net, Android, iOS, PHP, and several other languages at large, medium, and small organizations.

The analysis showed that many organizations are making progress integrating security into the software development lifecycle. For instance, more applications are being scanned for security vulnerabilities on a monthly or a more frequent basis than ever before, suggesting increased adoption of DevSecOps practices.  

Compared to last year, 18% more of the applications in Veracode's study were scanned on a monthly basis, while the number of applications being scanned weekly jumped by nearly 50%. Veracode found that organizations are scanning more applications written in Java and .Net in particular. The increased scanning activity is, not surprisingly, leading to better error fix rates at these organizations.

Significantly, Veracode found that applications written in popular Web scripting languages such as JavaScript and PHP are not scanned as frequently and had a higher prevalence of major flaw categories like SQL injection (SQLi), cross-site scripting, cryptographic errors, and credentials. Some 47% of applications written in PHP, for instance, had a SQLi flaw, and 43% had a cross-site scripting flaw, while a relatively lower 31% of .Net applications had SQLi flaws and just 14% had XSS flaws.

Veracode's analysis also showed that organizations are making headway in terms of reducing the number of applications in their portfolio with very high severity flaws. Compared to last year, the ratio of applications with high and very high severity vulnerabilities declined by 26%.

While such data indicates that the long talked about trend toward DevOps and DevSecOps is finally happening, developers still can do more to accelerate AppSec practices, according to Veracode.

"Our scan data offers quantitative proof that those trends are happening," says Pete Chestna, director of developer engagement at Veracode. "Our scanning data indicates that applications are being scanned more frequently on average, and there's been a big growth over the past two years in applications that are scanned monthly or more often, which we think indicates a shift to more frequent code releases in DevOps."

But developers are being let down by a lack of security training in the education system and on the job, he says. "Developers are creating great code and secure code when they have the right training and security tools that work for them," Chestna notes.

For example, Veracode's analysis showed that developers who receive some online security training on the job fix, on average, 19% more flaws than developers who don't receive such training. Similarly, developers who receive remediation coaching from security experts fix an average of 88% more flaws, he says.

"Developers are responsible for remediating flaws. More and more, responsibility for security is shifting left to the developer," Chestna says. While implementing a formalized AppSec practice requires multi-stakeholder support, developers can take the initiative in accelerating the trend.

For instance, developers should begin to think more like an attacker would, Chestna says. "Consider whether your API or error messages are leaking information that an attacker could use to learn more about the application or user. Returning different errors in different situations — for example, "invalid user" vs. "invalid password" on authentication errors — can also help attackers find their way in," he says.

Developers also need to get a lot smarter about component use, Chestna notes. One of the startling findings in the Veracode study was the sheer number of Java applications — 88% — with at least one vulnerable component in them. "Developers frequently aren't tracking, or simply don’t know to begin with, what components are in the open source or third-party code they're using in their applications," Chestna says.

In addition to doing software composition analysis, developers need to make it a best practice to keep an up-to-date inventory of the components in their applications and use the most recent version. "Security teams and vulnerability managers need to update the components as soon as new vulnerabilities are discovered," he notes.

Related content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
'PowerSnitch' Hacks Androids via Power Banks
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/8/2018
The Case for a Human Security Officer
Ira Winkler, CISSP, President, Secure Mentem,  12/5/2018
Windows 10 Security Questions Prove Easy for Attackers to Exploit
Kelly Sheridan, Staff Editor, Dark Reading,  12/5/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-8651
PUBLISHED: 2018-12-12
A cross site scripting vulnerability exists when Microsoft Dynamics NAV does not properly sanitize a specially crafted web request to an affected Dynamics NAV server, aka "Microsoft Dynamics NAV Cross Site Scripting Vulnerability." This affects Microsoft Dynamics NAV.
CVE-2018-8652
PUBLISHED: 2018-12-12
A Cross-site Scripting (XSS) vulnerability exists when Windows Azure Pack does not properly sanitize user-provided input, aka "Windows Azure Pack Cross Site Scripting Vulnerability." This affects Windows Azure Pack Rollup 13.1.
CVE-2018-8617
PUBLISHED: 2018-12-12
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8583, CVE-2018-8...
CVE-2018-8618
PUBLISHED: 2018-12-12
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8583, CVE-2018-8...
CVE-2018-8619
PUBLISHED: 2018-12-12
A remote code execution vulnerability exists when the Internet Explorer VBScript execution policy does not properly restrict VBScript under specific conditions, aka "Internet Explorer Remote Code Execution Vulnerability." This affects Internet Explorer 9, Internet Explorer 11, Internet Exp...