In 2015, the United States Office of Personnel Management (OPM) announced that it had been the target of two massive data breaches. The breaches are thought to have begun with attackers obtaining valid user credentials for the targeted systems through social engineering, and with a malware package that installed itself within OPM’s network and established a backdoor. The attackers then escalated privileges to gain access to a number of OPM systems. The first attack resulted in the theft of approximately 21.5 million records of people who had undergone background checks, who may not have been current or former government employees. In the second breach, the personnel data of 4.2 million people was stolen. Think: full name, birth date, home address and Social Security Number.
While there are no silver bullets for solving today’s cybersecurity problems, it’s clear government organizations have a long history of vulnerabilities and breaches. In fact, government organizations continue to underperform those in other industry sectors when it comes to the security of their software, according to our State of Software Security 2015 report. We continue to see the same trend year-over-year with only slight improvements. In the State of Software Security 2017 report, applications developed by government agencies remain the least secure of all industry groupings, measured by pass rate against OWASP Top 10 policy. Government applications also had the highest flaw prevalence of any industry group for cross-site scripting (49 percent), SQL injection (32 percent), and cryptographic issues (48.3 percent). To dive deeper into the findings, please download the State of Software Security 2017: Government Sector infosheet.
There are several reasons that government software continues to be insecure, including the fact that agencies are still developing applications in older programming languages known to produce more vulnerabilities, and they are not always fixing the flaws they find. It’s also likely that the relative inability to be agile and to try new things, a result of strict acquisition regulatory practices, prevents government engineers from implementing a DevSecOps approach to development. Compliance requirements do not always reflect modern best practices either, and may prevent procurement personnel from using feedback loops and nimble, iterative processes.
Through our conversations, we understand that the government sector is trying to improve its processes and learn from the private sector. The Modernizing Government Technology Act, which was signed into law last year, has made a point of prioritizing both security and agile management practices as government looks to refresh its IT infrastructure. We also appreciate that there are many layers to the changes that need to be made, ranging from creating a culture of security to giving those in procurement access to technical expertise when selecting vendors. If you work in the government sector and you’re not sure where to start with appsec, our Policy Maker’s Guide to Application Security can help get you up to speed on the basics, and provides guidance for policy makers interested in securing the world’s software.
Highwire Cybersecurity Panel: State of the Current Threat Landscape (RSA 2018) - YouTube
During this year's RSA Conference, Highwire PR and WSJ Pro Cybersecurity hosted several panel discussions, including this one with CA Veracode CTO Chris Wysopal. Chris joined Andrea Limbago, chief social scientist at Endgame, and Michael Daniel, president and CEO of Cyber Threat Alliance, to talk about the current and evolving threat landscape. Throughout the panel, you'll learn more about how automation is changing the game when it comes to security, why your application security and detection game has to be on point, why the future of development will be secure by design, and more.
Policies are a critical part of your application security program; you need them to frame your program, set goals, measure success, and report on progress. But they can also stall your program if they work against, and not with, developer processes and priorities. With the shift to DevOps, and developers working in a faster and more incremental way, it might be a good time to ensure your policy isn’t holding them back. Is your application security policy DevOps-ready? Pejman Pourmousa, VP of Program Management at CA Veracode, recently recorded a quick “chalkboard” video where he outlines our top 5 tips on application security policies. Listen to Pejman as he walks you through:
Tip No. 1: Work with current development processes, not against. With the rapid change in the ways software is developed and released, most of the security policies that were deployed a few years back are no longer acceptable by the development community. Many application security policies were built when we did not have fast, automated security tools that could be plugged into the SDLC. Now more than ever, with teams moving to DevOps and CI/CD, it is important to revisit and build new policies that work with, and not against, the developer goal of “getting good code out quickly.”
Tip No. 2: Don’t set the bar too high. If your development team is new to security, enacting a stringent policy right out of the gate will create pushback and frustration.
Tip No. 3: Not all apps are created equal … Treating all apps equally will leave your developers spinning their wheels to address vulnerabilities that would never lead to exposure of sensitive information. A one-page temporary marketing site doesn’t require the same attention as an application that contains valuable IP. Tweak policies based on the criticality of applications.
Tip No. 4 … nor are all vulnerabilities. Similarly, adjust your policies to ensure your team isn’t wasting time on flaws that are not actually vulnerabilities. Consider whether a flaw is truly an exploitable vulnerability or whether it has compensating controls.
Tip No. 5: Don’t neglect open source components. In today’s development environment, if your policy is only addressing your internally developed code, it’s missing a significant portion of your threat surface. Ensure your policy covers your code, plus any components your developers are adding to your environment. One option is to build developers a library of safe components.
Watch Pejman’s short video to get all the details on these five tips, and set yourself up for AppSec success.
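To show how tips 3, 4 and 5 fit together when a policy is written down as something a build can evaluate, here is an added, constructed illustration (not CA Veracode’s policy format or code): the tier is chosen by application criticality, flaws with an accepted compensating control are not counted, and findings in third-party components are judged by the same rule as first-party code. The tier names, severity floors and grace periods are invented for the example.

```python
from dataclasses import dataclass

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Very High": 4}


@dataclass(frozen=True)
class Finding:
    flaw_id: str
    severity: str
    source: str              # "first-party" or "third-party" (an open source component)
    age_days: int            # days since the scanner first reported the flaw
    mitigated: bool = False  # a reviewer accepted a compensating control (Tip 4)


@dataclass(frozen=True)
class Policy:
    name: str
    fail_at: str      # lowest severity that can fail the application
    grace_days: int   # how long such a flaw may stay open before it fails the app


# Tip 3: strictness follows application criticality. Hypothetical tiers and values.
POLICIES = {
    "high": Policy("high-criticality", fail_at="Medium", grace_days=0),
    "standard": Policy("standard", fail_at="Very High", grace_days=30),
    "low": Policy("low-criticality", fail_at="Very High", grace_days=90),
}


def blocking_findings(findings, policy):
    """Return the findings that fail the given policy."""
    floor = SEVERITY_RANK[policy.fail_at]
    blocking = []
    for f in findings:
        if f.mitigated:                       # Tip 4: not an exploitable vulnerability here
            continue
        if SEVERITY_RANK[f.severity] < floor:
            continue
        if f.age_days <= policy.grace_days:   # still inside its remediation window
            continue
        # Tip 5: f.source is kept for reporting only; a third-party flaw is not exempt.
        blocking.append(f)
    return blocking


def evaluate(findings, criticality):
    """Evaluate one application's findings against the tier for its criticality."""
    policy = POLICIES[criticality]
    blocking = blocking_findings(findings, policy)
    return {
        "policy": policy.name,
        "passed": not blocking,
        "blocking": sorted(f.flaw_id for f in blocking),
    }


# Constructed sample scan results for one application; not real findings.
SAMPLE = [
    Finding("sqli-1", "Very High", "first-party", age_days=45),
    Finding("xss-2", "High", "first-party", age_days=10),
    Finding("xss-3", "High", "first-party", age_days=200, mitigated=True),
    Finding("lib-4", "Very High", "third-party", age_days=60),
    Finding("crypto-5", "Medium", "first-party", age_days=5),
]

if __name__ == "__main__":
    for tier in POLICIES:
        print(tier, evaluate(SAMPLE, tier))
```

The same five findings fail the high-criticality tier on four flaws, fail the standard tier only on the two Very High flaws past their 30-day window (one of them in a third-party component), and pass the low-criticality tier.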
We talk a lot about the digital transformations going on around us, about how organizations of every size and shape are transforming how they do business in order to keep pace with customers and competition in a digital world. But we at CA Veracode are undergoing a transformation of our own. We are evolving to ensure our architecture and processes are optimized to meet our customers’ needs in this fast-paced digital world.
What does our architecture evolution look like? We are working to improve our scanning performance by refreshing our infrastructure, re-architecting our platform as a set of microservices, and deploying those services on AWS and using managed AWS services.
Hardware infrastructure improvements: In an effort to improve our scanning performance, we completely refreshed our underlying compute, storage, and networking infrastructure last year. Those changes have resulted in significant improvements in scan times for most customer scans, and given us greater flexibility in responding to sudden increases in customer demand.
Re-architecting the platform to leverage microservices: To deliver new functionality and fix issues more quickly, we have worked hard to re-architect our platform using the microservices architecture pattern. We’ll continue this effort going forward, but the results are already visible to customers in the form of higher feature velocity, targeted scalability improvements, and better performance.
In addition, to enable the kinds of automation and integration that customers require as they embrace DevOps processes, we’ve increased our emphasis on APIs and integrations. During this year, we’ll release an increased number of RESTful APIs and integrations that our customers and partners can use to make scanning and remediation more seamless. This enables developers, security teams, and risk management professionals to work within the tools of their choice while still gaining all the power and insights of the CA Veracode platform.
Increased use of AWS: As our customers continue to move toward DevSecOps processes for their software development and operations, we’re seeing increases in scan frequency and the need for increased speed and scalability. We’re continuing to deliver on these needs via evolution of our core software, and by leveraging secure, highly available, and scalable services provided by AWS. While we’ve architected some of our newer offerings such as CA Veracode Greenlight from the ground up using AWS services like Lambda and KMS, we’ve also done extensive refactoring across our full platform to use AWS services in a secure manner where it makes sense. Some of the benefits customers can expect from this evolution include:
Robust security controls and increased levels of data protection
Faster scan times
Improved API response time
Accelerated report generation
Faster delivery of new features and services
Reduced maintenance window downtime
We take the security of our customer data seriously. Protecting that data has always been, and always will be, a top priority. CA Veracode’s AWS implementation adheres to the same rigorous attestation and security review processes that we have always used. Customer data, while in the AWS cloud, is encrypted both at rest and in transit. Access to customer data by the software services that make up the CA Veracode Platform follows the principle of least privilege and requires authorization.
As our customers transform the way they create software, we’re transforming the way we secure it. Our customers are clear in what they need from CA Veracode in the years ahead: fast scan times, accurate results, easy integrations into their security and development tools, new products that meet their emerging needs, and, most of all, a combination of technology, expertise, and service that helps them more effectively find and fix the vulnerabilities. Through investments on all those fronts, we’ll continue to ensure that CA Veracode remains the clear leader in application security.
We recently revamped and relaunched our CA Veracode Verified program. To better suit the needs of organizations that are producing and updating apps at DevOps speed, we are moving away from attesting to the security of an application at one point in time, and, rather, attesting to the security of the overall development process of an application. In this way, your prospects and customers can rest assured that security was embedded into the development process that created your product. With the Verified seal, you prove at a glance that you’ve made security a priority, and that your security program is backed by one of the most trusted names in the industry.
Is the CA Veracode Verified program right for you? It is if you are:
Looking for a way to speed sales cycles by addressing customer and prospect security concerns pre-emptively
Tired of bogging down security resources with audit requests from customers
Ready to embark on an application security initiative, but don’t know where to start
Required to justify your AppSec spend
The CA Veracode Verified program includes three tiers, allowing you to quickly get ramped up and achieve your first seal, then work toward the other tiers over time as you grow and mature your application security program. The first tier of the CA Veracode Verified program is the Standard tier. What does application security look like at this tier?
Organizations in the standard tier:
Assess first-party code with static analysis: The ultimate goal of an application security program is to assess the security of every application – both those created internally, plus third-party and open source code – with multiple testing types. However, most organizations start small and build their program over time, and a good place to start is by assessing your internally developed code with static analysis. Unlike manual code reviews or penetration tests, CA Veracode Static Analysis is an automated process that delivers repeatable results. Since we give you accurate results and prioritize them based on severity, you won’t need to waste resources dealing with hundreds of false positives.
To get a better sense of how our static analysis works, get a personal demo.
Document that the application does not allow Very High flaws in first-party code: Tackling the most severe vulnerabilities first is always best practice. Ultimately, successful vulnerability management is all about prioritizing remediation based on risk. Encouragingly, we found that to be a best practice among our customer base in 2017. Our most recent State of Software Security report compared the fix rate of very high and high severity vulnerabilities to the overall fix rate, and found that organizations are reducing the most severe flaws at about twice the overall fix rate.
Provide developers with remediation guidance: Effective application security doesn’t stop at finding flaws; it also fixes them. But many developers aren’t equipped to remediate the vulnerabilities static analysis uncovers. In fact, in a survey we conducted with DevOps.com, seven in 10 developers said their organizations don’t provide adequate training in security, and 76 percent reported that they weren’t required to complete any security courses while in school. On the other hand, providing the team with remediation guidance gets results. Research done for our 2017 State of Software Security report revealed that CA Veracode customers that offer developers remediation coaching improve fix rates by 88 percent.
Application security can be a daunting prospect for many, but breaking it into manageable steps, prioritizing the tasks, and starting small make it doable. The CA Veracode Verified program can help you do just that, while proving to your prospects that security is a priority at your organization.
Ready to reach the Standard tier? Contact us to get started.
Open source components have gone mainstream. With every company undoubtedly becoming a software company, open source and commercial components are a vital element in developing applications at the speed of DevOps. But while they’re a powerful tool for adding features and functionalities to applications in relatively short order, they also introduce remarkable security risks.
For the second year in a row, CA Veracode has received several accolades from CRN, a brand of The Channel Company and one of the industry’s top sources for news and analysis for the IT channel. CA Veracode’s world-class Partner Program received the 5-Star Rating in CRN’s 2018 Partner Program Guide, and Leslie Bois, vice president, global channels and alliances, was named to its prestigious list of 2018 Channel Chiefs. The 5-Star Partner Program Guide rating recognizes an elite subset of companies that offer solution providers the best partnering elements in their channel programs. Channel Chief honorees are selected by CRN’s editorial staff on the basis of their professional achievements, standing in the industry, dedication to the channel partner community, and strategies for driving future growth and innovation. We’re in good company, with CA Technologies celebrating similar accolades. To read more about our collective achievements, please visit CA’s Highlights blog.
When you work in the banking industry, security is a part of everything you do. And just as important as protecting the money is protecting the integrity of the software it all flows through. But for us at CAP COM Federal Credit Union (CAP COM), ensuring that we were producing secure code had become a bigger priority.
As part of redefining our software development lifecycle (SDLC), CAP COM began to seek an all-in-one solution that would allow the credit union to integrate security into the build process. Any solution we brought in would need to help us meet the security specifications outlined by the National Credit Union Association (NCUA), along with industry certifications, including PCI, OWASP and HIPAA.
Since I came on board two years ago, we've been moving slowly toward bringing in more of a .NET-centric infrastructure for all our software development and SDLC processes. We reached the point where we almost had a whole build system in place and really needed some kind of SAST and DAST tool so the developers could do security scans.
Looking for a SAST provider to accommodate the migration to .NET, we considered both CA Veracode and another leading on-premise SDLC solution before signing a long-term deal with CA Veracode. There were several factors that made CA Veracode the clear choice over the competitors:
CA Veracode features a seamless integration with our .NET infrastructure, specifically TFS and Visual Studio. This allowed our team to get started scanning code faster while making it easier to build application security into our process. On the other hand, the competitor’s integrations were less intuitive, and its findings were less comprehensive.
CA Veracode offered us a true all-in-one solution, providing a full suite of services including SAST, DAST, and MPT from a single vendor. Because the competitor had no ability to conduct DAST testing, using it would have required other vendors to provide that capability.
Upon analysis, we discovered CA Veracode’s false-positive rate to be noticeably lower than the rates reported by the on-premise solution.
Beyond its technical merits, there were several indicators CA Veracode would be an easy company to partner with. CA Veracode’s support reps were a significant factor, giving us the confidence that someone would always be available to help troubleshoot or configure the scan engine for our software build process. In addition, we felt that CA Veracode’s reporting for the Security Officer was more comprehensive, and the documentation around CA Veracode’s security practices was more extensive. Third-party validation in the form of Gartner’s Magic Quadrant for Application Security Testing also provided additional peace of mind.
Of course, pricing was also a factor. CA Veracode’s pricing model was far more affordable for CAP COM over the medium- and long-term.
We chose CA Veracode not only to reduce security risks in our software, but also to reduce the risk of working with the wrong solution for our needs. By comparing CA Veracode to other vendors, we were able to find the capabilities, integrations, support, and price we needed to accomplish both our security and business performance goals.
When officials explore the issues surrounding election integrity in the United States, one obstacle tends to frame those discussions: the huge chasm between the technological sophistication of cyber attackers intent on disrupting U.S. elections and the technological sophistication of the officials who run those elections. Even an attack as low-tech as an email phishing campaign, where attackers try to trick locals into opening malware attachments, can prove effective when those safeguarding voter integrity are not comfortable with the technology. Training those officials is certainly an essential first step, but will it be even close to enough?
In this podcast, we caught up with Michael Figueroa, executive director of the Advanced Cybersecurity Center, to discuss how much of a technical disconnect there really is.
ACS Center’s Michael Figueroa Discusses the Technical Disconnect in Election Security (SoundCloud podcast)
We are in the midst of the fourth industrial revolution. Instead of steam machines or textiles, our economy is becoming ever more tied to technology. In order for our digital economy to thrive, we as a collective society need to have trust in our technology. Yet, the technology world has done very little to earn that trust.
During RSA, David Duncan, VP, Product Marketing, and Mark McGovern, VP, Product Management, discussed our state of digital trust and how failing to improve it will impact the growth of our digital economy. Duncan pointed out that the digital economy is the 5th largest economy in the world. The growth of this economy is essential to our current way of life, and a lack of trust caused by a series of preventable breaches and loss of personal data is threatening this growth. It is estimated that the digital economy has lost $3 trillion in growth due to a lack of trust in technology. And when companies don’t earn trust on their own, governments take action. Just look at the slew of new regulations and legislation coming out, especially in Europe. After the Equifax breach, the former CEO was forced to testify in front of Congress, and just recently Mark Zuckerberg was asked to do the same in order to answer questions about breaches of privacy.
As McGovern pointed out during his presentation, the digital economy has us living in a paradox. We want better technology, faster and with more access, but we also want it to be more secure. The equation doesn’t add up with the way we think about security. This is why we need a modern approach to things like application security, where security is a function of software quality and is built into the development process. And of course we need a modern approach to identity and access management. This means things like single sign-on, advanced authentication, directory services and mobile AppSec. And we need to make use of behavioral analytics so that IAM fades into the background and is not a nuisance.
We live in a borderless world, so our security needs to be borderless too. Otherwise it becomes inconvenient, and we cannot build the trust with our customers that we so badly need for our economy to continue growing.