CA Technologies Research Shows Barriers and Benefits of DevSecOps

CA Technologies has released a new report, based on research conducted by industry analyst firm Freeform Dynamics, that sheds light on some of the obstacles for organizations seeking the advantages of a development approach that prioritizes application security without sacrificing time-to-market and innovation. The report also offers evidence that integrating security throughout the development process, a methodology known as DevSecOps, creates a competitive advantage for top-performing organizations. The vast majority of IT and business executives surveyed for the report identify application security as a top concern. According to the report, 74 percent of respondents say security threats due to software vulnerabilities are a growing problem. Moreover, nearly all of the IT and business leaders surveyed (91 percent) say integrating security throughout the software development process is a priority for driving business success. While 76 percent of survey respondents identify the importance of security testing early in the development process, just 1 in 5 surveyed believe their application security testing is keeping up with the demands of frequent releases.

Cultural and Process Obstacles to DevSecOps

DevSecOps is gaining ground in...

The Biggest Cybersecurity Stories, Breaches and AppSec Lessons of 2017

The past year featured daily news about cyberattacks, data breaches, and software vulnerabilities. If it feels like our cybersecurity challenges grow bigger and more complex, year after year, it's more than just a perception. Research from security companies, including CA Veracode, shows that there are more attacks than ever, and organizations have not caught up with the preventive measures needed to meet the challenge. Web application attacks are the leading cause of confirmed breaches, according to Verizon. Meanwhile, Akamai found in its research for the State of the Internet Security Report that attacks on web applications increased by 69 percent from Q3 2016 to Q3 2017. The number one web application attack vector continues to be SQL injection, and SQL injection attacks increased by 62 percent year over year. What's even more troublesome is that SQL injection, the number one application risk in the

AppSec in Review Podcast: How Developers Respond to Security Findings

We recently published the State of Software Security Developer Guide, based on real application security testing data. Among the key takeaways, the data in the report offers strong evidence that eLearning, security training, and DevSecOps practices have a positive effect on developers' effectiveness at fixing flaws in their code. In this episode of the AppSec in Review podcast, Evan Schuman and CA Veracode's Pete Chestna discuss the report's key points, including what developer mitigations say about how developers respond to security findings. Listen to the 10-minute podcast to hear Pete's take on what the research shows about developers' security skills, their responsiveness to security assessments, and secure development best practices. Download the State of Software Security Developer Guide for a comprehensive view of the research and what it means for developers.

5 Ways to Get Developers and Your AppSec Program Ready for DevSecOps in 2018

The importance of application security has increased dramatically over the past couple of years in response to rising threats. Meanwhile, software development is changing fast, with continuous delivery and DevOps adoption continuing to grow. It seems inevitable that we'll be talking more and more in the coming year about securing DevOps and DevSecOps. As we enter 2018, it’s a good time to talk about what security professionals and developers need to do to prepare for the biggest and most disruptive changes you’ll be seeing next year and for years to come. Here are five ways you can get your developers and AppSec teams ready for DevSecOps.

1. Re-evaluate your policies

Now more than ever, it is important to re-evaluate and build new policies that work with, and not against, the developer goal of getting good code out quickly. As the definition of quality code becomes synonymous with secure code, consider ways to align your policies with the adoption of DevSecOps: Start with a simple policy: no high or...

What Developers Need to Know About the State of Software Security Today

We recently published our annual research report, the State of Software Security, analyzing data from 400,000 application scans over 12 months spanning 2016 and 2017. Now we’re issuing a State of Software Security Developer Guide, featuring additional data and analysis aimed at helping developers meet the goal of creating great software that’s also secure software. This report offers the developer and security communities more information about what development practices make the biggest impact on application security, and what organizations should do to better support developers. Here are the major takeaways from the report, along with CA Veracode’s recommendations for making security a seamless part of your development and DevSecOps processes.

1. Developers aren’t trained in secure coding.

Traditionally, the focus for developers is creating functional, rather than secure, code. CA Veracode research shows that the pass rate of applications against standards like the OWASP Top 10 hasn’t budged in recent years, with applications failing...

OWASP Top 10 Updated for 2017: Here’s What You Need to Know

For the first time since 2013, the Open Web Application Security Project (OWASP) has updated its top 10 list of the most critical application security risks. According to OWASP, the 2017 OWASP Top 10 is a major update, with three new entries making the list, based on feedback from the AppSec community. The OWASP Top 10 is an influential and widely used AppSec standard – lots of organizations rely on it for direction in their AppSec programs. CA Veracode supports the OWASP Top 10 throughout the Veracode product suite. The Veracode platform allows users to customize their security policy in alignment with this and other industry standards. Veracode’s flaw and vulnerability checks are regularly updated to match industry requirements. Veracode’s developer education courses include OWASP Top 10 materials as well as deep dives into categories disallowed under the industry standard. Veracode contributed a significant percentage of the data used to determine this latest Top 10 and works closely with industry organizations including both OWASP and MITRE to promote software security awareness and enhance understanding...

How to Connect With AppSec and Developer Peers in the Veracode Community

Security professionals and developers have different roles, responsibilities, and skills, but a common goal in securing applications. Yet there aren't many places to connect with peers, who are among your best resources for solving AppSec and DevSecOps challenges. That's why we created the Veracode Community. The Veracode Community is a destination for developers and AppSec professionals to share your knowledge and experience. It's a great source of information about application security best practices, DevOps, and DevSecOps, from the people who are doing it every day. And it's a forum to ask questions and get answers about Veracode products and integrations with DevOps tools. Below are five ways the Veracode Community connects you with peers and helps you with your biggest challenges.

1. Participate in discussions when you join and start groups.

The Veracode Community has discussion groups where you can ask questions on hot topics, and read responses from people with experience and know-how. There are groups about topics such as integrations, open source projects, Veracode Greenlight, and secure coding education. If you...

What’s New in the State of Software Security 2017 Report

In the past year, we’ve seen an unprecedented series of cyber assaults on democratic elections, ransomware attacks that spread around the world affecting hundreds of thousands of systems in more than 150 countries, and record-breaking data breaches. If we’re going to address this growing crisis effectively, we need a probing inspection of root causes, and fearless prescriptions for new ways forward. The data available within the Veracode Application Security Platform, collected from hundreds of thousands of application scans by our base of 1,600 customers, provides the clearest view into the vulnerabilities and risks in software. Therefore, the State of Software Security report, which draws from the broad and deep pool of our cloud-based platform data, is an essential tool in building an adequate response to the growing threats. This year’s State of Software Security, the eighth edition of this research report, is our biggest and most comprehensive yet. In addition to examining the data collected from scans over a 12 month...

How Third-Party and Open Source Components Build Hidden Risk Into Software

Whenever a major data breach is announced in the news, I think about how there must be other breaches happening that we don’t even know about. That’s because, although cyberattackers frequently target known vulnerabilities in software, the victims are unlikely to know they were vulnerable until it is too late. As today’s software is increasingly assembled from bits and pieces of open source and third-party code, vulnerabilities lurking in these components have become an enormous blind spot and pose a growing threat to all kinds of software and systems — from e-commerce sites to embedded systems in critical infrastructure. Earlier this year we saw a perfect case study of the hidden risk of components: a critical vulnerability in Apache Struts 2, a Java library that’s widely used in enterprise web applications. Veracode warned about the potential risk of this highly exploitable vulnerability when it was first reported in March 2017. But we also recognized that many organizations would have trouble patching their vulnerable applications, because it can be very difficult to know exactly which applications are using the vulnerable component. Components are an essential...

Veracode Survey Research Identifies Cybersecurity Skills Gap Causes and Cures

The shortage of cybersecurity professionals is on pace to reach 1.5 million empty positions globally by 2020, according to Frost & Sullivan. Yet, as the digital economy relies on rapid innovation in software, the growing demand for developers with security skills is also dangerously outpacing supply. Now, a survey of development and IT professionals, conducted by Veracode and DevOps.com, has found that a lack of formal security education, and a shortage of investment in training by employers, are contributing to the growing skills gap. The problem begins at the university level, where just 24 percent of survey respondents were required to complete cybersecurity courses as part of their education. And the lack of formal employer training in security and DevOps skills means IT and development professionals are on their own, forced to learn “on the job,” according to the DevSecOps Global Skills Survey. Although many businesses are now required to take steps to protect data and applications, enforced by strict new regulations such as the