Podcast: CA Veracode’s 2018 Development Resolutions with Maria Loughlin

Earlier this year, we looked at what 2018 has in store for open source, and we wanted to continue this trend by diving a little deeper into the resolutions the developer community may have for the New Year. For some, it’s a matter of striving to write smaller batches of code that are more testable and better for their security posture, or getting more of the enterprise to internalize that quality code is everyone’s job. For others, it’s trying to integrate the right rigors at the right point in the development cycle while not undermining the goal of delivering value quickly. Heaven forbid that security conflicts with an aggressive time to market. In this podcast, CA Veracode Vice President of Engineering Maria Loughlin discusses some of the resolutions she and her development team have for the year, and examines development trends including deepening DevOps, microservices, and how successful dev teams will be composed to create great, secure software.

Show Notes:
- The Human Side of DevSecOps: Security Champions
- Get Ready for the Full Spectrum Engineer
- CA Technologies Research Shows DevSecOps Barriers and Benefits
- Veracode Survey Research Shows Shift to DevOps and DevSecOps

Forrester Analyst Amy DeMartine on What to Expect in Open Source in 2018

When it comes to open source and security, one of the most popular words that pops into the heads of security aficionados and professionals is “dread.” Certainly that perception is driven by open source’s reputation – it is seen as fast, easy, low cost and, well, risky. With unknown hands touching the code – and a surprisingly low number of developers maintaining common components – it’s challenging for CSOs and security professionals to have much trust. This is especially true when you take into consideration the number of highly publicized reports of malicious code hiding in open source code. But there are ways for security and open source to be friends. In this podcast, Forrester Principal Analyst Amy DeMartine suggests that teaming up with developers, establishing an executive sponsor and getting more involved with open source projects are just a few of the ways we’ll improve open source and our relationship with it in 2018.

Show Notes:
- Best Practices for the Adoption of Open Source Software
- How Software Composition Analysis Reduces Risk from Open Source Components
- What Developers Need to Know About the State of Software Security Today
- How...

Podcast: Are We at Risk For Data Breach Disclosure Fatigue?

What is the fundamental purpose of data breach disclosures? To help the company breached? To help other companies in a similar position? To help the customers of the breached company? To help law enforcement? At its most extreme, should it ever be about shaming a company that had poor security? Depending on the circumstances, it can be about all of the above. Focus on the customer. That’s a common breach disclosure refrain predicated on the idea that knowing of a breach helps customers make more informed choices. But does it really do that? With so many breaches being announced every few days in the U.S. alone, what more can customers do? Does it, indeed, help them? This forces us to look at the unsuccessful breach. Should those be announced as well? Or would that result in disclosure fatigue, where the announcements no longer promote action? And if a company has been breached, how can it ever know with any certainty what was – and what was not – touched? It’s assumed that security logs in a breach have been tampered with and that misleading clues have been planted. CA Veracode’s...

CA Veracode Named a Leader in The Forrester Wave for Static Application Security Testing

I’m always a fan of ending the year on a high note, so you can imagine how excited I am to share the news that CA Veracode has been named a leader in The Forrester Wave™: Static Application Security Testing, Q4 2017 report by Forrester Research. Forrester ranks its vendors through the detailed evaluation of the 10 most significant vendors in static application security testing (SAST). The report cited that CA Veracode offers “the Greenlight IDE plug-in for early, on-the-fly SAST checking” and that we show “very strong support for binary and byte code scanning as well as wide support of source code language.” Software Development Lifecycle (SDLC) integration was an evaluation criterion in this report, as “SAST vendors are trying to serve new users as security pros demand that their products give developers early remediation advice throughout the SDLC.” With the DevSecOps approach to software security, development teams are taking on more responsibility by bringing security into the earliest phases of development. This is why it is important for developers to be empowered with static testing tools that can test from the earliest phases of development. What’s more,...

Podcast: When it Comes to Data Breach Disclosure, When Does the Clock Start Ticking?

In the last episode of the Cyber Second Podcast, we talked about the confusing patchwork of rules and laws – state, federal, global – dictating data breach disclosure rules. The common thread in nearly all of the existing regulations is that the disclosure clock starts the very moment that a company becomes aware of the breach. But when does someone truly know something, and who needs to know to establish that the company knew it was impacted? Does the clock start when the first log anomaly is detected by a member of the security staff, when the CEO is formally briefed, or when the forensic investigation proves a breach really occurred? Certainly, businesses have a desire to truly understand what – if anything – has occurred before they communicate it to customers. But what about the desire of the customers? How long will it take an attacker to monetize the data and automate phishing attacks, or do something with the information that is bad for the consumer? The business may be impacted, but it seems the true injured party in a breach is not the company, but the person whose data was...

Podcast: Would A National Data Breach Disclosure Law Create Clarity or Confusion?

WannaCry and Petya, among other high-profile breaches, have sparked new conversations at CA Veracode around the potential value of cybersecurity and data breach disclosure legislation. Certainly, data breach disclosure requirements are popping up in just about every state, not to mention global standards, such as GDPR. Although they all insist on timely disclosures, their requirements, rules and definitions are all over the map. Would a national breach disclosure law make life easier for companies desperately trying to comply? Or would it simply add more complexities when, for example, a state law is more stringent than the federal one? This topic is one that we’ve been talking about quite a bit with our CA Technologies colleagues, especially in light of some fairly scary findings in our 2017 State of Software Security Report – including the fact that 88 percent of Java applications had at least one component-based vulnerability. In this month’s Cyber Second Podcast, we connected with CA Technologies Director of Global Government Relations Jamie Brown (@JamiesonBrown) to take a look at the viability of, and issues around, a potential national...

Podcast: How to Fix the Widening AppSec Skills Gap

The AppSec Skills Gap Is Widening Nearly 20% A Year. Here's How We Fix It.

A recent survey from Veracode and DevOps.com found that the majority of IT and development professionals weren’t required to take security courses in college – and they’re not receiving the necessary training from their employers. So, we have to ask: where does the fault lie? Should universities ramp up their security education – or does that responsibility fall on the industry? Perhaps the solution is somewhere in between. Wall Street Journal columnist and author Gary Beach addresses these questions – and how to close the skills gap – in this month’s Cyber Second podcast.