CA Veracode Dynamic Analysis Helps You Check Your Security Headers

CA Veracode Dynamic Analysis helps you follow Google I/O 2018 security recommendations

I’ve been bingeing on the Google I/O 2018 videos. I guess every web geek does! One video caught my attention: the Google Chrome security team’s improvements to fight off the Spectre and Meltdown “celebrity” vulnerabilities. They’re using software at the browser level to mitigate a hardware vulnerability. How cool is that?

Just like Google, CA Veracode has been beating the drum on the importance of security headers for years, in posts from 2012, 2013 and 2014. Google’s talk calls out the Site Isolation feature, cross-origin read blocking (CORB), cookie restrictions, changes to high-resolution timers, and hardening in the V8 JavaScript engine.

However, Chrome security cannot make the web safer on its own. It needs web developers to help defend against the Spectre vulnerability and the vulnerabilities that will follow it. To that end, Chrome security recommends a set of website configuration best practices. This is where CA Veracode Dynamic Analysis comes in!

Best part: no new workflows. Just run your Dynamic Analysis scans as usual to verify that your web developers are following the website configuration best practices. Checking these security headers is just one of the many vulnerability checks we have to help you safeguard modern web applications.

CA Veracode Dynamic Analysis checks that the following security headers are set correctly and reports each problem under the CWE shown. Some of these were called out by Google Chrome in its Google I/O 2018 talk.

Header                                                    CWE        CWE name
X-Content-Type-Options                                    16         Configuration
X-Frame-Options                                           16, 693    Configuration; Protection Mechanism Failure
Strict-Transport-Security                                 16         Configuration
Access-Control-Allow-* (CORS)                             668        Exposure of Resource to Wrong Sphere
Content Security Policy directives and the SameSite cookie attribute   352   Cross-Site Request Forgery (CSRF)
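To make the checks above and the Chrome recommendations concrete, here is an added example of a small offline header auditor. It is not Veracode code and does not reproduce the product’s rules; it encodes the common hardening guidance for each header and tags findings with the CWE from the table. The two sample responses, the hostnames and the one-year HSTS threshold are constructed for the example.

```python
"""Offline auditor for the security-header checks listed in the table.

Added example (not Veracode code). Rules follow common hardening guidance;
the sample responses and the one-year HSTS threshold are constructed.
"""
import re

# Minimum HSTS max-age most scanners accept: one year, in seconds (assumption).
HSTS_MIN_AGE = 31536000

# CSP source expressions that make script-src effectively open.
WEAK_SCRIPT_SOURCES = ("*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:", "https:")


def _get(headers, name):
    """Return every value of header `name`, matched case-insensitively."""
    return [v.strip() for k, v in headers if k.lower() == name.lower()]


def audit(headers):
    """Audit a list of (name, value) response headers.

    Returns a list of finding strings; an empty list means every check passed.
    A list is used instead of a dict so repeated headers such as several
    Set-Cookie lines are each examined.
    """
    findings = []

    # X-Content-Type-Options must be exactly 'nosniff' (CWE-16).
    xcto = _get(headers, "X-Content-Type-Options")
    if not xcto or xcto[0].lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff' (CWE-16)")

    # X-Frame-Options must be DENY or SAMEORIGIN; ALLOW-FROM is ignored by
    # current browsers, so it is treated as no protection (CWE-16, CWE-693).
    xfo = _get(headers, "X-Frame-Options")
    if not xfo or xfo[0].upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN (CWE-16, CWE-693)")

    # Strict-Transport-Security needs a max-age of at least a year (CWE-16).
    hsts = _get(headers, "Strict-Transport-Security")
    m = re.search(r"max-age\s*=\s*(\d+)", hsts[0], re.I) if hsts else None
    if m is None or int(m.group(1)) < HSTS_MIN_AGE:
        findings.append("Strict-Transport-Security missing or max-age below one year (CWE-16)")

    # CORS: a wildcard origin exposes the response to every site; combined
    # with credentials it is the worst case (CWE-668).
    acao = _get(headers, "Access-Control-Allow-Origin")
    acac = _get(headers, "Access-Control-Allow-Credentials")
    if acao and acao[0] == "*":
        if acac and acac[0].lower() == "true":
            findings.append("Access-Control-Allow-Origin '*' combined with credentials (CWE-668)")
        else:
            findings.append("Access-Control-Allow-Origin '*' exposes the response to any origin (CWE-668)")

    # Content-Security-Policy: require the header and a script-src (or
    # default-src fallback) that does not admit wildcard or inline sources.
    csp = _get(headers, "Content-Security-Policy")
    if not csp:
        findings.append("Content-Security-Policy missing")
    else:
        directives = {}
        for directive in csp[0].split(";"):
            parts = directive.split()
            if parts:
                directives[parts[0].lower()] = parts[1:]
        script_src = directives.get("script-src", directives.get("default-src"))
        if script_src is None:
            findings.append("Content-Security-Policy lacks both script-src and default-src")
        elif any(src.lower() in WEAK_SCRIPT_SOURCES for src in script_src):
            findings.append("Content-Security-Policy script-src allows wildcard or unsafe-inline sources")

    # Every Set-Cookie needs SameSite=Lax/Strict and Secure so that cross-site
    # requests do not carry the session (CWE-352).
    for cookie in _get(headers, "Set-Cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        samesite = [a.split("=", 1)[1].strip() for a in attrs if a.startswith("samesite=")]
        if not samesite or samesite[0] not in ("lax", "strict"):
            findings.append(f"Set-Cookie {name}: SameSite missing or 'None' (CWE-352)")
        if "secure" not in attrs:
            findings.append(f"Set-Cookie {name}: missing Secure attribute (CWE-352)")

    return findings


# Constructed sample responses: a weak configuration and its hardened form.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("X-Frame-Options", "ALLOW-FROM https://partner.example"),
    ("Strict-Transport-Security", "max-age=300"),
    ("Access-Control-Allow-Origin", "*"),
    ("Access-Control-Allow-Credentials", "true"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline'"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
]

HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("Access-Control-Allow-Origin", "https://app.example"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self'; frame-ancestors 'none'"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
]

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        result = audit(response)
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Run against the weak response the auditor reports seven findings (one per misconfigured header, two for the cookie); the hardened response produces none. A real scanner does the same work against live responses, including the preflight responses that carry the CORS headers, which is why running it on a cadence in production matters as much as before release.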

For more information on setting them up correctly and common misconfigurations, check out our blog post here.

How often do you hear the phrases “Zero Trust” or “Trust but Verify” bandied about? They apply to application security too. We should enable our developers to do the right thing, but we also have to verify, either before production releases or on a regular cadence in production. At CA Veracode, we favor using our Dynamic Analysis for exactly that purpose.

P.S. The Google I/O 2018 talk is available in full on YouTube.

This is a Security Bloggers Network syndicated post from the Veracode Blog, authored by schavali.