Best Practices for Complying with Emerging Application Security Regulations

In a previous blog post, we discussed how the proliferation of data breaches has caught the attention of regulators, which are increasingly focused on cybersecurity and application security. Case in point: Two recent major regulations – the EU Global Data Protection Regulation (EU GDPR) and NY State Department of Financial Services (NY DFS) Cybersecurity Regulations – are unprecedented in their scope and depth. In my last blog, I examined the trends these two major regulations point to in terms of application security standards. In this post, we consider some best practices organizations should consider adopting in the face of this changing regulatory environment. In the end, it’s better to have a system in place that eases and streamlines compliance with regulations, rather than trying to address each emerging regulation or request in an ad hoc fashion.

Track code flaws, reviews and compliance through a single platform.

Best-practice organizations create a single, central repository for information about software weaknesses, as well as proposed, accepted and rejected mitigations. This approach both streamlines compliance and maximizes the effectiveness of security assessments by consolidating the results of multiple testing methods (for instance, static analysis, dynamic...

What You Need to Know About the Latest Trends in AppSec Regulations

As major data breaches continue to expose customers’ sensitive data and cause major monetary and reputation damage to organizations, regulators are taking notice. Two recent major regulations – the EU Global Data Protection Regulation (EU GDPR) and NY State Department of Financial Services (NY DFS) Cybersecurity Regulations – are unprecedented in their scope and depth. Considering the prominence and influence of these two bodies, these regulations are most certainly setting a bar and should be considered a taste of what’s to come in terms of cybersecurity regulations. In addition, both regulations affect application security, and both point to AppSec regulation trends we can expect to see more of going forward. These trends include:

Creating more prescriptive guidelines

To this point, cybersecurity regulations tended to address the type of initiatives that should be undertaken in a general way. These two regulations are much more prescriptive in their approach, and not only indicate what organizations should do, but how. For instance, the NY DFS regulations don’t just stipulate that organizations assess the security of third-party providers, but require “representations and warranties”: Section 500.11 requires the establishment of a third-party information security policy, which includes “relevant...

Announcing Updates to Veracode Integrations to Microsoft Visual Studio Team Services, Team Foundation Server and Visual Studio

We are pleased to announce updates to the Veracode integrations to Microsoft Visual Studio Team Services (VSTS) and Team Foundation Server (TFS), and to Visual Studio. The VSTS/TFS integration makes static and dynamic security findings available as work items in the VSTS/TFS issue tracker, and automatically updates the related defects when they are fixed or have approved mitigations. The Visual Studio update enables the Veracode Visual Studio Extension to work with Visual Studio 2017, allowing developers to compile their applications for static analysis, start scans, view results, and triage and fix security findings from within their IDE.

Why AppSec Integrations Matter

To keep up with the shift to DevOps and rapid release cycles, application security solutions need to integrate into security and development teams’ existing tools and processes as much as possible. Tacking additional steps onto the development process or forcing teams to interrupt their workflows to switch tools are becoming increasingly unfeasible within today’s development paradigms. In modern development environments, AppSec needs to be available where development and QA teams are already working and integrate with the tools they’re already using.

About the VSTS Extension Update

We’ve updated the Veracode Visual Studio Team Services Extension to provide integration with...