Author Archives: (lpaine)

How Veracode Supports DevSecOps Methodologies With SaaS-based Application Security

Most legacy applications were not developed with security in mind. However, modern businesses and organizations are continuing to undergo digital transformation in order to pursue new business models and revenue channels, as well as giving their customers or constituents a simplified experience. This often means selecting cloud-based tools and solutions that allow for the scalability necessary to provide applications and services to a broad customer base.

For example, in 2013, the UK government adopted a Cloud First, or Cloud Native, policy for all technology decisions, making it mandatory to consider cloud solutions before alternatives. This means that government IT professionals must first consider public cloud options, including SaaS models for enterprise IT and back-office functions, as well as Infrastructure as a Service and Platform as a Service.

But this dramatic expansion of the application layer introduces new security challenges. In one engagement, Veracode worked with a High Street bank to secure its web application portfolio and uncovered 1,800 websites that had not been inventoried – making its attack surface 50 percent bigger than originally thought.

With the growing complexity of IT infrastructures and a shortage of qualified security experts, businesses and government agencies alike need to enlist application security specialists with a deep understanding of the complexity of modern applications.

Veracode pioneered static binary analysis to address the security of modern applications, which are often comprised from different teams, languages, frameworks and third-party libraries. This approach allows security and development teams to assess the security posture of entire applications once they’ve been built, rather than analyzing individual pieces of source code and missing some of the potential “cross-platform” exploits.

Yet the Veracode Platform offers so much more than its signature static binary analysis.

“With a growing number of integrations with CI/CD tools and development environments and expanding its coverage to the full software supply chain, Veracode clearly shows the commitment to fully embrace the modern DevOps and DevSecOps methodologies and to address the latest security and compliance challenges,” writes KuppingerCole Lead Analyst Alexei Balaganski. “With the SaaS approach, the company can ensure that customers can start using the platform within hours, and a wide range of support, consulting and training services means they are ready to guide every customer towards the application security best practices as quickly as possible.”

To learn more about our approach to supporting modern DevOps and DevSecOps methodologies, and how the Veracode Platform is even easier for software developers to use, download the KuppingerCole Report, Executive View: Veracode Application Security Platform.

What the AMCA Data Breach Teaches Us About Modern Supply Chain Security

The State of Software Security Volume 9 (SOSS Vol. 9) found that the healthcare industry, with its stringent regulations, received relatively high marks in many of the standard AppSec metrics. According to Veracode scan data, healthcare organizations ranked highest of all industries on OWASP pass rate on latest scan, coming in with a rate just over 55 percent. Our flaw persistence analysis shows that the industry is statistically closing found vulnerabilities far faster than any other sector.

However, the recent American Medical Collection Agency data breach has brought attention to the fact that breaches involving subcontractors and business associates, particularly in the healthcare industry, are on the rise. As both Quest Diagnostics and Laboratory Corporation of America Holdings (LabCorp) have filed 8-Ks with the Security and Exchange Commission (SEC), as many as 11.9 million people may have had their personal and payment information stolen by an unauthorized user.

Earlier this year, Moody’s Investor Service ranked hospitals as one of the sectors most vulnerable to cyberattacks. In a press release, Moody's Managing Director Derek Vadala said, “We view cyber risk as event risk that can have material impact on sectors and individual issuers. Data disclosure and business disruption are the two primary types of cyber event risk that we view as having the potential for material impact on issuers' financial profiles and business prospects.”

Ensuring the security of patient data

Healthcare organizations appear to be doing their part to ensure the safety of their patient and customer data. Recently, the Wall Street Journal’s Melanie Evans and Peter Loftus published a story about how hospitals are asking device makers to let them under the hood of their software to look for flaws and vulnerabilities – and opting out of doing business if they’re not granted access. The article cites how, in 2017, NewYork-Presbyterian dropped plans to buy infusion pumps manufactured by Smiths Group PLC after the Department of Homeland Security issued a warning that hackers could take control of pumps (a fix has since been released).

That same year, many hospitals were forced to cancel appointments and surgeries when their operations were stunted by WannaCry and NotPetya cyberattacks – so it’s no wonder hospitals began enlisting the help of cybersecurity pros, including penetration testers.

Evans and Loftus spoke with corporate counsel at Boston Scientific who noted that negotiations with hospitals are more complicated and drawn out than ever before as a result of cybersecurity demands.

Where is the gap in the modern healthcare supply chain?

Given the sensitivity of the data involved, it’s reasonable for hospitals and healthcare IT companies to be more inquisitive. But it’s not just the healthcare-related technologies that they need to look into.

SOSS Vol. 9 shows that the financial industry, while boasting the largest population of applications under test and with a reputation of maintaining some of the most mature AppSec programs, is struggling to meet AppSec standards. The industry ranks second to last in major verticals examined for OWASP pass rate on latest scan, and based on flaw persistence analysis, it’s leaving flaws to linger longer than other industries do.

In order for hospitals and healthcare organizations to ensure the security of those they care for, they need to be able to trust that the third-party vendors and service providers that they enlist to take payments and process claims are taking the appropriate precautions when it comes to software security.

Awareness begets progress

In 2017, Veracode conducted research with YouGov to better understand how well business leaders understood the cybersecurity risks they are introducing to their company as a result of digital transformation and participation in the global economy. What we found was that awareness was low – even following the Equifax breach that occurred that year. The research showed that only 28 percent of respondents had heard of the attack.

Since then, we’ve seen a number of CEOs and other executives paying the price after a breach. Veracode CTO, EMEA, Paul Farrington, said it best:

“Ultimately, this is merely an extension of expectations on the C-Suite when responding to serious events. If CEOs violate environmental, health, or safety standards, they can be fined, and even jailed in many countries. Perfect security is not possible, but with data about our entire lives now being stored and processed by businesses, it is essential that employees and customers alike are afforded a certain standard of cybersecurity. When such standards aren’t met, there out to be accountability at a senior level.”

As healthcare organizations and hospitals are doing an increased level of due diligence before making a purchase or partnering with third parties, we can expect that other industries are likely to follow suit. Executives will begin to add security to their list of priorities, because it will be demanded by the board in an effort to protect their brand and bottom line.

Give your customers confidence that your software is secure

Given that perfect security isn’t possible, organizations should consider reviewing their software development processes to ensure that security is embedded in each stage. One of the reasons that we created Veracode Verified, which helps your organization prove at a glance that you’ve made security a priority, is to help organizations stay ahead of customer and prospect security concerns and speed up sales cycles – without straining limited security resources. The program provides you with a proven roadmap for maturing your application security program, as well as an attestation letter you can share with customers and prospects.

Curious to learn more about how your organization may benefit from Veracode Verified? Have a look at this infographic to get the details, or visit us at Gartner Security and Risk Management Summit June 17-20 to learn about how security can be a competitive advantage for your organization.

Quest Diagnostics Breached Through Third-Party Billing Collections Vendor


Quest Diagnostics has reported that nearly 12 million patients’ may have been impacted by a breach into American Medical Collection Agency (AMCA), the medical testing company’s third-party billing provider. According to a data breach filing with the Security and Exchange Commission, as many as 11.9 million patients may have had their credit card, banking, medical information, and other personal details stolen.

Quest has confirmed that because AMCA does not handle lab results, this information was not affected by the breach. It has also stopped sending collections request through AMCA while the breach is under investigation, and has hired outside security experts to get a better sense of the damage.  

On May 14, AMCA alerted Quest of the potential breach through its web payments page. The data breach filing indicates that between August 1, 2018 and March 30, 2019, an unauthorized party got access to AMCA’s system that allowed them to inject malicious code into the payments pages. They were then able to skim and collect the information users inputted.

According to TechCrunch, this is the second breach affecting Quest customers in three years. In 2016, the company announced the breach of its MyQuest patient portal, which allowed access to the test results and personal information of 34,000 patients.

Your company takes the security of its software seriously. If you want to prove to your customers that you make it a priority, you have to check out Veracode Verified.

WhatsApp Releases Update Following Breach via Remote Code Execution Vulnerability

Veracode WhatsApp Vulnerability May 2019

On Monday, The Financial Times reported that attackers have been exploiting a buffer overflow vulnerability in the popular messaging service WhatsApp. The vulnerability has been fixed, and updates were released on Friday. WhatsApp, owned by Facebook, is urging both iPhone and Android users to update the app as soon as possible.

Veracode’s State of Software Security Volume 9 found that buffer overflow was the 25th most common vulnerability, found in 3 percent of applications. Although not as prevalent as some other flaw categories (like XSS or SQL injection), it is a highly exploitable flaw, and organizations should be aware of it and addressing it quickly. Yet our data also reveals that organizations are taking a troubling amount of time to fix buffer overflow flaws – it took organizations an average of 225 days to address 75 percent of these flaws.

According to theWhatsApp, the vulnerability (CVE-2019-3568) in the VOIP stack allows remote code execution. The RCE vulnerability on WhatsApp is exploited by sending malicious codes to targeted phone numbers. Attackers can exploit the vulnerability by using the WhatsApp calling function to call a user’s mobile phone and then install surveillance software on the device. According to The Financial Times, a user doesn’t need to answer the call to be infected, and the calls seem to disappear from logs.

NSO Group, part-owned by private equity firm Novalpina Capital, is an Israeli company that created Pegasus, the software that is believed to be an integral element for successfully pulling off the attacks. The BBC reports that NSO’s flagship software can gather personal data from a targeted device using the microphone and camera, as well as capturing location data.

WhatsApp has reported the vulnerability to its lead regulator in the Europe Union, Ireland’s Data Protection Commission (DPC), though it is still investigating whether or not any EU user data has been affected as a result of the incident. The company also reported the vulnerability to the US Department of Justice last week.

WhatsApp is one of the most popular messaging tools in the world, with a sizeable 1.5 billion monthly users. It’s favored for its high level of security and privacy, as messages are encrypted end-to-end. This news adds to a turbulent period at Facebook, which bought WhatsApp in 2014 for $19 billion. Last month, a security research firm revealed 540 million Facebook accounts were publicly exposed, and a co-founder, Chris Hughes, recently advocated in The New York Times that the company should be broken up for fear that it has too much influence and power.

2019 Verizon DBIR Shows Web Applications and Human Error as Top Sources of Breach

Veracode App Sec Verizon DBIR 2019

According to the 2019 Verizon Data Breach Investigations Report, there was a noticeable shift toward financially motivated crime (80 percent), with 35 percent of all breaches occurring as a result of human error, and approximately one quarter of breaches occurring through web application attacks. These attacks were mostly attributable to the use of stolen credentials used to access cloud-based email.

Another fun fact: social engineering attacks are increasingly more successful, and the primary target is the C-suite. These executives are 12x more likely to be targeted than other members of an organization, and 9x more likely to be the target of these social breaches than previous years. Verizon notes that a successful pretexting attack on a senior executive helps them to hit the jackpot, as 12 percent of all breaches analyzed occurred for financially motivated reasons, and their approval authority and privileged access to critical systems often goes unchallenged.

“Typically time-starved and under pressure to deliver, senior executives quickly review and click on emails prior to moving on to the next (or have assistants managing email on their behalf), making suspicious emails more likely to get through,” the Verizon DBIR states. “The increasing success of social attacks such as business email compromises (BECs, which represent 370 incidents or 248 confirmed breaches of those analyzed), can be linked to the unhealthy combination of a stressful business environment combined with a lack of focused education on the risks of cybercrime.”

Retailers Are Most Vulnerable at the Application Layer

The good news for consumers and retailers alike are that the days of POS compromises or skimmers at the gas-pump appear to be numbered, as these card breaches continue to decline in this report. The not-so-good news is that these attacks are, instead, primarily occurring against e-commerce payment applications and web application attacks. Indeed, the report shows that web applications, privilege misuse, and miscellaneous errors make up 81 percent of breaches for retail organizations.

What’s more, 62 percent of breaches and 39 percent of incidents occur at the web application layer. While it is unclear exactly how the web applications were compromised in some cases, it’s assumed that attackers are scanning for specific web app vulnerabilities, exploiting them to gain access, inserting some kind of malware, and harvesting payment card data to create a profit.

The report notes, “We have seen webshell backdoors involved in between the initial hack and introduction of malware in prior breaches. While that action was not recorded in significant numbers in this data set, it is an additional breadcrumb to look for in detection efforts. In brief, vulnerable internet-facing e-commerce applications provide an avenue for efficient, automated, and scalable attacks. And there are criminal groups that specialize in these types of attacks that feast on low-hanging fruit.”

Overall, Veracode’s State of Software Security Vol. 9 shows that retail organizations are quick to fix their flaws, ranking second in this regard as compared to other industries. With this in mind, it may mean that retail organizations need to keep a closer eye on third-party software and open source code in their own applications to ensure they’re not the next to sign a cyberattacker’s paycheck.

At Veracode, we help our customers to ensure that every web application in their portfolio is secure through each stage of the SDLC. Check out this case study to learn about how Blue Prism implemented Veracode Verified to ensure the strength of its application security program and protect its most sensitive data.

Learning From the Vodafone-Huawei Backdoor Scandal

Veracode Vodafone Huawei Backdoor April 2019

Yesterday, Bloomberg reported that Vodafone uncovered hidden backdoors in Huawei equipment used for the carrier’s Italian business, which could have given Huawei unauthorized access to Italian homes and businesses. The alleged backdoors were found in 2011 and 2012, and Vodafone told Bloomberg that the issues were resolved at the time.

However, the BBC published a piece this morning in which Vodafone denied the Bloomberg report, citing a spokesperson who says that, "The 'backdoor' that Bloomberg refers to is Telnet, which is a protocol that is commonly used by many vendors in the industry for performing diagnostic functions. It would not have been accessible from the internet.”

Further, the spokesperson indicated that Bloomberg was incorrect in saying that Huawei could have had unauthorized access to the carrier’s Italian network, nor does Vodafone have evidence of any unauthorized access.

According to the BBC, Vodafone took some time off of deploying Huawei equipment in its core networks until a few issues are resolved – namely that Huawei has been accused of being controlled by the Chinese government, which could pose a security risk. The US encouraged allies not to use the equipment in 5G networks, with Secretary of State Mike Pompeo saying the U.S. wouldn't be able to work with nations using the Chinese technology.

What’s the Deal with Backdoors?

Backdoors are a method of bypassing authentication or other security controls in order to access a computer system or the data contained on that system. They can exist at the system level, in a cryptographic algorithm, or within an application. Some backdoors are included in software intentionally, however, they can still pose a serious threat if uncovered by the wrong people.

According a paper from Veracode CTO Chris Wysopal and Veracode Chief Research Officer Chris Eng, backdoored software enables attackers to gain access to highly secure systems that are otherwise rigorously locked down and monitored. The network traffic to and from an application backdoor will most often look like typical usage of the networked application.

For instance, the network traffic of an attacker using backdoored blog software will look like the typical web traffic of a blog user. This will enable them to bypass any network IDS protection. Since the backdoored software is installed by the system operator and is legitimate software it will typically bypass anti-virus software protection.

Many attackers will place backdoors in the source code of software that they have legitimate access to simply because it is a challenge and because they can. They have no intention initially of compromising systems where the software will be installed but take the opportunity because they may want to use the backdoor in the future.

Companies like Apple have forsaken backdoors, and has gone as far as to create their hardware without third-party access to ensure an acceptable level of protection for users and their personal information.

Curious to find out if you have backdoors in your code? Get in touch so we can help.

Your AppSec Program Can Make Your Developers and Your CFO Happy

Veracode AppSec Developers CFO Dynamic Analysis

While cybersecurity risk is steadily growing, so too is the recognition that application security (AppSec) is critical to protecting valuable enterprise resources. More than ever, ensuring that you have a program that spans the entire SDLC is critical to preventing breaches into your organization and customer data. Just as it is important to inventory and secure all of the applications in your portfolio, it’s equally important that your applications are coded securely. Let’s be real: there are a few ways that shifting your application security program left can go wrong. This can include purchasing solutions that don’t really fit the needs of your organization, failing to determine what flaws need fixing first in order to avoid breach, and measuring success against the wrong metrics. This can cost you valuable resources, including your developers’ time and energy, your clients’ trust – and incite the ire of your organization’s CFO.

Here are three tips for running a developer-friendly AppSec program that saves your organization’s most precious resources.

Create Strong Application Security Policies

You know how you treat each email you receive with varying levels of attention and detail? The same sort of policies should be implemented when it comes to fixing flaws found in your software. Like any tool or methodology, AppSec requires a strong structural framework to deliver maximum results. A broadly defined and unfocused program, and the absence of strong AppSec policies, can lead to teams chasing down every flaw and fix. Essentially, you’re running the risk of overwhelming your developers who will no longer have the time or energy to take threats seriously.

There is no one-size-fits-all framework when it comes to creating application security policy (here’s a guide to get you started). It’s really a matter of setting the bar at the right risk and protection level, determining which flaws really matter, understanding remediation and mitigation, and keeping an eye on third-party applications and open source components. Focusing on AppSec standards, like OWASP Top 10, and balancing the needs of your organization will position you for maximum performance and protection, and help you avoid developer burnout.

Identify Appropriate Metrics

The right set of metrics and key performance indicators (KPIs) can greatly simplify and streamline both your software development and your application security. There are a few other metrics to consider beyond meeting your organization’s policy requirements. For example, organizations that have adopted Agile and DevSecOps will find themselves scanning applications and code more frequently. This kind of scanning, when done through automated integration with development systems and at the times best aligned for the development team, can limit the number of vulnerabilities introduced in the Testing and Production stages. Ensuring scan frequency also means reduced mean time to remediate (MTTR) – Veracode’s State of Software Security Volume 9 found that development teams who scanned 300 or more times per year are fixing flaws 11.5x faster than other organizations.

Another metric to consider is flaw density. Flaw density provides a way of looking at the number of flaws produced from a static analysis over the size of the application and can provide directional guidance when comparing groups of applications. A high flaw density simply means more flaws to address, allowing the opportunity to determine where best to use AppSec resources and prioritize flaws accordingly. The beauty of implementing a developer-friendly AppSec program is that it decreases flaw density over time. The Total Economic ImpactTM of the Veracode Application Security Platform, a Forrester Consulting study, shows that prior to using Veracode, the composite organization experienced 60 flaws per MB of code. After adopting the Veracode platform and integrating tools into their CI/CD pipeline, the composite saw a reduction in security flaws of 50% to 90% over three years.

Ensuring that your team has access to actionable results from all application security testing scans performed in a single platform makes coordinating remediation between security, development, and other IT teams easier and more efficient. It also simplifies your ability to measure against the metrics and KPIs set for your organization. To learn more about how to measure your AppSec program, check out the Everything You Need to Know About Measuring Your AppSec Program guide.

Select the Right Solutions

When it comes to AppSec, you need a combination of solutions to ensure that you’re securing your applications at every stage – that’s right, there’s still no silver bullet in security. In the Forrester Consulting study, the organizations interviewed used the Veracode Platform to build stringent security controls and integrate application security testing into their CI/CD pipeline. In addition to using Veracode Static Analysis and Veracode Dynamic Analysis, these organizations shifted security left using Veracode Greenlight and Veracode Software Composition Analysis to identify issues at inception in the SDLC.

As a result, they found that developers were introducing fewer flaws to their code and that the flaws they did find took less time to resolve because we are able to offer contextual remediation advice for those security flaws. Since security flaws were caught earlier in the SDLC, the organization saw a 90 percent reduction in time required to resolve these flaws. Resolutions which previously took 2.5 hours on average were reduced to 15 minutes.

With MTTR included in your overall metrics, it’s important that your application security solutions are designed for speed AND a low false positive rate. This means that security and development teams will spend less time sorting through results to find actual vulnerabilities, and spend more time fixing what matters so that they can move on to other projects.

Developing an AppSec Road Map Saves Time and Money

Organizations need to conduct security testing at the speed of modern day software development in order to maintain tight product roadmap deadlines and increase speed to market. When your teams take the time to understand the bigger picture, the solutions that they need to get the job done well and done efficiently, and they’re able to save time and money doing it, everybody wins. Your development teams will have the space to make your next standout product or feature. You will have the resources to invest in furthering their development education. Your applications will be more secure and your entire organization will be the better for it.

Docker Hub Database Breached, As Many As 190,000 Accounts Affected

Veracode Container Security Docker Breach April 2019

Docker, a company that created an open platform for building and running distributed applications, reported to users that its Docker Hub database had been breached, exposing sensitive data from approximately 190,000 accounts. While that figure makes up less than five percent of Hub users, the data included some usernames and hashed passwords as well as Github and Bitbucket tokens for Docker autobuild. The company reported that the tokens have been revoked, and said it “acted quickly to intervene and secure the site.”

Experts who spoke with Motherboard indicated that the worst-case scenario is that hackers gain access to proprietary source code of some of those accounts. For context, companies on Docker’s roster include the likes of Paypal and Visa. Microsoft quickly reported that its official files hosted in Docker Hub were not compromised.

According to Veracode CTO Chris Wysopal, it is not yet known what the underlying vulnerability was at Docker Hub, but it is a serious breach as attackers could use the access tokens to get at a company’s source code. It is unclear if the attackers would have write privileges, which would enable backdooring into the code. Wysopal said each customer that was notified should be resetting access tokens and looking at logs for access. With revision control, this is all heavily audited.

Since Docker notified customers quickly, hopefully the impact is limited. The company emailed those impacted by the breach directly with a password reset link. Customers using autobuilds should check to ensure that their GitHub or Bitbucket repositories are still linked to the Docker Hub to ensure autobuilds work correctly moving forward.

Thousands of companies and millions of developers around the world use Docker to run containers, which are software packages that include code, runtime, settings, system libraries, and system tools. By isolating software from its surroundings, software containers enable code to always run the same regardless of the environment it is operating within. Although the company is still investigating the breach, if hackers have access to the private code in the repositories, they may be able to inject malicious code into software autobuilt by Docker.

How Many Web Applications Does Your Organization Have? It’s More Than You Think

“Automation has saved a tremendous amount of time. We went from a day per app to review and now we are essentially reviewing through automation 18,000 scans a day with only 20 AppSec engineers. You do the math — 18,000 deploys a day with 20 engineers — you can’t scale that manually.”

Senior manager application and cloud security, insurance, The Total Economic ImpactTM of the Veracode Application Security Platform Study

One of the things we pride ourselves on here at Veracode is offering solutions and services that help add a little bit more ease to the application security process. We talk a lot about shifting left, and we do our best to put our money where our mouths are by creating a variety of integrations and automations that empower development teams to adopt a security-first mindset without sacrificing speed or agility. Yet there is more to a complete and holistic application security program than scanning in the CI/CD or making sure you’re securing open source components.

What about all of the web applications that you don’t know or simply forgot about? What about the exploitable vulnerabilities that can only be found at runtime? Or the applications that contain sensitive data and live behind the firewall? In order to ensure the security of these applications – and to make sure you have a proper inventory – you need to conduct discovery and dynamic scans.

What Do You Mean Web Applications I Don’t Know About or Forgot?

It’s more common that you would imagine that organizations and brands have more web apps than they realize – at Veracode, we help our clients create comprehensive application inventories, and find that they are, on average, comprised of roughly 30 percent more applications than clients knew about. For example, in M&A activity, more than just a company or brand is acquired – you also acquire their web assets. Further, the digital landscape is decorated with marketing promotional sites meant to attract attention.

Paul Farrington, Veracode CTO in EMEA, is familiar with how common it is to underestimate the extent and reach of an organization’s IT assets. In a project that Veracode conducted for a high street bank, we discovered 1,800 websites that had yet to be logged.

“Their perimeter can be 50% larger than they originally thought it was,” Farrington told the BBC.

It's impossible to secure an entire web application attack surface if you don’t know about all of your applications, and the very thing meant to draw attention to your brand and boost your bottom line is the same target attackers go after to infiltrate your organization. According to the 2018 Verizon Data Breach Investigations Report, web applications continue to be the number one vector for reported breaches. In nearly 90 percent of breaches, it took only minutes for attackers to gain access – and it took months for nearly 70 percent of organizations to detect the systems that had been compromised.

Securing ALL of Your Web Applications With Veracode Discovery + Veracode Dynamic Analysis

Without a solution to help you discover these web applications, you can never be completely certain that you have scanned all of your web applications. This is where Veracode Discovery can help.

Veracode Discovery is a threat intelligence solution that leverages IP ranges, host names, keywords, and other inputs to scan the web for every web application that may be associated with your organization. The results are uploaded to the Veracode Application Security Platform where users can sort through the findings and input them into Veracode Dynamic Analysis through an easy-to-follow workflow. This ensures that you have full visibility into what your organization owns and that you are able to either scan and remediate those applications or sunset them, which improves the organization’s overall security posture.

Veracode Dynamic Analysis is fast, but it’s not just about the speed at which a scan returns results. It’s about the complete workflow – scan start, scan complete, and through to remediation. Veracode Dynamic Analysis is fast because of scheduling automation and a single upload that allows you to batch upload multiple applications into the same analysis. As a SaaS solution, Veracode Dynamic Analysis is able to kick off a scan for hundreds of applications at the same time. Unlike other solutions on the market, Veracode Dynamic Analysis can concurrently scan both authenticated and unauthenticated applications both in front of and behind a firewall. What’s more, the results that you receive are immediately actionable: they contain less than 1 percent false positives thanks to the accuracy of our scanner and limited manual scrubbing.

Veracode Dynamic Analysis covers a wide variety of application frameworks, including Single Page Applications, JavaScript apps, HTML5, Angular, and ReactJS. This gives you the reassurance that Veracode Dynamic Analysis will be able to return results on your applications and provide you with actionable results.

To learn more about Veracode Dynamic Analysis, download our whitepaper, Reducing Your Risk of a Breach with Dynamic Analysis.

Why You Should Reconsider Prioritizing High Severity Vulnerabilities in Your Fix Schedule

Veracode Not all Vulnerablities are Created Equal SCA Open Source

When it comes to vulnerabilities, there is a range of severity and exploitability, which often dictates how quickly a flaw is fixed upon discovery. Most companies prioritize high severity and critical vulnerabilities, but ignore lower severity vulnerabilities. The highest severity flaws are less complicated to attack, offer more opportunity for full application compromise, and are more likely to be remotely exploitable — overall they tend to open up a wider attack blast radius.

In the State of Software Security Volume 9, we analyzed flaw persistence based on where vulnerabilities fall on our five-point severity scale, and we found that organizations hit the three quarters-closed mark about 57% sooner for high and very high severity vulnerabilities than for their less severe counterparts. In fact, our scan data indicates that low severity flaws were attended to at a significantly slower rate than the average speed of closure. It took organizations an average of 604 days to close three quarters of these weaknesses.

Here’s the catch: there could be a low severity vulnerability that is affecting your code and it could be used to exploit your application.

Is the Vulnerability in the Execution Path?

There’s another dimension that often isn’t taken into account when prioritizing fixes, and that’s whether the vulnerability is actually impacting the code. When it comes to open source risk, for example, we know that it is multi-faceted and complex. Simply having a library with vulnerabilities in it does not mean that your app is at risk – you have to first understand if a vulnerable method is being called. When leveraging an open source library, it’s very common for a developer to only use a small subset of that library for a very particular function or capability. This means that it’s highly likely your application never calls on a vulnerability in the library and, in essence, is not exploitable.

Rather than prioritizing fixing a high-severity vulnerability in a function that is not called by your application, it would be more advantageous to prioritize a medium-severity vulnerability that lies in the execution path and puts your customers at risk. When developers have this information, they are empowered to prioritize and immediately fix vulnerabilities that pose the highest likelihood of exploitation. Additionally, their remediation time is reduced by up to 90 percent. The time saved for your developers, and the decreased time the attack window is open, is crucial to protecting your data.

That being said, just because a vulnerability isn’t in the execution path doesn’t necessarily mean your application isn’t exploitable – it may simply mean we were unable to identify an execution path for the vulnerability. It’s still important to fix all of the vulnerabilities in your application, especially the high and very high ones. Vulnerable method information allows your team to know, out of all of the vulnerabilities detected, which ones have the highest likelihood of exploit.

How Veracode’s Software Composition Analysis Can Help

With many tools out there, developers will receive an extremely large list of vulnerabilities for all open source libraries packaged in your application, and they will have to make a judgment call on what to fix first – and how much is worth fixing before pushing to production. Download the Addressing Your Open Source Risk eBook to learn more about how Veracode’s combination of machine learning and natural language can help you efficiently and effectively manage open source risk.

Ohio Senate Bill 220 Incentivizes Businesses to Maintain Higher Levels of Cybersecurity

Veracode Ohio SB 220 Data Protection Act

In the last two years alone, there has been a number of high-profile breaches that have given organizations pause, asking them to consider whether the same kind of event could happen to them. After all, a cybersecurity breach could seriously damage or even level your business if you’re not prepared and do not have the appropriate security programs in place. We’ve seen the implementation of the NYDFS Cybersecurity Regulation, and recent breaches have led to serious fines, potentially in the billions, for violating GDPR.

Most recently, we saw the Ohio Senate Bill 220 (S.B. 220) signed into law and go into effect as of Nov. 2, 2018. S.B. 220, known as the Data Protection Act, serves as an incentive to businesses to ensure that they achieve and maintain a higher level of security by maintaining industry-standard cybersecurity programs.

Recent research has shown that the average cost of a data breach globally is $3.86 million – an increase of 6.4 percent from 2017. As data breaches are growing in prevalence and the cost to organizations continue to rise, S.B. 220 serves as a legal “safe harbor” for firms operating in Ohio, if they’re sued for negligently failing to implement reasonable information security controls resulting in a data breach. The organization can use its compliance with the cybersecurity control as an affirmative defense, assuming it is in compliance with one of eight industry frameworks:

  • NIST SP 800-171
  • NIST SP 800-53 and 800-53(a)
  • The Federal Risk and Authorization Management Program (FedRAMP)
  • Center for Internet Security (CIS) Critical Security Controls
  • The ISO 27000 Family
  • The HIPAA Security Rule
  • Graham-Leach-Bliley Act
  • The Federal Information Security Modernization Act (FISMA)

It is important to note that the Data Protection Act “does not, and is not intended to, create a minimum cybersecurity standard that must be achieved,” and it is not to “be read to impose liability upon businesses that do not obtain or maintain” a cybersecurity program that is compliant with one of the eight recognized frameworks listed above. In fact, the bill highlights that there is no silver-bullet approach to cybersecurity, and in order for an organization to call upon the “safe harbor,” it needs to have a program with a scope and scale appropriate to factors like the size and nature of the business, and the level of personally identifiable information it collects and carries.

In the end, it pays for companies to implement proper cybersecurity programs, because it reduces the risk of breach and it mitigates legal risk if a breach occurs. At the same time, cybersecurity protections are still evolving, and organizations are starting to understand that when they focus solely on network security, web application firewalls, or data leakage prevention tools, they are leaving vulnerable a key attack surface: its web applications.

The past few years have seen a marked increase in the number and severity of successful attacks aimed at the application layer, and our State of Software Security report has shown that 85 percent of applications have at least one vulnerability on initial scan. To begin implementing an AppSec program that scales to the size and needs of your organization – and reduces the risk associated with building, buying, and borrowing software – download our Ultimate Guide to Getting Started with Application Security.

The Top Cybersecurity Breaches of 2018

The past year was a wild ride on many fronts, and it included some of the biggest data breaches we’ve seen in recent history. According to a report from Business Insider, some of the biggest victims in 2018 were T-Mobile, Quora, and Orbitz. Millions of people around the world were left vulnerable, as hackers accessed and stole their personal information – which in some cases included passport numbers and credit card information.

Additionally, as we reviewed the State of Software Security, we found that there’s room for improvement in AppSec. The rate of OWASP compliance declined for the third year in a row, with OWASP Top 10 initial scan pass rates only reaching 22.5 percent. Our scan data also shows that more than 85 percent of all applications have at least one vulnerability in them.

Cybersecurity is growing in complexity and organizations are doing their best to protect sensitive data while remaining compliant with regulations like GDPR. At the same time, hackers are seeking out new opportunities and attack vectors through which to launch their campaigns, and as we’ve seen in 2018, many are successful. Here’s a quick look at some of the top breaches from the last year.


Marriott Confirms Less Than 383 Million Unique Guests Affected in Starwood Data Breach

Veracode Marriott Starwood Hotel Breach November 2018

Marriott has confirmed that the number of guests affected in the breach of Starwood’s guest reservation database is down from the originally estimated 500 million to “fewer than 383 million unique guests.” At this time, the hotel giant is unable to confirm an exact number of guests impacted.

According to the statement, approximately 5.25 million unique unencrypted passport numbers and 20.3 million encrypted passport numbers were stolen. Attackers also accessed 8.6 million unique payment card numbers, all of which were encrypted, but only 354,000 cards were active and unexpired at the time of the breach. In its earlier notice in November of last year, the hotel giant confirmed that there had been unauthorized access to the Starwood network since 2014.

Marriott said that it has completed the phase out of Starwood’s reservation database, and now runs guest bookings through its Marriott database, which wasn’t accessed in the breach.

A Breach of Immense Scale and Scope

According to an initial report from the BBC, for roughly 327 million guests, the attacker was able to access personally identifiable information including a combination of name, address, phone number, email address, passport number, account information, date of birth, and gender. In some cases, the compromised records also included encrypted credit card information. At this time, the company was still trying to determine whether the encryption keys had also been stolen.

In a statement published on Nov. 30, Marriott said that it received an alert from an internal security tool that an unauthorized user had attempted to access the Starwood database in the US on Sept. 8, 2018. An investigation into the incident confirmed that an attacker had copied and encrypted the information. Marriott was able to decrypt the information to confirm that the contents were from the Starwood guest reservation database.

Marriott reported the incident to both law enforcement and regulatory authorities, and the UK's data regulator is investigating. While Marriott’s headquarters are in the US, it works with and hosts European citizens, so it must ensure that it meets GDPR complianceIt’s anticipated that Marriott International will receive a substantial penalty because of the size and scale of the breach.

To read initial coverage of this story, with commentary from Veracode Co-Founder and CTO Chris Wysopal, click here.

Hackers Exploit Known Google Chromecast Vulnerability in Thousands of Devices

Veracode Google Chromecast PewDiePie Hack

Starting the New Year off with a bang, Hacker Giraffe and J3ws3r reportedly exploited a vulnerability in thousands of Google Chromecast streaming devices. The CastHack bug, allegedly disclosed nearly five years ago, enabled the hackers to remotely access thousands of the streaming devices, causing them to show a pop-up notice on connected TVs alerting users that their misconfigured router is leaving them vulnerable to more disruptive attacks. While they were at it, they also asked those reading the notice to subscribe to PewDiePie’s YouTube channel.

In 2014, Bishop Fox figure out that it could access and control a Chromecast device by disconnecting it from its existing Wi-Fi network in a deauth attack and reverting it to its factory state. Then, attackers needed to be within range of the Wi-Fi network to gain access, but the attack method has since evolved. Some home routers use Universal Plug and Play (UPNP) networks, which forward ports from the internal network to the internet, allowing connected devices to be viewed and accessed remotely.

“UPnP has been problematic for years. The protocols exist to make interconnectivity of devices simpler for users,” said Paul Farrington, director, EMEA & APJ Solutions Architecture at Veracode. “The idea behind UPnP is nice, but in the context of a hostile attack landscape, it exposes internal networks to risk. The problem with the Chromecast device is that Google haven’t really designed it to anticipate a hostile environment – one in which devices can be directly exposed to the internet.”

Consumers Need More Security Education to Protect Their Networks and Devices

A spokesperson from Google told TechCrunch, “We have received reports from users who have had an unauthorized video played on their TVs via a Chromecast device. This is not an issue with Chromecast specifically, but is rather the result of router settings that make smart devices, including Chromecast, publicly reachable.”

While some devices and software applications may rely on UPnP, the majority don’t, and Farrington advises home users to turn it off on their Internet routers. Still, there is more that device manufacturers and Internet Service Providers (ISPs) could do to help educate consumers about device security and providing secure configurations.

“Before network and software engineers create products, they really need to think about the adversary,” Farrington notes. “Asking the question, ‘how would the attacker benefit from this design feature’ should be a constant question that is asked within development teams. Threat Modelling is a term used to describe an approach of identifying ‘secure by design’ architectures that make sensible trade-offs on risk vs. benefit. Upfront thinking about security, coupled with continuous security testing is really the only way to address the modern challenge of keeping consumers safe from hackers.”

Scan data from Veracode’s State of Software Security Report Volume 9 shows that DevSecOps teams that embed continuous, automated security testing into their routine eliminate security defects 11.5 times faster than those that test more infrequently. Building security in across the SDLC is a competitive advantage for both B2B and B2C organizations. The last few years have shown that consumers are increasingly experiencing breaches of their personal information and devices, and will want to ensure that they’re secure when they make buying decisions.

Carnegie Mellon’s Software Engineering Institute Report Shows Efficacy of Static Application Security Testing

A new report from Carnegie Mellon University’s Software Engineering Institute shows that automated, integrated Static Analysis improves software quality, reduces development time, and makes software more reliable and secure. By incorporating application security testing throughout the entirety of the Software Development Lifecycle (SDLC), organizations are able to ensure the security and quality of its software, and increasing speed-to-market.

The findings stand in support of what our own data and customer practices have shown. In the State of Software Security Volume 9, analysis of Veracode’s application testing data found that development teams that implemented DevSecOps practices fixed flaws 11.5 times faster than typical organizations. While Nichols’ report does not include vendor comparisons, it does provide an overall analysis on the total benefits of a secure development approach. 

Development teams at three organizations were observed, with each team using both static code analysis (SCA) and static binary analysis (SBA). The teams each used these software development tools at different times in the SDLC, across multiple and varying projects. The study found that applying the tools added no additional effort for development teams prior to release, and that as developers sharpened secure coding skills, false positive rates declined with cleaner code. It further recommends that organizations build and automate static testing into their workflows across the SDLC, continue to apply human analysis to testing results to ensure quality.

Three Must-Have Solutions to Kick-Off Your Application Security Program

Building and maturing an application security program might seem like a daunting project, but getting started is simpler than you think. There is an established series of steps most organizations take when developing their programs. Here are the three solutions we recommend to get you started in securing your business-critical applications:

1.Veracode Greenlight: Deliver applications faster and meet your development timelines by writing secure code the first time around. Veracode Greenlight, an IDE or CI integrated continuous flaw feedback and secure coding education solution, returns scans in seconds, which helps developers discern whether their code is secure. This solution helps teams maintain development velocity, reduce the number of flaws introduced into an application, and strengthens secure coding skills and practices. Learn more.

2.Static Analysis: Veracode static analysis enables you to quickly identify and remediate application security flaws at scale and with efficiency. Our SaaS-based platform integrates with development and security tools to make testing a seamless part of your process. Once flaws are identified, teams can leverage in-line remediation advice and one-to-one coaching to reduce mean time resolve. Learn more.

3.Software Composition Analysis: While the report found that SAST wasn’t the strongest solution to reducing the risk of open source components, modern software composition analysis is. Today, applications are more often assembled from other sources, and in a typical application, we’re seeing some comprised of up to 90 percent third-party code. Veracode’s SCA uses real machine learning and natural language processing to identify potential vulnerabilities in open source libraries with a high level of accuracy. By understanding the status of the components within an application, and if a vulnerable method is being called, organizations can prioritize fixes based on the riskiest use of components and maintain their speed-to-market. Learn more.

Applications continue to be one of the top attack vectors for malicious actors, and while there is no application security silver bullet, we can help you implement automated techniques and manual processes to ensure that your applications are secure. To start creating more secure software today and learn more about how our solutions can help drive down application risk in your organization, contact us.

Indictment of Chinese Hackers Underscores Need for Stronger Cybersecurity

Veracode Chinese Hackers Indicted Spearphishing

According to a newly unsealed indictment, two Chinese nationals working with the Chinese ministry of state security have been charged with hacking a number of U.S. government agencies and corporations. The court filing indicates that Zhu Hua and Zhang Jianguo, members of Advanced Persistent Threat 10 (APT10), used phishing techniques in order to steal intellectual property, confidential business data, and technological information between 2006 and 2018.  

The APT10 Group was able to access more than 40 computers to steal confidential data from the U.S. Department of the Navy, including the personally identifiable information of more than 100,000 Navy personnel. The NASA Goddard Space Center and the space agency’s Jet Propulsion Lab were also named in the filing, according to a report in TechCrunch.

Tailored and Convincing Spearphishing Gave APT10 Unfettered Access

Rather than taking a spray-and-pray approach to their attack, APT10 carefully selected their targets and created tailored email campaigns to trick the recipient into opening malicious Word document attachments and files. The emails appeared to originate from a trusted sender, the filenames and types legitimate, and pertained to something relevant to the victim. An example included in the indictment involved a helicopter manufacturer that received an email with the subject line, “C17 Antenna problems” that included a malicious Microsoft Word attachment named “12-204 Side Load testing.doc.”

This methodology created an air of safety and allowed the email recipients to open the emails and attachments without suspicion or question. The indictment indicates that the malware used in the campaigns typically included customized variants of a remote access Trojan (RAT), including one called Poison Ivy, and keystroke loggers used to steal usernames and passwords as users typed in their credentials.

The “Technology Theft Campaign”

Over the course of this campaign, members of APT10 – including Hua and Jianguo – gained access to approximately 90 computers belonging to commercial and defense technology companies, as well as U.S. Government agencies in at least 12 states. They stole hundreds of gigabytes of sensitive data and targeted the computers of companies across dozens of industries and technologies, including aviation, space and satellite, manufacturing, pharmaceutical, oil and gas exploration and production, communications, computer processing, and maritime.  

The “MSP Theft Campaign”

In 2014, the defendants and co-conspirators in APT10 hacked into the computers and networks for managed service providers (MSP) for businesses and governments around the world. Because MSPs are responsible for remotely managing their clients’ information technology infrastructure – like servers, storage, networking, consulting and support services – the attackers were able to steal intellectual property and confidential business data on a global scale. The indictment states that through one particular MSP, which supports operations for the Southern District of New York, the group was able to access data of clients from 12 different countries across dozens of industries, including banking and finance, healthcare, and biotechnology. The malware used in this campaign was programmed to communicate with domains hosted by DNS service providers that were assigned IP addresses of computers APT10 controlled. In total, the group registered roughly 1,300 unique malicious domains.

Stronger Security Hygiene Is Necessary to Avoid Digital Theft

Although prosecutions are unlikely, the details of the indictment clearly indicate that if a tech company is vulnerable, its valuable intellectual property and personal data can be taken.

“Tech companies aren’t ramping up their security to protect their IP and data commensurate with the value attackers put on the data,” said Veracode CTO Chris Wysopal. “Compromising endpoints with vulnerable Word Documents means there isn’t good endpoint hygiene. Microsoft has recently released Windows Sandbox for Windows Pro and Enterprise users.  It would be a good idea to open externally sourced Word Documents with Word running in Windows Sandbox.”