Daily Archives: June 18, 2019

Live From Gartner Security & Risk Mgmt Summit: Pair Security Trainings With Technical Controls

“We often forget that technology cannot solve the world’s problems.” That was one of the opening lines of Joanna Huisman’s session “Magic Quadrant for Security Awareness Computer-Based Training” at the Gartner Security & Risk Management Summit in National Harbor, MD. While her Magic Quadrant doesn’t address DevSecOps trainings, I took away some valuable lessons that also apply to this area.

20 percent of users will never change behavior, no matter how well you train

Traditional awareness efforts are based on the belief (or hope) that information leads to action. In other words, the problem with trainings is that “awareness” does not automatically result in secure behavior: About 20 percent of learners are never going to do the right thing, no matter how much you train them.

Let’s think this through for a moment: 80 percent of your audience will follow your advice to some extent, so you will get an improvement, but 20 percent will not change their behavior. Most security professionals aim to reward users who follow security process but are reluctant to punish the ones who don’t because they don’t want to be the bad guys. Even if they are prepared to go through with punitive actions, it may be counter to corporate culture (and generally not a good teaching practice).

Education is good, but it must be coupled with technical controls

This means that while security awareness does improve your security posture, you still need technical controls in place to mitigate the rest. In the case of DevSecOps, this translates into a combination of secure coding trainings and automated application security testing. The training will reduce vulnerabilities being introduced into the code, which reduces the cost of your DevSecOps program because security defects that never enter the code are understandably much cheaper than those found in production. The security testing serves as a feedback loop for developers and as a gate to stop security defects escaping to production.

At Veracode, we offer courses to teach the fundamentals of secure coding, both as eLearning and live sessions. With Veracode Greenlight, we provide instant feedback on code security as developers are typing code in their IDE. And we provide feedback via ticketing systems and a security gate as part of Veracode Static Analysis. If developers get stuck fixing a vulnerability, they can book our application security consultants for a coaching session to help fix their security defect.

Learn more about Veracode’s Developer Training.

Application Security Beyond Static Analysis

There is no application security “silver bullet” – it takes a combination of testing types to effectively reduce your risk. Each testing method has a different role to play and works best when used in harmony with others.

For instance, our research showed that there are significant differences in the types of vulnerabilities you discover dynamically at runtime compared to those you’ll find when doing static testing in a non-runtime environment. In fact, two of the top five vulnerability categories we found during dynamic testing weren’t even among the top five found by static, with one not found by static at all.

Add to this the fact that applications are increasingly “assembled” from open source components, rather than developed from scratch, which means software composition analysis is an important part of your testing mix. Neglecting to assess and keep track of the open source components you are using would leave a large portion of your code exposed and leave you open to attack. 

And finally, automation alone is not enough to ensure an application is thoroughly tested from a security perspective. Some flaws, such as CSRF (Cross-Site Request Forgery) and business logic vulnerabilities, require a human to be in the loop to exploit and verify the vulnerability. Only manual penetration testing can provide positive identification and manual validation of these vulnerabilities.

Here's an overview of the different types of vulnerabilities found by different testing types:

capabilities static analysis software composition analysis dynamic analysis manual penetration testing
Flaws in custom web apps (CWEs) X   X X
Flaws in custom non-web apps (CWEs) X     X
Flaws in custom mobile apps (CWEs) X     X
Known vulnerabilities in open source components (CVEs)   X   X(1)
Behavioral issues (CWEs) X(2)     X
Configuration errors (CWEs)     X X
Business logic flaws (CWEs)       X
Repeatable process for automation X X X  
Scalable to all corporate applications X X X  
Scan speed Seconds to hours Seconds to minutes Hours Days to weeks
Cost per scan $ $ $ $$

1Penetration testing can find known vulnerabilities in open source components, but this may not be as rigorous as Veracode Software Composition Analysis, which not only systematically flags CVEs but also crawls commit histories and bug tracking tickets in open source projects to identify silent fixes of security issues.

2This is not true for all static analyzers. Veracode can exercise the code and manipulate the UI for behavioral analysis in mobile applications.

Here’s a summary of when to use each testing type:

assessment type advantages limitations
Static analysis (with entire application in scope)
  • Very broad coverage of flaw types (CWEs)
  • Looks at the flaws in the context of the entire application, analyzing all the data paths
  • Can scan any type of application, including web, mobile, desktop, or microservices
  • Scanning frequency should be in line with how often developers can review scan results
  • Use static analysis as part of Continuous Delivery pipeline and file security issues in bug tracking system
  • Can track flaw history: new, open, fixed. Important for trending reports on mean time to remediation.
  • Suitable for compliance purposes
  • Does not provide instant feedback to developers as they’re coding
  • Cannot find CWEs related to server configurations
  • Limited to code that developers can remediate.
  • Does not report vulnerabilities in third-party components (see: SCA).

Static analysis (on file level, e.g., Greenlight)

  • Recommended for development teams who want to shift left in application security testing by scanning early and often. Scans usually complete in seconds.
  • Best suited when scanning multiple times per day
  • Recommended for use by developers working on the new code for continuous flaw feedback and remediation guidance
  • Developer friendliness: enhances learning, allows developers to find and address issues without exposing flaws in reports
  • Scans web applications without having to integrate with the SDLC
  • Ability to scan in pre-production and production
  • Suitable for compliance purposes
  • Scans individual files, so can only detect vulnerabilities where source and sink are in same file
  • Typically not suited for compliance scanning because scope limitations may cause false negatives
  • Does not report vulnerabilities in third-party components
Dynamic analysis
  • Scans web applications without having to integrate with the SDLC
  • Ability to scan in pre-production and production
  • Suitable for compliance purposes
Scan times are often between 12 and 24 hours for complex applications, so recommended for overnight scans, or for asynchronous scanning

Software composition analysis


  • Finds vulnerabilities in third-party components
  • Scans take seconds or minutes Can scan any type of application, including web, mobile, desktop, or microservices
  • Suitable for compliance purposes
Does not find flaws in first-party code


For more details, check out our new guide, Application Security Best Practices.

New Chrome Protections from Deception

Chrome was built with security in mind from the very beginning. Today we’re launching two new features to help protect users from deceptive websites. The Suspicious Site Reporter Extension will improve security for Chrome users by giving power users an easy way to report suspicious sites to Google Safe Browsing. We’re also launching a new warning to protect users from sites with deceptive URLs.

We designed Chrome to be secure by default, and easy to use by everyone. Google Safe Browsing has helped protect Chrome users from phishing attacks for over 10 years, and now helps protect more than 4 billion devices every day across multiple browsers and apps by showing warnings to people before they visit dangerous sites or download dangerous files. We’re constantly improving Safe Browsing, and now you can help.

Safe Browsing works by automatically analyzing the websites that we know about through Google Search’s web crawlers, and creating lists of sites that are dangerous or deceptive. With the Suspicious Site Reporter extension, you can help Safe Browsing protect web users by reporting suspicious sites. You can install the extension to start seeing an icon when you’re on a potentially suspicious site, and more information about why the site might be suspicious. By clicking the icon, you’re now able to report unsafe sites to Safe Browsing for further evaluation. If the site is added to Safe Browsing’s lists, you’ll not only protect Chrome users, but users of other browsers and across the entire web.

Help us protect web users by reporting dangerous or deceptive sites to Google Safe Browsing through the Suspicious Site Reporter extension.

One way that deceptive sites might try to trick you is by using a confusing URL. For example, it’s easy to confuse “go0gle.com” with “google.com”. In Chrome 75, we’re launching a new warning to direct users away from sites that have confusing URLs.

Starting in the current version of Chrome (75), you’ll see a warning when the page URL might be confused for URLs of sites you’ve visited recently.

This new warning works by comparing the URL of the page you’re currently on to URLs of pages you’ve recently visited. If the URL looks similar, and might cause you to be confused or deceived, we’ll show a warning that helps you get back to safety.

We believe that you shouldn't have to be a security expert to feel safe on the web, and that many Chrome power-users share our mission to make the web more secure for everyone. We’ll continue improving Chrome Security to help make Chrome easy to use safely, and are looking forward to collaborating with the community to further that goal. If you'd like to help out, install the new extension and start helping protect the web!

Can All-in-One Printers Be Hacked? “Hackable?” Sets the Fax Straight

The heyday of fax technology may have been in the 80s, but all-in-one printers found throughout homes and offices often still include a fax machine. And telephonic transmission has resisted the rise of email and other internet-connected messaging tools in a variety of fields, including healthcare and law enforcement.

On the latest episode of “Hackable?” we learn if this dated, but still used, technology puts entire networks at risk. Geoff invites two Israeli cybersecurity researchers to test the seldom-used fax machine and printer sitting in the corner of his home office. Listen and learn what they are able to do with only a $5 modem, Geoff’s fax number, and a Python script.

The post Can All-in-One Printers Be Hacked? “Hackable?” Sets the Fax Straight appeared first on McAfee Blogs.

Live From Gartner Security & Risk Mgmt Summit: Running Midsize Enterprise Security

Over the past few months, I’ve experienced an increased interest in DevSecOps from midsize enterprises, so I was especially interested in attending Neil Wynne and Paul Furtado’s session “Outlook for Midsize Enterprise Security and Risk Management 2019” at the Gartner Security & Risk Management Summit in National Harbor, MD this week.

57 Percent of Midsize Enterprises Don’t Have a CISO

Gartner defines midsize enterprises as companies with less than $20 million in IT security budget. At that size, they have up to 30 people in IT, which means that 57 percent of this group do not have enough security staff to warrant a CISO. This means the CIO is accountable for cybersecurity in most midsize enterprises.

According to Gartner, midsize enterprises spend an average of $1,089 on IT security per employee. About 6 percent of the IT headcount is dedicated to security, so you have to have at least 17 people in IT before you start dedicating a full headcount to security. Below that water mark, it’s only partial headcounts. That’s a lot of security areas to cover for very little headcount, and you can completely forget about 24/7 coverage for security operations. To make things worse, the midsize enterprise is hit even harder by the InfoSec skill gap because they often cannot compete with Fortune 500 salaries and benefits.

How Can Midsize Enterprises Address These Challenges?

Paul Furtado, Sr. Director Analyst at Gartner, recommends the following guidelines for addressing these challenges:

  • Create a baseline: What are you doing today?
  • Know what to protect: You won’t know what to protect if you don’t know what’s critical to the business. Identify your most critical data: PII, IP, partner/customer lists, business-critical applications. If you don't know that, you're spending money in the wrong areas.
  • Know your risk appetite: Categorize all risks by business impact and risk scenario likelihood, then prioritize and decide what’s a level of acceptable risk for the organization.
  • It’s a combined effort: Security is a combination of people, process, and technology.
  • Apply best practices: You are not the first one to set up a security program – learn from others.  

Framing Security Spending With Executive Leadership

Before Paul joined Gartner, he spent decades working in the trenches in midsize enterprises. Most executive leaders ask why they should be spending dollars on security. I loved his response: “I’m not taking a dollar from you, I’m protecting the dollars for you” This is a great mind shift that I can absolutely see working with executives.

I also liked how he boiled down the basics of what a security program must do:

  • Keep bad guys out 
  • Let good guys in
  • Keep the wheels on

I often see security professionals over-rotate on the first item, which is most important to them. However, let’s not forget, items two and three are more important to everyone else in the business!

Be Pragmatic and Don’t Do Everything In-House

With very limited resources, you cannot do everything in-house. You need to outsource some of the work to be successful. Use cloud solutions and vendors that can supply you with specialized knowledge and round-the-clock coverage. As Paul summed it up: “We could do this ourselves, but it’s not a good use of our people.”

A Recipe for a Successful Security Program in Midsize Enterprise

Paul summed up his recommendations as follows:

  • Do the simple things well. This means the more difficult things in IT security become easier. Complexity is the enemy of security. 
  • Start to seriously examine how to leverage your security spending with multiplication platforms.
  • Demand a secure development life cycle and “built-in” security for IT components.
  • Constantly re-evaluate your risk tolerance and your good-enough security comfort level.
  • Investigate emerging security services.

Of course, working in application security, number three resonated most with me, so I’d like to dig into this one a little and tie it back to all of his recommendations.

How to Do DevSecOps in Midsize Enterprises

Key takeaways from Paul’s talk are that you cannot do everything in-house because of lack of headcount and skills shortage in InfoSec. Veracode can help you address both of these challenges.

Let’s get to lack of headcount first. Veracode is the only SaaS-native Leader in the Gartner 2019 Magic Quadrant for Application Security Testing, and we have been a Leader for six times in a row. As a midsize enterprise, you don’t have the time to set up and maintain an application security scanning infrastructure, especially if you have to support multiple geographic sites as well as high availability and scalability for critical DevOps teams. Using Veracode is like having DevSecOps on tap: You don’t have to set up any infrastructure so your developers can start scanning on day one.

Now let’s discuss skills shortage. If you only have a couple of InfoSec people on your team, you will struggle to offer specialized knowledge for developers who need help remediating specific vulnerabilities in their code, especially if your team covers a broad set of languages. At Veracode, we have a dedicated team of application security consultants that your developers can tap into to get help with their code. In addition, our security program managers can onboard your scrum teams onto our platform and help them automate the security scanning.

Security as a Competitive Advantage

As a midsize enterprise, you are often subject to security scrutiny when selling to the Fortune 500, especially when the value you deliver to your customers involves software, either directly or indirectly. Veracode is the only application security testing vendor to offer the Veracode Verified Program, which helps you show your customers that you take security seriously. Many of our midsize enterprise customers even use their Veracode Verified logo as a competitive advantage. Check out some of these companies in the Veracode Verified Directory.


“You may not have the need today, but it’s well worth doing the research today.”

How Veracode Supports DevSecOps Methodologies With SaaS-based Application Security

Veracode Kuppinger Cole Report

Most legacy applications were not developed with security in mind. However, modern businesses and organizations are continuing to undergo digital transformation in order to pursue new business models and revenue channels, as well as giving their customers or constituents a simplified experience. This often means selecting cloud-based tools and solutions that allow for the scalability necessary to provide applications and services to a broad customer base.

For example, in 2013, the UK government adopted a Cloud First, or Cloud Native, policy for all technology decisions, making it mandatory to consider cloud solutions before alternatives. This means that government IT professionals must first consider public cloud options, including SaaS models for enterprise IT and back-office functions, as well as Infrastructure as a Service and Platform as a Service.

But this dramatic expansion of the application layer introduces new security challenges. In one engagement, Veracode worked with a High Street bank to secure its web application portfolio and uncovered 1,800 websites that had not been inventoried – making its attack surface 50 percent bigger than originally thought.

With the growing complexity of IT infrastructures and a shortage of qualified security experts, businesses and government agencies alike need to enlist application security specialists with a deep understanding of the complexity of modern applications.

Veracode pioneered static binary analysis to address the security of modern applications, which are often comprised from different teams, languages, frameworks and third-party libraries. This approach allows security and development teams to assess the security posture of entire applications once they’ve been built, rather than analyzing individual pieces of source code and missing some of the potential “cross-platform” exploits.

Yet the Veracode Platform offers so much more than its signature static binary analysis.

“With a growing number of integrations with CI/CD tools and development environments and expanding its coverage to the full software supply chain, Veracode clearly shows the commitment to fully embrace the modern DevOps and DevSecOps methodologies and to address the latest security and compliance challenges,” writes KuppingerCole Lead Analyst Alexei Balaganski. “With the SaaS approach, the company can ensure that customers can start using the platform within hours, and a wide range of support, consulting and training services means they are ready to guide every customer towards the application security best practices as quickly as possible.”

To learn more about our approach to supporting modern DevOps and DevSecOps methodologies, and how the Veracode Platform is even easier for software developers to use, download the KuppingerCole Report, Executive View: Veracode Application Security Platform.