Application Security

11/28/2017
12:01 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Developers Can Do More to Up Their Security Game: Report

Developers can play a vital role in accelerating the adoption of AppSec practices, security vendor says.

Data from a new study suggests that there are several measures developers can take to accelerate the adoption of formalized application security practices at their organizations.

This includes developers thinking more like attackers when writing code, being more careful about third-party and open source component use, and being willing to use security experts as consultants rather than adversaries.

Security vendor Veracode recently analyzed data from some 400,000 scans of applications written in Java, .Net, Android, iOS, PHP, and several other languages at large, medium, and small organizations.

The analysis showed that many organizations are making progress integrating security into the software development lifecycle. For instance, more applications are being scanned for security vulnerabilities on a monthly or a more frequent basis than ever before, suggesting increased adoption of DevSecOps practices.  

Compared to last year, 18% more of the applications in Veracode's study were scanned on a monthly basis, while the number of applications being scanned weekly jumped by nearly 50%. Veracode found that organizations are scanning more applications written in Java and .Net in particular. The increased scanning activity is, not surprisingly, leading to better error fix rates at these organizations.

Significantly, Veracode found that applications written in popular Web scripting languages such as JavaScript and PHP are not scanned as frequently and had a higher prevalence of major flaw categories like SQL injection (SQLi), cross-site scripting, cryptographic errors, and credentials. Some 47% of applications written in PHP, for instance, had a SQLi flaw, and 43% had a cross-site scripting flaw, while a relatively lower 31% of .Net applications had SQLi flaws and just 14% had XSS flaws.

Veracode's analysis also showed that organizations are making headway in terms of reducing the number of applications in their portfolio with very high severity flaws. Compared to last year, the ratio of applications with high and very high severity vulnerabilities declined by 26%.

While such data indicates that the long talked about trend toward DevOps and DevSecOps is finally happening, developers still can do more to accelerate AppSec practices, according to Veracode.

"Our scan data offers quantitative proof that those trends are happening," says Pete Chestna, director of developer engagement at Veracode. "Our scanning data indicates that applications are being scanned more frequently on average, and there's been a big growth over the past two years in applications that are scanned monthly or more often, which we think indicates a shift to more frequent code releases in DevOps."

But developers are being let down by a lack of security training in the education system and on the job, he says. "Developers are creating great code and secure code when they have the right training and security tools that work for them," Chestna notes.

For example, Veracode's analysis showed that developers who receive some online security training on the job fix, on average, 19% more flaws than developers who don't receive such training. Similarly, developers who receive remediation coaching from security experts fix an average of 88% more flaws, he says.

"Developers are responsible for remediating flaws. More and more, responsibility for security is shifting left to the developer," Chestna says. While implementing a formalized AppSec practice requires multi-stakeholder support, developers can take the initiative in accelerating the trend.

For instance, developers should begin to think more like an attacker would, Chestna says. "Consider whether your API or error messages are leaking information that an attacker could use to learn more about the application or user. Returning different errors in different situations — for example, "invalid user" vs. "invalid password" on authentication errors — can also help attackers find their way in," he says.

Developers also need to get a lot smarter about component use, Chestna notes. One of the startling findings in the Veracode study was the sheer number of Java applications — 88% — with at least one vulnerable component in them. "Developers frequently aren't tracking, or simply don’t know to begin with, what components are in the open source or third-party code they're using in their applications," Chestna says.

In addition to doing software composition analysis, developers need to make it a best practice to keep an up-to-date inventory of the components in their applications and use the most recent version. "Security teams and vulnerability managers need to update the components as soon as new vulnerabilities are discovered," he notes.

Related content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
White House Cybersecurity Strategy at a Crossroads
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/17/2018
The Fundamental Flaw in Security Awareness Programs
Ira Winkler, CISSP, President, Secure Mentem,  7/19/2018
Number of Retailers Impacted by Breaches Doubles
Ericka Chickowski, Contributing Writer, Dark Reading,  7/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-19990
PUBLISHED: 2018-07-23
October CMS version prior to build 437 contains a Cross Site Scripting (XSS) vulnerability in the Media module and create folder functionality that can result in an Authenticated user with media module permission creating arbitrary folder name with XSS content. This attack appear to be exploitable v...
CVE-2018-19990
PUBLISHED: 2018-07-23
October CMS version prior to Build 437 contains a Local File Inclusion vulnerability in modules/system/traits/ViewMaker.php#244 (makeFileContents function) that can result in Sensitive information disclosure and remote code execution. This attack appear to be exploitable remotely if the /backend pat...
CVE-2018-19990
PUBLISHED: 2018-07-23
FFmpeg before commit cced03dd667a5df6df8fd40d8de0bff477ee02e8 contains multiple out of array access vulnerabilities in the mms protocol that can result in attackers accessing out of bound data. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fix...
CVE-2018-19990
PUBLISHED: 2018-07-23
FFmpeg before commit 2b46ebdbff1d8dec7a3d8ea280a612b91a582869 contains a Buffer Overflow vulnerability in asf_o format demuxer that can result in heap-buffer-overflow that may result in remote code execution. This attack appears to be exploitable via specially crafted ASF file that has to be provide...
CVE-2018-19990
PUBLISHED: 2018-07-23
FFmpeg before commit 9807d3976be0e92e4ece3b4b1701be894cd7c2e1 contains a CWE-835: Infinite loop vulnerability in pva format demuxer that can result in a Vulnerability that allows attackers to consume excessive amount of resources like CPU and RAM. This attack appear to be exploitable via specially c...