Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

// // //
7/6/2021
01:00 PM
Jeff Williams
Jeff Williams
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv

It's High Time for a Security Scoring System for Applications and Open Source Libraries

A benchmarking system would help buyers choose more secure software products and, more importantly, light a fire underneath software producers to make products secure.

Prompted in part by devastating attacks such as those on SolarWinds Orion, Microsoft Exchange, and Colonial Pipeline, the White House issued an executive order on cybersecurity in May. Application security is a prominent part of the document, with special emphasis on software supply chain security for all applications used by the federal government.

Related Content:

4 Habits of Highly Effective Security Operators

Special Report: Building the SOC of the Future

New From The Edge: rMTD: A Deception Method That Throws Attackers Off Their Game

The administration's emphasis on software supply chains is welcome considering the current threat environment. SolarWinds customers, for example, had no control over the integrity of that company's software and no way of knowing there would be a problem with a particular software update. SolarWinds Orion was simply off-the-shelf software they had purchased. In fact, affected SolarWinds customers were doing the right thing by installing updates quickly.

A Possible Software Security Scoring System
Although the regulations needed to implement the executive order have not yet been issued, one possible way of benchmarking compliance would be a rating system for software security. The Cyberspace Solarium Commission (CSC), which was formed in 2019 to develop a consensus on a strategic approach to defending the United States against cyberattacks, recommended in its 2020 report a voluntary system — similar to the Energy Star ratings on US appliances and Singapore's rating system for Internet of Things (IoT) devices. Others are pushing to make it mandatory.

Some observers have advocated for a scoring system for software for more than a decade. A public software security label with an easy-to-understand, easy-to-calculate overall score and supporting details is the key. Some consumers will use the label to choose more secure software products, but more importantly, such a labeling scheme will motivate software companies to improve their public scores by investing in robust application security for their products.

What Should a Scoring System Look Like?
While a software scoring system could take different forms, one requisite aspect is the need to take the entire software supply chain into account. Software providers need to know the security ratings of their applications' component parts — the open source libraries that are so ubiquitous in software these days. This is because upwards of 90% of applications contain code from third-party libraries. Once a piece of off-the-shelf software is taken to market, the users of that software need a single, overall security score that accounts for the component parts.

It is infeasible to come up with a perfect instrument to measure every aspect of security for every type of software possible. But it is possible to create a framework that (1) empowers software buyers to make more informed decisions, and (2) encourages producers to build better software with more security visibility.

Below is a conceptual model to help imagine how such a scoring system might work. Software is simply evaluated against six key security areas and assigned a grade. As you can see, things are haphazard or nonexistent at the bottom, while those at the top are continuous, automated, standardized, and comprehensive.

(Source: Contrast Security)
(Source: Contrast Security)

Based on an application's score in each of these categories, an overall letter grade could be assigned that would be visible on product webpages, marketing materials, and physical packaging. Based on this easy-to-understand letter grade, organizations and consumers choosing between two different software solutions could take security into account when they make their decision.

Every software user should be able to see letter grades (A, B, C, D, F) for their applications and open source libraries in real time, along with notifications when those scores change. The same system should provide actionable information to developers on the best way to improve an application's overall score. This would provide a unified platform of tools that ensures security across the entire software development life cycle — during build, test, and run.

Software Scoring: Enabling Informed Decision-Making
A software scoring system would improve national security by enabling organizations, such as the federal agencies recently victimized by the SolarWinds attack, to make informed decisions. It will also light a fire underneath software producers to take the needed steps to make their products secure.

 

Jeff brings more than 20 years of security leadership experience as Co-Founder and Chief Technology Officer of Contrast. Previously, Jeff was Co-Founder and Chief Executive Officer of Aspect Security, a successful and innovative application security consulting company ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Promise and Reality of Cloud Security
Cloud security has been part of the cybersecurity conversation for years but has been on the sidelines for most enterprises. The shift to remote work during the COVID-19 pandemic and digital transformation projects have moved cloud infrastructure front-and-center as enterprises address the associated security risks. This report - a compilation of cutting-edge Black Hat research, in-depth Omdia analysis, and comprehensive Dark Reading reporting - explores how cloud security is rapidly evolving.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-10072
PUBLISHED: 2023-02-04
A vulnerability classified as problematic was found in NREL api-umbrella-web 0.7.1. This vulnerability affects unknown code of the component Flash Message Handler. The manipulation leads to cross site scripting. The attack can be initiated remotely. Upgrading to version 0.8.0 is able to address this...
CVE-2018-25079
PUBLISHED: 2023-02-04
A vulnerability was found in Segmentio is-url up to 1.2.2. It has been rated as problematic. Affected by this issue is some unknown functionality of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. Upgrading to version 1.2.3...
CVE-2023-0671
PUBLISHED: 2023-02-04
Code Injection in GitHub repository froxlor/froxlor prior to 2.0.10.
CVE-2023-24806
PUBLISHED: 2023-02-04
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This CVE has been rejected as it was incorrectly assigned. All references and descriptions in this candidate have been removed to prevent accidental usage.
CVE-2013-10017
PUBLISHED: 2023-02-04
A vulnerability was found in fanzila WebFinance 0.5. It has been classified as critical. Affected is an unknown function of the file htdocs/admin/save_roles.php. The manipulation of the argument id leads to sql injection. The name of the patch is 6cfeb2f6b35c1b3a7320add07cd0493e4f752af3. It is recom...