5 Essential Steps to Shift Security Left [VIDEO]

Speed rules in software development today. The DevOps model means getting newer, better, faster software into the hands of customers as quickly as possible is the name of the game. But where does that leave security? If it’s not done right, it gets overlooked or worked around. Done right, it’s embedded into the software development process from day one, unobtrusively checking for and removing vulnerabilities before they emerge. The days of a security “gate” at the end of the development process, delaying releases and causing rework, are over; security either shifts left, and in a smart way, or it’s sidelined.

This short series of videos, featuring CA Veracode co-founder and CTO Chris Wysopal and CA Veracode director of product management Tim Jarrett, gives you five steps to start moving security earlier in your development process. With practical advice and tips on working with developers, embedding security into development processes and creating secure code from the start, Chris and Tim walk you through:

Step 1: Automate security from day 1. Take human intervention out of the process as much as possible.
Step 2: Integrate as you code. Enable developers to test for security on their own early and often.
Step 3: Avoid...

Security: Here’s What You Need to Know About Development

The days of security and development working in separate and isolated silos are over. Security is now a task shared by the development and security teams throughout the software lifecycle – from inception to production. Security testing has become primarily the responsibility of developers, with security taking on more of an enabling role – crafting and communicating policies, assisting with remediation and mitigation guidance, and implementing developer training. This is a big change for most security teams, and requires a shift in mindset not only about roles and responsibilities, but also about the level of understanding and knowledge required. It’s no longer feasible for security professionals to have a superficial understanding of how developers work; they need a deeper understanding of development processes, tools and priorities.

Where to start? Increase your developer knowledge by getting a handle on the following:

Development priorities and challenges. Do you know what your developers are goaled on? Do you understand their processes and what slows them down? It’s no longer practical to make extensive security demands of development teams without any awareness of their workload and priorities. Security and development need to work together, which means understanding each other’s pain. Since developers can’t fix every flaw...

Podcast: 2017 AppSec Lessons Learned

“The more things change the more they stay the same” could be the application security motto for 2017. Last year featured breaches stemming from the same vulnerabilities that have been wreaking havoc for years. In fact, we saw SQL injection in about 30 percent of the apps we scanned in 2017 – a number that hasn’t budged much since 2011. 2017 also shone a harsh spotlight on the risk of open source component use, with several high-profile breaches originating with this type of code. But 2017 also brought some reasons to be optimistic about the future of application security. We’ve seen awareness increasing, best practices emerging and many organizations moving the needle in reducing their application layer risk. CA Veracode’s Director of Content and Corporate Communications Jessica Lavery recently sat down with Evan Schuman to take a look back at AppSec in 2017 and discuss where it’s headed in 2018.

What Security Pros Will Get Out of our Upcoming DevSecOps Virtual Summit

The shift to DevOps and DevSecOps is happening. Organizations in all industries are creating software not just faster, but also in a more precise, collaborative and incremental way. In fact, we’ve seen the shift in our own customer base, where the percentage of applications scanned for security on a weekly basis jumped 50 percent last year. And this shift casts a wide net, affecting everything from policies to training and tools. In turn, DevSecOps has a major effect on the security professional’s role, perhaps more than on any other role in the software development process. With security’s shift left, and into the realm of the developer, the security team is no longer responsible for conducting security testing, but for enabling developers.

Get a handle on this shift and what it means for you by attending our Virtual Summit, Assembling the Pieces of the DevSecOps Puzzle, this February. You’ll get practical tips and advice on the security team’s role in a DevSecOps world, including:

Policies: As your role shifts from conducting testing to governance over testing, you need to get security policies right. Solid and effective policies are key to application security success, and these...

Did You Read Our 5 Most Popular 2017 Blog Posts?

2017 was quite a year for application security. From big breaches to breakthroughs, 2017 featured a lot of scary headlines reflecting the sorry state of application security, but also news about companies moving the needle on AppSec, and regulators waking up to the reality of how data is exposed. Not surprisingly, our most popular 2017 blog posts mirror the trends and headlines – and reveal that organizations are both concerned about and paying attention to breaches, and searching for ways to become more secure.

Our Most Popular Blog Posts in 2017:

2017 featured some very big, headline-grabbing breaches. WannaCry and Struts-Shock were two of the biggest:
1. WannaCry Ransomware Attack Is a Symptom of a Much Bigger Problem
2. Don’t Get Zapped by the Struts-Shock Vulnerability Affecting Apache Struts 2

Cybersecurity regulations were a big topic in 2017, especially EU GDPR and NY DFS:
3. FAQs About the New York DFS Cybersecurity Regulation

The “shift left” message is finally getting traction. As organizations realize that the key to secure code is starting with developers, our Greenlight product got a lot of attention this year:
4. Never Leave Your IDE Again: Secure Coding Feedback in Seconds

Finally, this highly practical series of...

How CA Veracode Products Secure the Production Stage

This is the third entry in a series of blogs on how CA Veracode products fit into each stage of the software lifecycle – from coding to testing to production. We want to emphasize lifecycle here, because we continue to hear the misconception that application security falls squarely and solely into the testing stage. In our 10+ years helping organizations secure their applications, we’ve learned that effective application security secures software throughout its entire lifecycle – from inception to production or, put another way, from prevent to respond. In fact, rather than talking about securing the software development lifecycle, we should focus on securing the software lifecycle. This blog series (and accompanying interactive infographic) will take that notion one step further and detail exactly how our products fit into each stage. We hope this series gives you a better sense of both the security requirements throughout the lifecycle and how CA Veracode can help at each step.

The Production Stage

The move to Agile and DevSecOps development processes has fostered a lot of attention on the need to shift security testing left in the development cycle. And this is absolutely a pivot in the right direction. Moving security testing into the...

Podcast: 2017 OWASP Top 10 – What’s New

For the first time in four years, we have a new OWASP Top 10 list of the most critical application security risks. Cross-site request forgery (CSRF) and unvalidated redirects and forwards have been bumped off the list. XML external entities, insecure deserialization and insufficient logging and monitoring have been added. What’s the significance of both the additions and the subtractions? CA Veracode’s VP of Research Chris Eng recently sat down with Evan Schuman to discuss the new list and its implications. Their conversation covers:

- Why the top entries in the list continue to be the same year after year
- Why CSRF was removed from the list
- How this list is currently used, and best practices for using it
- OWASP’s methodology change after its controversial release candidate last spring
- What AppSec practitioners should focus on beyond this Top 10 list

Make sure you understand this important update and its implications; listen to this 10-minute conversation today.

Overcoming the Language Barrier Key to DevSecOps Success

As DevOps moves to DevSecOps, there is a significant “people” component involved in the shift. Development and security teams both need to overcome their “language barriers” and understand each other’s processes and priorities. The effort is worth it because we know that (1) the consequences of neglecting software security are getting more damaging and (2) embedding security early and often into dev processes gets results. In fact, our 2017 analysis of the applications we scanned this year revealed that DevOps organizations that tested frequently with sandbox scanning (developer-initiated scans early in the dev process) had a 48 percent better fix rate than those doing policy-only scanning (security-initiated scans late in the dev process). In addition, in a May 2017 report, Best Practices: Strategies for Making the Crucial Shift to DevSecOps, Forrester Research notes that “Recent research on high-performing DevOps teams shows they're spending 50% less time in remediating security issues because security teams are continually working within their DevOps teams to build security into their daily work.” But getting these two teams to understand each other’s “language” is no easy feat. In the same report, Forrester Research explains, “Security has its own array...

How Are We Securing the Booming Digital Economy? Our Latest Survey Results

The holiday season is upon us; are you buying all your gifts at the mall? Probably not. Many, if not most, of you are going to research, purchase and pay for all your holiday gifts online this year. Digitization is everywhere – changing every interaction and transaction. But it seems like breaches are everywhere as well – affecting all industries in all geographies. Are business leaders simply unable to keep up with the pace of the digital transformation, or are they unaware of the security implications of their digital initiatives? CA Veracode set out to answer these questions in our Securing the Digital Economy survey report. We surveyed more than 1,000 business leaders across the UK, US and Germany about their companies’ digital transformation initiatives and understanding of cybersecurity in an attempt to get to the bottom of the seeming disconnect between digital innovation and digital risk. Here’s what we found:

Software really is eating the world. Marc Andreessen was right back in 2011; software is taking over. Nearly a third (29 percent) of our survey respondents indicated that they are actively pursuing digital transformation projects. A further 29 percent stated that they are either planning...

Hardcoded Credentials: Why So Hard to Prevent?

About a year ago, attackers managed to tap into thousands of IoT devices to create a botnet infected with Mirai malware and wreak havoc on some major websites. This Mirai botnet, made up of 100,000 IoT devices from DVRs to security cameras, unleashed a massive DDoS attack on DNS provider Dyn, which brought down dozens of websites, including Twitter, Spotify, Netflix and The New York Times. The word “sophisticated” has been used a lot to describe the Mirai botnet, but the reality is that it was decidedly unsophisticated, and not hard to prevent. The attackers simply took advantage of hardcoded default passwords in IoT devices. Far from a complicated endeavor, finding these passwords is trivial once the firmware of these devices is analyzed.

And just a couple of months ago, we saw another major vulnerability announcement related to hardcoded credentials. Five security flaws were found in Arris routers, which are used by AT&T customers and other Internet providers. Joseph Hutchins, who first noted the defects, referred to some of them as “the result of pure carelessness.” The most serious of the five flaws involves hardcoded credentials that afford anyone access to the cshell service on...