Author Archives: lpaine@veracode.com (lpaine)

Veracode Customers Improve Mean Time to Remediation by 90%

Bill Gates is well known for treating time as a scarce resource, and in 1994, John Seabrook published a piece in The New Yorker detailing an email exchange he carried on with the famous technologist. Seabrook notes that Gates’ reverence for time was evident in his correspondence – skipping salutations and pleasantries, leaving spelling mistakes and grammatical errors in-line, and never addressing the journalist by his name. In one of the emails, Gates wrote that, “the digital revolution is all about facilitation – creating tools to make things easy.”

Software is the heart of the global economy, and it has paved the way for increased productivity, simplified workflows, and has helped leaders build businesses beyond their wildest dreams. It has changed the way that security practitioners and developer teams view and manage time, through agile methodology and sprint planning facilitated by tools like JIRA.

Just as minutes, hours, and days can be the difference between meeting sprint deadlines and maintaining speed to market, time is also the difference between preventing a massive data breach and being the victim of one. However, although a cutting-corners approach may work well for email correspondence between colleagues, and perhaps journalists, using this timesaving approach when crafting code has the potential to be downright dangerous. Organizations today need to balance time to market and code quality, which includes code security.

How organizations reduced mean time to remediation and saw a 63% ROI with Veracode

We recently commissioned the Forrester Total Economic Impact™ of Veracode Application Security Platform to learn how our customers’ security and developer teams are strengthening the security posture of their applications, reducing mean time to remediation (MTTR) by implementing DevSecOps practices with our solutions. Based on interviews with Veracode customers in insurance, healthcare, finance, and information technology services, Forrester created a TEI framework, a composite company, and an associated ROI analysis to illustrate the financial impact.

The report found that prior to using Veracode, the composite organization experienced 60 flaws per MB of code, though they were using other application security testing solutions. After adopting the Veracode Platform and integrating tools into their CI/CD pipeline, the composite saw a reduction in security flaws of 50 percent to 90 percent over three years.

Additionally, by implementing DevSecOps practices, building stringent security controls, and integrating vulnerability testing into their CI/CD pipeline, our customers were able to reduce mean time to remediation by 90 percent. Resolutions that previously took 2.5 hours on average were reduced to 15 minutes, helping developers reduce their time spent remediating flaws by 47 percent. This stands to reason, given that our State of Software Security Volume 9 (SOSS Vol. 9) found that the most active DevSecOps teams fix flaws 11.5x faster than the typical organization.

By using Veracode Greenlight and Veracode Software Composition Analysis, developer teams were able to identify issues while they were coding, which reduced the likelihood that flaws would enter later stages of production. What’s more, our customers’ developer teams introduced fewer flaws to their code, and those flaws took less time to resolve because we offered them contextual information related to the data path and call stack information of their code.

It’s not enough to find security flaws quickly if you’re not remediating the right ones quickly

Most companies prioritize high-severity and critical vulnerabilities because they are less complicated to attack, offer greater opportunity for complete application compromise, and are more likely to be remotely exploitable. The trouble is that if a low-severity vulnerability is present in the execution path, it may put your application at greater risk than a high-severity vulnerability if your application is never calling upon that severe vulnerability in the first place. The exploitability of a vulnerability is a critical consideration many organizations overlook.

In our analysis of flaw persistence in SOSS Vol. 9, we found that organizations hit the three-quarters-closed mark about 57 percent sooner for high and very high severity vulnerabilities than for their less severe counterparts. In fact, our scan data indicates that low-severity flaws were attended to at a significantly slower rate than the average speed of closure: it took organizations an average of 604 days to close three quarters of these weaknesses.
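The two metrics used in this section, mean time to remediation and the time at which three quarters of a population of flaws is closed, are easy to compute from a scan history. The following is an added example, not Veracode's own code or data: it runs over a small set of constructed flaw records (opened date, severity, closed date or still open) and reports MTTR per severity plus the time-to-75%-closed figure, returning None when the population has not yet reached that mark.

```python
from datetime import date
from math import ceil
from statistics import mean

# Constructed sample records: (flaw_id, severity, opened, closed or None if still open).
FLAWS = [
    ("F-1", "high", date(2019, 1, 1), date(2019, 1, 3)),
    ("F-2", "high", date(2019, 1, 1), date(2019, 1, 6)),
    ("F-3", "high", date(2019, 1, 2), date(2019, 1, 12)),
    ("F-4", "high", date(2019, 1, 5), None),
    ("F-5", "low", date(2019, 1, 1), date(2019, 3, 1)),
    ("F-6", "low", date(2019, 1, 1), None),
    ("F-7", "low", date(2019, 1, 1), date(2019, 5, 1)),
    ("F-8", "low", date(2019, 1, 10), date(2019, 1, 20)),
]


def _select(flaws, severity):
    return [f for f in flaws if severity is None or f[1] == severity]


def closed_durations(flaws, severity=None):
    """Days from open to close for every flaw that has actually been closed."""
    return sorted((closed - opened).days
                  for _, _, opened, closed in _select(flaws, severity)
                  if closed is not None)


def mttr_days(flaws, severity=None):
    """Mean time to remediation over closed flaws (None if nothing closed yet)."""
    durations = closed_durations(flaws, severity)
    return mean(durations) if durations else None


def time_to_close_fraction(flaws, fraction=0.75, severity=None):
    """Days until `fraction` of ALL flaws in the population (open ones included)
    were closed. Returns None when that mark has not been reached yet."""
    population = _select(flaws, severity)
    durations = closed_durations(population)
    needed = ceil(fraction * len(population))
    if needed == 0 or needed > len(durations):
        return None
    return durations[needed - 1]


if __name__ == "__main__":
    for sev in ("high", "low", None):
        label = sev or "all"
        print(f"{label:5} MTTR={mttr_days(FLAWS, sev)} days, "
              f"75% closed after {time_to_close_fraction(FLAWS, 0.75, sev)} days")
```

Open flaws count toward the population but contribute no duration, which is what makes the 75%-closed mark a persistence measure rather than just an average over the flaws that happened to get fixed.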

With many tools out there, developers will receive an extremely large list of vulnerabilities, including those in the open source libraries packaged in your application, and they will have to make a judgment call on what to fix first – and how much is worth fixing before pushing to production. The stark reality is that the time it takes developers to fix security flaws has a much larger impact on reducing risk than any other factor.

Veracode offers developers the opportunity to write secure code, limit the vulnerabilities introduced into production, and prioritize vulnerabilities with our vulnerable method approach, expert remediation coaching, and security program managers. To learn more about how the Veracode Platform enables security and development teams to work in stronger alignment, reduce mean time to remediation, and boost an organization’s bottom line, download the Forrester Total Economic Impact™ of Veracode Application Security Platform.

Veracode Now Available on the Digital Marketplace G-Cloud UK


There is a deepening awareness that cyberthreats can never be eliminated completely, and digital resilience is an absolute necessity – and this is true for both private and public sector organizations and agencies. With this understanding, the UK Government created its G-Cloud Framework, which has transformed the way that public sector organizations can purchase information and communications technology in order to better build secure digital foundations. The program allows public bodies to buy commodity-based, pay-as-you-go cloud services through government-approved, short-term contracts via the Digital Marketplace. This procurement process supports the UK Government's Cloud First policy, as well as its desire to achieve a “Cloud Native” digital architecture.

Strengthening the security posture of your applications is critical in strengthening the security posture of your organization, and the Veracode Platform was created as a cloud-based application security solution because of the multitude of advantages it offers our customers. Not only are you able to avoid the expenses associated with purchasing hardware, procuring software, managing deployment and maintaining systems, you are also able to implement immediately – which means seeing results and value on day one. We’ve now made it even simpler for organizations within the UK to secure their application security portfolio: The Veracode Platform and services are now available for purchase on the Gov.co.uk Digital Marketplace.

Revolution not Evolution: How the UK Government Created a Cloud First Initiative

In 2010, the UK Government began a revolution that has influenced the way in which nations around the world are conducting business and structuring cybersecurity programs within their own government bodies and organizations. The creation of the Government Digital Service (GDS), a consumer-facing portal and link for businesses that simplifies interacting with the government, led the way to the adoption of a Cloud First policy for all government technology purchases.

The GDS team was created to more fundamentally rethink how government works in the modern era, with the aim to establish a digital center for the UK government that would bring the talent in-house, rather than relying on vendor expertise to make changes to government web applications and properties. The ultimate goal was to fix and enhance the way that people interact with the government, embed skills and capability across the government so that it could work in a new way, and open up data and APIs so other people could build on government-developed services.

The re-architecting of the government website began with a whiteboard and a heavy focus on user needs. The small team worked together to build a hub that would evoke a response, understanding that leading with imagery was really powerful, and iterated, changed, and improved as they homed in on the users’ needs. At that time, no other government technology had been run in an agile fashion.

And then the GDS team took it one step further by making all of its GitHub repositories open, because they considered it to be the people’s code, they wanted the people to help make their code better, and they knew it would make recruitment simpler if they could more easily show potential candidates what was under the hood. It allowed different agencies within the government to work together more openly, which helped to reduce the risks associated with the open source code everyone was using.

The Cloud First Policy

This new approach to development also called for new processes and policies for acquiring software and working with technology vendors. In 2013, the UK government adopted a Cloud First, or Cloud Native, policy for all technology decisions. By operating in a Cloud Native framework, the government is able to adapt how it organizes its work to take advantage of what’s available in the market and any emerging technologies. This new policy made it mandatory to consider cloud solutions before alternatives, and required anyone opting for an on-premise solution to demonstrate why non-cloud technologies would provide better value for the money.

Further, the policy states that the government must also consider public cloud first – to consider SaaS models, particularly for enterprise IT and back office functions – and Infrastructure as a Service and Platform as a Service. The GDS team understands that without adapting and adopting technologies and focusing on core outcomes and principles, it won’t be able to meet the expectations of its users, and it won’t be prepared for the changes likely to arise as they manage growing volumes of data, and a proliferation of devices and sensors.

To truly become cloud native, the GDS transformed how it monitors and manages distributed systems to include diverse applications. It continues to deepen the conversations with vendors about the standards that will help them manage these types of technology shifts. Most of all, it continues to ensure it always chooses cloud providers that fit the needs at hand, rather than basing choices on recommendations.

To learn more about Veracode’s offerings on the Digital Marketplace G-Cloud UK, including our application security platform and services, click here.

New Research: Apache Solr Parameter Injection

Apache Solr is an open source enterprise search platform, written in Java, from the Apache Lucene project. Its major features include full-text search, hit highlighting, faceted search, dynamic clustering, and document parsing. You treat it like a database: you run the server, create a collection, and send different types of data to it (such as text, XML documents, PDF documents, etc.). Solr automatically indexes this data and provides a fast and rich REST API to search it. The only protocol for talking to the server is HTTP, and yes, it's accessible without authentication by default, which makes it a perfect victim for keen hackers.

In a new research paper, Veracode Security Researcher Michael Stepankin sheds light on this new type of vulnerability for web applications – Solr parameter injection – and explains how cyberattackers can achieve remote code execution through it. Whether the Solr instance is Internet-facing, behind a reverse proxy, or used only by internal web applications, the ability to modify Solr search parameters is a significant security risk. Further, in cases where only a web application that uses Solr is accessible, by exploiting 'Solr (local) Parameters Injection,' it is possible to at least modify or view all the data within the Solr cluster, or even exploit known vulnerabilities to achieve remote code execution.

Read the in-depth, technical whitepaper, “Apache Solr Injection,” on GitHub.
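The defensive counterpart to the problem described above is to never let request parameters flow from the web tier to Solr untouched. The following is an added example, not code from the research paper or from the Solr project: a small Python layer that allowlists which parameter names a front end may forward, bounds the numeric ones, rejects anything containing Solr's local-params opener (`{!`), and backslash-escapes the Lucene query-parser metacharacters in free text so it is searched literally. The parameter set, the sort allowlist and the field name are assumptions for the example.

```python
import re
import urllib.parse

# Characters the Lucene/Solr query parser treats specially; each is neutralised
# with a backslash so user text is matched literally rather than parsed.
_SPECIAL_CHARS = set('+-&|!(){}[]^"~*?:\\/')

# Assumed policy for this example: the only Solr parameters the front end may
# forward, and the bounds they must respect.
ALLOWED_PARAMS = {"q", "rows", "start", "sort"}
MAX_ROWS = 100
ALLOWED_SORT = {"score desc", "created desc", "created asc"}  # assumed field name

# A Solr local-params block opens with "{!"; untrusted input should never carry one.
_LOCAL_PARAMS = re.compile(r"\{\s*!")


def escape_query_text(text: str) -> str:
    """Backslash-escape query-parser metacharacters in free-text input."""
    return "".join("\\" + ch if ch in _SPECIAL_CHARS else ch for ch in text)


def contains_local_params(value: str) -> bool:
    """True when a value looks like it is trying to open a local-params block."""
    return bool(_LOCAL_PARAMS.search(value))


def build_solr_params(user_params: dict) -> dict:
    """Turn untrusted request parameters into a bounded, escaped Solr request.

    Raises ValueError for anything outside the allowlist instead of passing it on.
    """
    for name, value in user_params.items():
        if name not in ALLOWED_PARAMS:
            raise ValueError(f"parameter not permitted: {name}")
        if contains_local_params(str(value)):
            raise ValueError(f"local-params syntax rejected in {name}")

    text = str(user_params.get("q", "")).strip()
    q = escape_query_text(text) if text else "*:*"  # match-all only when we choose it

    rows = min(max(int(user_params.get("rows", 10)), 1), MAX_ROWS)
    start = max(int(user_params.get("start", 0)), 0)

    sort = str(user_params.get("sort", "score desc"))
    if sort not in ALLOWED_SORT:
        raise ValueError(f"sort not permitted: {sort}")

    return {"q": q, "rows": rows, "start": start, "sort": sort}


def to_query_string(params: dict) -> str:
    """Encode the vetted parameters for the /select request."""
    return urllib.parse.urlencode(params)


if __name__ == "__main__":
    safe = build_solr_params({"q": "static analysis: java", "rows": "500"})
    print(to_query_string(safe))
    for bad in ({"q": "{!lucene} anything"}, {"q": "x", "fq": "*:*"}):
        try:
            build_solr_params(bad)
        except ValueError as err:
            print("rejected:", err)
```

Logging the rejections is worthwhile: a spike in requests carrying `{!` or unexpected parameter names is a cheap detection signal for the class of probing the paper describes.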

Live From Black Hat USA: Making Big Things Better the Dead Cow Way

When Reuters’ investigative reporter Joseph Menn confirmed that presidential candidate Beto O’Rourke was an early member of The Cult of the Dead Cow (cDc), it seemed as though folks had two viewpoints on it. They either had more respect for him because they understood what cDc was trying to accomplish, or they were relatively horrified because “hackers are bad.” It’s easy to fear what we don’t understand, and what is often cast in a bad light.

In InfoSec, we know and understand that hackers are not inherently bad. Many of them are hacktivists looking to make positive change in the world. During the Black Hat panel discussion, “Making Big Things Better the Dead Cow Way,” Menn talked about how O’Rourke was 14 or 15 years old when he joined the cDc and left before the organization grew in notoriety, and that he interviewed a neo-Nazi in Texas and proceeded to let him hang himself with his own words. Even at that young age, he was all about diversity and engagement, especially within the cDc.

Mudge Zatko, a prominent member of L0pht and the cDc, who went on to be a program manager at DARPA, shared what he thought stood out most about O’Rourke, saying, “You can form groups online, but when you get together and meet the person, are they who you thought? You met [Beto] and he was a very friendly guy.”

This story matters because in order to make change, you have to understand where your power and influence lie to have the best results. For O’Rourke, that looks like running for president. For the cDc, it was acknowledging that hackers have power and influence. With the understanding that computers and encryption could be leveraged to help human rights efforts, the group made a more public move toward hacktivism.

“What can you do to make the world a better place? How do we leverage this power? Use that to go through the media, and hopefully through some sort of technology, but especially through our connections to the media and use the influence of our long history,” said Mudge.

While Veracode co-founder Christien Rioux, or Dildog, opted to work with the private sector to tackle issues of security at wide scale by creating the technology that would become static binary analysis and Veracode, there are many who opt to take more of a hacktivist approach. As with anything else, there are varying views on what hacktivism is and what it isn’t – which parallels the debates about what human rights truly encompass.

“What is your definition of human rights? Just governmental interaction because of civil liberties, or is it applicable to private organizations?” asks Luke Benfey (aka Deth Veggie). “Some believe it is and some believe it isn't. There are philosophical disagreements about what is ethically valid. Some believe that DDoS or web defacement is not applicable as a legitimate means of protest, and others believe it is a legitimate means of protest. These are things that are still going on, and I don't necessarily think that the kinds of hacktivism have changed radically, so much as the scale has changed; the Internet and access to it has spread much more widely around the world.”

With broader access comes broader awareness and even broader responsibility: once something is seen it can’t be unseen. While we certainly see malicious cyberattacks making headlines, a lot of good is being done by the hacktivist community as well. Just look to discussions around coordinated disclosure and the ways in which security researchers are working with private and public organizations to make them – and all of us – safer.

If you’re looking for something to do, and want real proof of the cDc’s hacktivist ethos, we were told that if you search the former Yugoslavia website for cDc in the case files pertaining to former Yugoslav president Slobodan Milosevic’s trial for war crimes, you’ll see that they pop up a lot for their work helping prosecutors.

Or you could just watch this video Q&A where Veracode Co-Founder Chris Wysopal (@WeldPond) interviews Menn, Rioux, and Deth Veggie about the cDc and Menn’s book, “Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World” at this year’s Black Hat.

Live From Black Hat USA: The Inevitable Marriage of DevOps & Security

During her briefing with Kelly Shortridge, vice president of product strategy at Capsule8, Dr. Nicole Forsgren, research and strategy at Google, did a beautiful job of adding imagery to the story she told of the attendee reactions during the now-famous talk Paul Hammond and John Allspaw gave at Velocity in 2009. If you're not familiar, the title of said talk was, "10 Deploys Per Day: Dev & Ops Cooperation at Flickr."

Forsgren recalled that, "The room was split. At the end of this process, large pieces of code would be deployed and, basically, lit everyone on fire. Half the room was amazed and it was changing the world. Half of the room said they were monsters and how dare they light people on fire 10 times per day." Forsgren concluded that "DevOps has crossed the chasm - the business benefits are too striking. We see most of the industry doing this. There is no turning the ship around."

Indeed, DevOps has long moved beyond the conceptual and has become a widely adopted practice in software development and delivery. It gave birth to the InfoSec equivalent of DevSecOps and the concept of "shifting security left." From where I sit within Veracode, I see the ways that many security solutions providers are doing their best to provide developers with the tools they need to embed security into their workflow, yet it’s clear that there is still more to be done to get InfoSec professionals on board.

"James Wickett has said the ratio of engineers in development, operations, and InfoSec in a typical technology organization is 100:10:1. If we integrate [InfoSec professionals] earlier to have input, the shift left can build a more collaborative culture, contribute to amazing outcomes - like stability, reliability, and resiliency," Forsgren said. "We need to build secure systems, and we will find ways to do this. We know this is super important, and security is the next frontier. Security can contribute to this and join DevOps. Or you can stand aside as DevOps figures this out and carves its own path. I would love to see InfoSec contributing the expertise we just don't have."

Forsgren was clearly echoing the sentiment Dino Dai Zovi expressed in his conference keynote. Certainly, the concept of being lit on fire 10 times per day would create a fight-or-flight response, and it is much easier to go to no than to go to yes. Yet, when Forsgren spoke about the benefits of this type of work, she explained that what InfoSec pros would face would be mini-fires with a smaller blast radius. She argues that it is time for InfoSec to say, "no, and…"

The Security of Chaos

It appeared that Shortridge couldn't have agreed more.

"The real DevOps will be held accountable for security fixes," said Shortridge. "So what should goals and outcomes become? Why should InfoSec and DevOps goals diverge? InfoSec should support innovation in the face of change - not add friction. InfoSec has arguably failed, so 'this is how we've always done it' is invalid. The greatest advances in security are rarely spawned by the security industry."

In other words, it's time to start jumping out of the proverbial planes in order to face our fears and start doing things differently in security. Shortridge reminded us that it is inevitable that things will fail and things will be pwned, which is why she is a proponent of adopting chaos engineering. Chaos engineering is the discipline of experimenting on a software system in production to give your organization confidence in the system's capability to withstand turbulent and unexpected conditions while still delivering adequate quality of service (resiliency) during difficult times.

The concept of chaos engineering was created while Greg Orzell was overseeing Netflix's migration to the cloud in 2011. He wanted to address the lack of adequate resilience by creating a tool that would cause breakdowns in their production environment - the one used by Netflix customers. In doing this, the team could move from a development model that assumed no breakdowns to one where they were considered inevitable. This encouraged developers to build resilience into their software from the start. By regularly "killing" random instances of software service, they could test redundant architecture to make sure that a server failure wouldn't noticeably impact the customer experience.

"Expect your security controls will fail and prepare accordingly. System architectures must be designed assuming the controls and users will fail," she said. "Users very rarely follow the ideal behaviors. Don’t try to avoid incidents. Embrace your ability to respond to them. Ensure that your systems are resilient enough to handle incidents gracefully. Pivot toward realistic resilience."
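The Netflix pattern above (kill random instances, confirm the customer never notices) and Shortridge's point that security controls themselves must be designed to fail can be demonstrated together in one small experiment. The following is an added example, not code from Netflix, Capsule8 or the talk: a toy gateway fronts a pool of replicas and an assumed authorization dependency; the experiment records the steady state, terminates random replicas, then takes the authorization service down and checks that requests are denied rather than quietly let through. Names such as `Gateway`, `AuthzService` and the grant table are constructed for the example.

```python
import random


class ServiceDown(Exception):
    """Raised when a dependency is unreachable (the injected fault)."""


class Replica:
    """One instance of the application service behind the gateway."""

    def __init__(self, name: str):
        self.name = name
        self.alive = True

    def handle(self, action: str) -> str:
        if not self.alive:
            raise ServiceDown(self.name)
        return f"{action} served by {self.name}"


class AuthzService:
    """Assumed stand-in for an external authorization dependency."""

    def __init__(self, grants: dict):
        self.grants = grants  # user -> set of permitted actions (constructed)
        self.alive = True

    def allowed(self, user: str, action: str) -> bool:
        if not self.alive:
            raise ServiceDown("authz")
        return action in self.grants.get(user, set())


class Gateway:
    """Routes requests to a live replica after an authorization check."""

    def __init__(self, replicas, authz, rng):
        self.replicas = replicas
        self.authz = authz
        self.rng = rng

    def handle(self, user: str, action: str) -> str:
        # The control is designed to fail closed: an unreachable authz
        # service denies the request, it never falls back to "allow".
        try:
            if not self.authz.allowed(user, action):
                return "denied"
        except ServiceDown:
            return "denied: authz unavailable"
        live = [r for r in self.replicas if r.alive]
        if not live:
            return "unavailable"
        return self.rng.choice(live).handle(action)


def run_experiment(replica_count: int = 3, kill: int = 1, seed: int = 7) -> dict:
    """Steady state, then replica kills, then loss of the security control."""
    rng = random.Random(seed)  # seeded so a run is reproducible
    replicas = [Replica(f"app-{i}") for i in range(replica_count)]
    authz = AuthzService({"alice": {"read"}})
    gw = Gateway(replicas, authz, rng)
    results = {}

    # 1. Steady-state hypothesis: authorized work succeeds, unauthorized is denied.
    results["steady"] = gw.handle("alice", "read")
    results["steady_unauthorized"] = gw.handle("bob", "read")

    # 2. Inject the fault: terminate `kill` randomly chosen replicas.
    for victim in rng.sample(replicas, kill):
        victim.alive = False
    results["after_kill"] = gw.handle("alice", "read")
    results["live_replicas"] = sum(r.alive for r in replicas)

    # 3. Inject a control failure: the authorization dependency goes away.
    authz.alive = False
    results["authz_down"] = gw.handle("alice", "read")
    return results


if __name__ == "__main__":
    for key, value in run_experiment().items():
        print(f"{key:20} {value}")
```

Killing all replicas is the edge case worth running on purpose: the gateway must answer "unavailable" rather than raise, and the authorization outage must read as a denial in the logs, which is the behaviour an on-call responder wants to see during a real incident.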

If your team treats chaos as a given rather than an exception, there are real benefits to applying chaos resilience, including lower remediation costs, decreased stress levels during real incidents, and less burnout.

"Incidents are a problem with known processes, rather than fear and uncertainty. It creates feedback loops to foster understanding of systemic risk. Chaos engineering does this to help us continuously refine security strategy - essentially all the time red teaming. You have the ability to automate the toil, or the manual, repetitive, tactical work that doesn't provide enduring value," she said.

How to Marry DevOps and Security

At the end of the talk, Forsgren offered these tenets for a scalable love between DevOps and Security:

  1. Sit in on early design decisions and demos – but say “No, and…” vs. “No.”
  2. Provide input on tests so every testing suite has InfoSec’s stamp on it.
  3. By the last “no” gate in the delivery process, nearly all issues will be fixed.
  4. InfoSec should focus on outcomes that are aligned with business goals.
  5. Time To Remediate (TTR) should become the preliminary anchor of your security metrics.
  6. Security- and performance-related gamedays can’t be separate species.
  7. Cultivate buy-in together for resilience and chaos engineering.
  8. Visibility/observability: collecting system information is essential.
  9. Your DevOps colleagues are likely already collecting the data you need - work with them to collect it.
  10. Changing culture: change what people do, not what they think.

Forsgren and Shortridge made the case that security cannot force itself into DevOps, it must marry it - and have an equal partnership. Chaos/resilience are natural homes for InfoSec and represent its future, and InfoSec will need to evolve to unify responsibility and accountability.

"If not, InfoSec will sit at the kids’ table until it is uninvited from the business," Shortridge said. "Giving up control isn’t a harbinger of doom. Resilience is a beacon of hope."

Stay tuned for more from Black Hat …

Live From Black Hat USA: Four Key Takeaways from Dino Dai Zovi’s Keynote

"Did you know that your 20th Black Hat is when you get to give the keynote at Black Hat?" Dino Dai Zovi, head of security for Cash App at Square, joked to the packed ballroom. While it may have been Dai Zovi's 20th conference, the topic of his keynote has never been more fitting for where we are in security and the ways in which it mirrors what we experience in our day-to-day life.

He gave us an overview of his history: in high school he realized that hacking and security was a lot more like magic than he previously thought, because it was about figuring out how things work, putting a lot of thought into writing and making something respond in the way you want it to. In college, he spent his nights, weekends, and spring breaks learning how to find and exploit vulnerabilities in code. And about that time (in 2007) he used his skills to simultaneously prove that Apple's OS X operating system could, indeed, be hacked and win a laptop for his friend in the Pwn2Own competition.  

No big deal.

Dai Zovi took his work as a security researcher into more corporate organizations, where he learned about the importance of automation, understanding what is really being asked for in order to solve the right problem, and ensuring that there is collaboration between security and development to achieve more quality outcomes. Here are the four key lessons that Dai Zovi learned as he transitioned from offense to defense.

Work backwards from the job: Dai Zovi talked about how McDonald's was working to understand how they should evolve their milkshake. What they noticed was that people were ordering them in the morning, and they wanted to see why this was happening. In discussions with a customer, the customer indicated that they needed to have breakfast on their morning commute. They had tried a banana, but it wasn't filling enough; a bagel was too dry, and spreading cream cheese while driving was too challenging; in giving doughnuts a shot, they found they were eating too many; but the McDonald's milkshake - unlike other milkshakes - was thick enough to last the full 40-minute drive to work and left them feeling full. As it turns out, the customer was not ordering a milkshake to satisfy hunger, but to cure boredom. Really try to understand your customer, who they are and where they struggle, and what you need to do to provide the best product or solution for them.

Seek and apply leverage: For this story, Dai Zovi took us back to his time with @stake, where when he first started he was essentially fuzzing by hand. He wanted to show off his skills, but then he realized that his colleague was completing his work - and finding more vulnerabilities - faster than him (and subsequently honing his foosball game) by using an automated technique. So Dai Zovi followed his lead and found that he was able to find more and do it more effectively. By using feedback loops, software, and automation you can really scale your impact.

Culture is more powerful than strategy, which is more powerful than tactics: In one of the organizations he worked in, Dai Zovi was in a conversation with a developer who had been working on a feature but noticed it was coming out…a bit "sketchy." So the developer and security team whiteboarded the feature and worked together to ensure that it was secure by design (shift left, anyone?). As security leaders, it's important that we focus on the security culture of our organizations. If we can create security culture change in every team, we can scale a lot more powerfully than we can if security is only security's responsibility.

Start with yes: We need to engage the world starting with yes. It keeps the conversation going, it keeps the conversation collaborative, and it keeps the conversation constructive. It says, "I want to work to solve the other problems you have, and I want to make you safe.” That's how we create real change and have a real impact.

"Why don't all security teams start with yes," Dai Zovi asked the audience. "Fear. There are lots of reasons to be afraid. But fear misguides us because it's irrational. Fear causes paralysis and creates more insecurity because it often leads to doing nothing."

For me, this was the most powerful takeaway. Dai Zovi talked about how he overcame his fear of flying by learning how to skydive. He felt the fear center in his brain activate and assured it that he would be fine: he had the right equipment and knowledge and knew that he would land safely. The more he jumped, the more he proved to his brain that he was safe and the fear dissipated.

Here is a truth about the human brain: we fear being rejected (or not belonging) and change above all else. There was a time when being outcast from the community meant certain death, and because change cannot be predicted, it cannot be planned for. As evolved as we have become, our brains have not kept up and we are all walking around with outdated technology that thinks that it should respond to change in the same way that it does being chased by a lion.

Ultimately, if we want to strengthen communication we need to first understand that we're all human and assume good intent. Everyone wants to feel safe and they want to belong, and these two desires can stop progress in its tracks. Yet being agile and objective, communicative and collaborative, are essential in today's changing threat landscape. The reality is, we need more innovation and teamwork in development and security - not less. Change is both an inevitable part of life and keeping software safe - we must be agile in our thinking and in our actions.

Stay tuned for more from Black Hat …

Live From Black Hat USA: Communication’s Key Role in Security

The kick-off keynote for the 23rd Black Hat USA Conference in Las Vegas set the stage for the conversations that will undoubtedly be discussed in great detail over the next two days - and likely the next two years - if Black Hat founder Jeff Moss’ opening remarks are indicative of a trend. Moss pointed out that security had been asking for the spotlight, both in legislative and more corporate settings, and the industry has had it for the last two years. However, it isn't enough to have the spotlight if you don't know how to harness it. In this case, what Moss was talking about is that how we communicate determines the outcomes we receive. He quipped that if you communicate well, then you may find yourself with more budget - and if you communicate poorly, you could find yourself fired.

Point taken.

Yet defining what cyber or security is remains an ongoing challenge, and Moss notes that oftentimes the language that we use causes us to think of a problem in a certain way, taking us in a direction we don't really want to be heading. He notes that while cyber, or information, is considered the Fifth Domain, it doesn't mean that it is equal to land, sea, air, and space. It's different and requires a different language and level of thinking. You can't use the language and laws of the sea to govern the laws of the Internet or how we engage there, because it is vastly different in nature. It's also vastly different depending on where you're engaging, assuming the Internet isn't simply … everywhere.

Moss told a story about how he was speaking with a colleague who told him about how in China, the money is in DDoS protection because attackers are using the "Great Firewall of China" to blackmail other Chinese companies. They're not worried about identity theft because they don't really have it: Chinese farmers sell their identity for 3,000 yen. Meaning that "all of the identities are legit, they're just not the person you think they are."

"You might think the Internet works one way, and in one conversation it can flip upside down," Moss told the audience.

Simply put: we all have our perceptions, either individually or collectively, about what is needed when it comes to cybersecurity - and we're not communicating effectively about them. In order to fix this problem, we need to reorder the way that we think about things so that we can have more open and effective dialogue. As Moss said, "communication is a soft skill that leads to better technical outcomes."

Stay tuned for more from Black Hat …

Grasshoppers, Dead Cow, and Controlled Chaos: What We’re Looking Forward to at Black Hat USA


Usually, Black Hat USA is all the rage this time of year when it comes to Las Vegas; however, it seems the excitement about the show has been eclipsed by a grasshopper invasion. I admit, I was puzzled when my colleagues informed me of the news and proceeded to show me the horrifying photographic and video evidence. I joked that I would need to wear a Veracode-branded beekeeper suit, and wondered what the symbolism of the grasshopper is. So before I get to what you really care about – Black Hat – I leave you with two fun facts:

  1. Upon asking my mother – a Las Vegas resident – about the grasshopper invasion, she informed me that this happens every year, but it usually isn’t this bad, and that her side of town has significantly fewer grasshoppers.
  2. Grasshoppers can’t move sideways or backwards; they can only take big leaps forward. Seems apt when we’re considering the future of security and development.

Without further ado, here are three events I’m most looking forward to attending at this year’s show:

Controlled Chaos: The Inevitable Marriage of DevOps & Security

Kelly Shortridge, VP of Product Strategy at Capsule8, and Dr. Nicole Forsgren, Research & Strategy at Google Cloud, will take a closer look at the choice information security has to make when it comes to DevOps: marry with their DevOps colleagues and embrace the philosophy of controlled chaos, or eventually lose the race, because software – secure software especially – is a competitive differentiator in today’s global economy. I’m curious to see Shortridge and Forsgren’s take on DevOps, the concepts of resilience and chaos engineering, and the impact on the future of security programs.

Where: South Pacific. When: Aug. 7 from 4-4:50 p.m.

All Things Cult of the Dead Cow

Remember when much of the nation was astonished to learn that presidential candidate Beto O’Rourke was a member of America’s oldest hacking group, The Cult of the Dead Cow (cDc)? This was after Reuters reporter Joseph Menn published a special report that was adapted from his book Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World. While I’ll be sure to check out the briefing at BHUSA, at Veracode we’re excited to host a conversation at our booth about the new book with Menn, Chris Wysopal, Veracode's CTO, Christien Rioux, Software Architect at Flowmill, and Luke Benfey (Deth Veggie), cDc Minister of Propaganda. Plus, we’re donating $2 to BuildOn for every booth visit.

Where: Booth #854. When: Aug. 7 from 5-6:30 p.m.

DevSecOps: What, Why and How

When it comes to development, security is often added towards the end of the DevOps cycle through a manual/automated review – but we know it doesn’t have to be that way. Security can actually be integrated – and automated – at each stage of the DevOps pipeline. In this briefing, Anant Shrivastava from NotSoSecure will dive into the technology and cultural aspects of DevSecOps, and the changes needed to get tangible benefits. Shrivastava will also present case studies on how critical bugs and security breaches affecting popular software and applications could have been prevented using a simple DevSecOps approach.

Where: South Pacific. When: Aug. 8 from 11-11:50 a.m.

We’d love to talk to you about your own development shop and security practices during the show, so please stop by Booth #854 – we’ve got demos, spun chairs, and we’ll send you home with a one-of-a-kind custom t-shirt.

I’m not sure I’ll be able to score that branded beekeeper suit, but I’m looking forward to seeing everything Black Hat has to offer. If you’re open to sharing what you’re looking forward to at the show, let’s connect on Twitter (@lauraleapaine) so I can get your perspective. Make sure to check back here for live coverage – or subscribe to get our content updates sent directly to your inbox.

Capital One Benefits From Responsible Disclosure Program Following Massive Data Breach


This blog post was updated on August 1, 2019 to include additional details uncovered as a result of the ongoing investigation associated with the Capital One data breach.

Capital One’s data breach may be one for the record books, impacting as many as 106 million U.S. and Canadian credit applicants dating back to as early as 2005. While it’s natural to want to draw parallels to the 2017 Equifax breach, there are a couple of details in this story that make it remarkably different – including Capital One’s quick response to a tip submitted through its Responsible Disclosure process.

According to multiple reports, 33-year-old Paige A. Thompson allegedly gained access to approximately 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers, and 80,000 linked bank account numbers. Other affected personal information included phone numbers and credit scores. Thompson, who is facing five years in prison and a fine of up to $250,000, was previously an employee of Amazon Web Services, which hosted the Capital One database that was breached.

“The attacker was an ex-AWS employee, which did not give her special privileges, but does go to explain expertise of the AWS platform,” said Veracode Co-Founder and CTO Chris Wysopal. “The attacker found a configuration error in a Web Application Firewall (WAF) that allowed privileged commands to be executed with the credentials of Capital One. These commands had privileges that allowed her to access the storage where the Capital One PII was stored.”

Paul Farrington, Veracode EMEA CTO, noted that WAF log files are likely to have been stored in the AWS S3 storage system, which may be how the attacker was able to access the customer data that contains PII. What’s yet to be understood is who the WAF vendor is – if this breach is indeed the result of a configuration error, this vulnerability may be undocumented and many other organizations could be at risk.

UPDATE: TechCrunch's Zack Whittaker has reported that, "Israeli security firm CyberInt said Vodafone, Ford, Michigan State University and the Ohio Department of Transportation may have also fallen victim to the same data breach," and that the Justice Department said Thompson may face additional charges, which suggests other companies may have been involved.

What Does Coordinated Disclosure Have To Do With It?

Many news outlets are drawing parallels to the 2017 Equifax breach, saying that this may not have happened if adequate measures had been taken legislatively to ensure significant consequences following breaches of this magnitude. The facts of the Capital One breach are certainly alarming, particularly when you consider that this is yet another example of consumers experiencing a significant privacy breach with far-reaching consequences. Certainly, the $700 million settlement Equifax is paying sets a precedent in penalizing companies that have not adequately protected their customers’ personal information – and failed to act quickly when a breach is brought to their attention.

That’s just one of the ways in which the Capital One breach is different. If the company was indeed breached through a WAF provided to them by a third-party vendor, it could be said that Capital One was doing its diligence to ensure the security of its customer data. We could get into how complicated supply chain security can be (think back to the AMCA data breach in June) and where the fault really lies in this case, but that seems fruitless given we don’t yet have all the facts.

It’s what we do know that deserves to be highlighted, both to differentiate this breach from Equifax and to highlight a critical best practice for all organizations with software underpinning the success of their business: Capital One has a working responsible disclosure process.

Thompson was not shy or discreet about her hack into the financial institution, posting the data she exfiltrated back in March to her GitHub account, which included her full name and resume. According to Wired, she also talked openly about it on Slack. The court documents indicate that on July 17, an anonymous tipster informed Capital One about the flaw and breach by emailing the responsible disclosure address with a warning about the data as well as the GitHub link.

In a statement made on July 29, Capital One said it, “immediately fixed the configuration vulnerability that this individual exploited and promptly began working with federal law enforcement. The FBI has arrested the person responsible and that person is in custody. Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual. However, we will continue to investigate."

This means that once informed through its disclosure process, Capital One alerted the FBI and fixed the vulnerability, and the suspect was arrested – all within 12 days. Although consumers are still waiting to see if their data has been impacted, this response and resolution is much faster than others we have historically seen.

When a vulnerability in Zoom was made public earlier this month, it was done so by a security researcher who had disclosed the vulnerability to the video conferencing company 90 days before he published his blog post. At that time, they still hadn’t fixed it, and it became major news in the hours and days following the public disclosure.

The Capital One data breach could have been far worse had it not been for the openness of the hacker and the financial institution’s responsible disclosure process. Consumers may still be waiting to find out whether or not their information was breached, but it is clear that Capital One either learned from the massive breaches that came before or has a security leader hip to the value of working with outside security researchers.

The debates around responsible disclosure – now more commonly referred to as coordinated disclosure – have been going on for many, many years. We know that both businesses and the security community see the value, and that there is frustration from security researchers when they are either ignored or feel the issue isn’t being remedied fast enough. While it is important to consider how best to handle these breaches when it comes to legislative involvement, it is just as important to strengthen the relationship between enterprise and security researchers to ensure smooth reporting and resolution of flaws.

Vulnerabilities and flaws aren’t going anywhere – but we can all work together better to make sure they’re harder to exploit, and that resolution is swift after there has been a breach.

You can keep up with AppSec news like this, plus get trends and best practices, by subscribing to our content.

State of Louisiana Declares State of Emergency Following Malware Attacks


On Wednesday, Louisiana Governor John Bel Edwards declared a state of emergency following a series of cyberattacks impacting the computer and phone systems of several of the state’s school districts. The declaration, which will remain in place for the entire state until Aug. 21, is out of concern that the attacks could spread to affect other organizations in local and state government.

According to Gov. Edwards’ office, the attacks were directed at school systems in the Sabine, Ouachita, and Morehouse districts, and are described as "severe, intentional cybersecurity breaches" that "may potentially compromise other public and private entities throughout" the state in the emergency declaration.

The declaration, which is the state’s first cybersecurity emergency activation, allows several resources to be devoted to the ongoing investigation. This includes cybersecurity experts from the Louisiana National Guard, Louisiana State Police, the Office of Technology Services – and others – to determine how best to resolve and prevent future cyberattacks. The state is also coordinating with the FBI on the issue.

According to CNN, there have been at least 22 reported breaches of public sector networks in 2019. Recently, ransomware hackers have taken over the computer systems of several cities, including Atlanta, Baltimore, Albany, and at least two cities in Florida.

In 2017, Gov. Edwards created the Louisiana Cybersecurity Commission – a 15-member board inclusive of state officials, private-sector executives, and academics – in anticipation of such attacks on its government-run organizations and systems.

“This is exactly why we established the Cyber Security Commission, focused on preparing for, responding to and preventing cybersecurity attacks, and we are well-positioned to assist local governments as they battle this current threat,” Edwards said in a statement.

The State of Software Security for Government and Education Sector

In a world where the threat landscape is always evolving, public sector agencies around the U.S. are taking steps to ensure that their technology and critical infrastructure systems have the right protections in place – just as they’re ensuring that they have the right policies and processes in place when a cyberattack cannot be prevented. A great example of this is how Colorado created the standard for best defense following the 2018 SamSam ransomware attack on its public transportation system, and additional examples of cyberattacks impacting critical infrastructure can be found in the Policymakers’ Guide to the State of Software Security.

It’s true that there is plenty to celebrate according to Veracode’s State of Software Security Volume 9 (SOSS Vol. 9), which showed that the Government and Education sector improved significantly over the previous report. In SOSS Vol. 8, the industry was dead last in latest scan OWASP pass rank. This year, it came in second only to healthcare.

In examining flaw persistence – or how long it takes to close a flaw from first discovery – the analysis curve shows that while these organizations are slower than usual out of the gate, they pick up speed with resolving vulnerabilities as they dig into the second half of remaining flaws.


It’s understood that the reliance on digital technologies and software will continue to increase, just as the threat landscape will remain fluid and ever-changing. With approximately one quarter of breaches occurring through web application attacks, it’s imperative that government organizations and agencies ensure their applications are protected.

After seeing the rise in data breaches at all levels of government, the State of Missouri enlisted Veracode to create and implement an application security program that fixed more than 28,000 flaws in the first year of the program, and scaled to 360+ applications within three years. Curious to learn more about how Veracode helped the State of Missouri build and scale its application security program? Read the case study – which covers the process from start to finish – by clicking here.

British Airways Faces £183m Fine Following Data Breach


The Information Commissioner’s Office (ICO) has handed British Airways what it claims is the biggest penalty – and the first to be made public under new rules – since the General Data Protection Regulation (GDPR) came into play last year. According to the ICO, 500,000 customers had their personal information compromised during the 2018 breach, and the airline needs to pay up – to the tune of £183 million.

According to the BBC, British Airways, owned by IAG, has said that it is “surprised and disappointed” by the penalty, following an attack by hackers who allegedly carried out a “sophisticated, malicious criminal attack” on its website. The airline first disclosed the incident on Sept. 6, 2018 and had initially reported roughly 380,000 transactions had been affected.

The ICO, which believes the attack began in June 2018, found that user traffic to BA’s website was re-routed to a fraudulent website that gave hackers the ability to steal customer information. As a result of the airline’s poor security posture, customer login information, payment card and travel booking details, and names and addresses were compromised.

In a statement, Information Commissioner Elizabeth Denham said, “People's personal data is just that - personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience. That's why the law is clear - when you are entrusted with personal data, you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

Ensuring that your organization is in compliance with GDPR is critical for both your customers’ protection and your bottom line. To learn more about how Veracode DevOps Penetration Testing can be used to meet compliance requirements, check out this blog post.

Business-Focused Approach to Security Assurance Is More Evolution Than Revolution


According to a new research report from Information Security Forum (ISF), only 32 percent of its membership is satisfied with their security assurance program – though 80 percent say that they want to take a more business-focused approach to security. Given the ever-evolving threat landscape, security leaders understand that they always need their finger on the pulse of how secure their organization’s information is. This can prove to be challenging if the right processes and controls are not in place across development, IT, and security in your organization.

Oftentimes, communicating the security of your organization – and communicating it well – comes down to asking the right people the right questions, and taking smaller steps to achieve the desired outcome. In the report, Establishing a Business-Focused Security Assurance Program, ISF proposes that organizations build on existing compliance-based approaches instead of reinventing the wheel. To map out where the program needs to go and begin evolving it with business in mind, ISF notes that security leaders should:

  • Identify what business stakeholders want from security assurance
  • Break down the requirements into manageable tasks to move from current to future approaches
  • Apply repeatable security assurance processes across multiple target environments (i.e. business processes, projects and supporting assets where appropriate in your organization)

“Taking a business-focused approach to security assurance is an evolution. It means going a step further and demonstrating how well business processes, projects and supporting assets are really protected, by focusing on how effective controls are,” said Steve Durbin, Managing Director, ISF. “A business-focused approach requires a broader view, considering the needs of multiple stakeholders within the organization: what do they need to know, when and why? Answering these questions will enable adoption of testing, measurement and reporting techniques that provide appropriate evidence.”

Including Secure Coding in the Security Control Discussion

According to the 2019 Verizon Data Breach Investigations Report, 62 percent of breaches and 39 percent of incidents occur at the web application layer. While it is unclear exactly how the web applications were compromised in some cases, it’s assumed that attackers are scanning for specific web app vulnerabilities, exploiting them to gain access, inserting some kind of malware, and harvesting personal data for profit.

An often-overlooked way to tighten security in your organization is to provide developers with the tools they need to code securely, and to continue learning about different vulnerabilities as they work. When development teams are able to scan for vulnerabilities in their code while they work, they’re less likely to be introduced in the QA and production stages. The State of Software Security Report Volume 9 shows that organizations that are conducting application security scanning more than 300 times per year are able to shorten flaw persistence by 11.5 percent.

This means that development leaders must be included in security control discussions. Their team may work in a different way than others across your organization, so understanding how to support them to make security a seamless priority in their day-to-day processes is a necessary step for security assurance. Once the DevSecOps approach to application development has been adopted, it’s even easier to verify for your executives – as well as customers and prospects – that you really do take security seriously.

The Right Analytics to Tell the Right Story

Analytics are useful for determining exactly what the right metrics are for AppSec managers to share with executives and their board. Given that policy compliance is often the number one priority for this audience, AppSec managers need to set their threshold for what they’re willing to accept and what they’re unwilling to accept when it comes to the appropriate level of risk and the type of data involved.

The Veracode Platform includes Veracode Analytics, which empowers our customers to set up custom analytics once they’ve determined their risk threshold and application criticality. With an easy-to-use dashboard view, AppSec managers can review their AppSec program to make sure that development and security teams alike are scanning all of their applications – and fixing what they find.

The Veracode Platform and Veracode Analytics can be a game-changer for your business, as it helps you to stay focused, motivate your teams, ensure better resource allocation, and help you more strategically communicate your security posture to the executive team.

For more on getting executive support for application security, see Everything You Need to Know About Getting AppSec Buy-In.

For more on measuring your application security program, see Everything You Need to Know About Measuring Your AppSec Program.

How Veracode Supports DevSecOps Methodologies With SaaS-based Application Security


Most legacy applications were not developed with security in mind. However, modern businesses and organizations are continuing to undergo digital transformation in order to pursue new business models and revenue channels, as well as giving their customers or constituents a simplified experience. This often means selecting cloud-based tools and solutions that allow for the scalability necessary to provide applications and services to a broad customer base.

For example, in 2013, the UK government adopted a Cloud First, or Cloud Native, policy for all technology decisions, making it mandatory to consider cloud solutions before alternatives. This means that government IT professionals must first consider public cloud options, including SaaS models for enterprise IT and back-office functions, as well as Infrastructure as a Service and Platform as a Service.

But this dramatic expansion of the application layer introduces new security challenges. In one engagement, Veracode worked with a High Street bank to secure its web application portfolio and uncovered 1,800 websites that had not been inventoried – making its attack surface 50 percent bigger than originally thought.

With the growing complexity of IT infrastructures and a shortage of qualified security experts, businesses and government agencies alike need to enlist application security specialists with a deep understanding of the complexity of modern applications.

Veracode pioneered static binary analysis to address the security of modern applications, which are often assembled from the work of different teams, languages, frameworks and third-party libraries. This approach allows security and development teams to assess the security posture of entire applications once they’ve been built, rather than analyzing individual pieces of source code and missing some of the potential “cross-platform” exploits.

Yet the Veracode Platform offers so much more than its signature static binary analysis.

“With a growing number of integrations with CI/CD tools and development environments and expanding its coverage to the full software supply chain, Veracode clearly shows the commitment to fully embrace the modern DevOps and DevSecOps methodologies and to address the latest security and compliance challenges,” writes KuppingerCole Lead Analyst Alexei Balaganski. “With the SaaS approach, the company can ensure that customers can start using the platform within hours, and a wide range of support, consulting and training services means they are ready to guide every customer towards the application security best practices as quickly as possible.”

To learn more about our approach to supporting modern DevOps and DevSecOps methodologies, and how the Veracode Platform is even easier for software developers to use, download the KuppingerCole Report, Executive View: Veracode Application Security Platform.

What the AMCA Data Breach Teaches Us About Modern Supply Chain Security

The State of Software Security Volume 9 (SOSS Vol. 9) found that the healthcare industry, with its stringent regulations, received relatively high marks in many of the standard AppSec metrics. According to Veracode scan data, healthcare organizations ranked highest of all industries on OWASP pass rate on latest scan, coming in with a rate just over 55 percent. Our flaw persistence analysis shows that the industry is statistically closing found vulnerabilities far faster than any other sector.

However, the recent American Medical Collection Agency data breach has brought attention to the fact that breaches involving subcontractors and business associates, particularly in the healthcare industry, are on the rise. As both Quest Diagnostics and Laboratory Corporation of America Holdings (LabCorp) have filed 8-Ks with the Securities and Exchange Commission (SEC), as many as 11.9 million people may have had their personal and payment information stolen by an unauthorized user.

Earlier this year, Moody’s Investor Service ranked hospitals as one of the sectors most vulnerable to cyberattacks. In a press release, Moody's Managing Director Derek Vadala said, “We view cyber risk as event risk that can have material impact on sectors and individual issuers. Data disclosure and business disruption are the two primary types of cyber event risk that we view as having the potential for material impact on issuers' financial profiles and business prospects.”

Ensuring the security of patient data

Healthcare organizations appear to be doing their part to ensure the safety of their patient and customer data. Recently, the Wall Street Journal’s Melanie Evans and Peter Loftus published a story about how hospitals are asking device makers to let them under the hood of their software to look for flaws and vulnerabilities – and opting out of doing business if they’re not granted access. The article cites how, in 2017, NewYork-Presbyterian dropped plans to buy infusion pumps manufactured by Smiths Group PLC after the Department of Homeland Security issued a warning that hackers could take control of pumps (a fix has since been released).

That same year, many hospitals were forced to cancel appointments and surgeries when their operations were stunted by WannaCry and NotPetya cyberattacks – so it’s no wonder hospitals began enlisting the help of cybersecurity pros, including penetration testers.

Evans and Loftus spoke with corporate counsel at Boston Scientific who noted that negotiations with hospitals are more complicated and drawn out than ever before as a result of cybersecurity demands.

Where is the gap in the modern healthcare supply chain?

Given the sensitivity of the data involved, it’s reasonable for hospitals and healthcare IT companies to be more inquisitive. But it’s not just the healthcare-related technologies that they need to look into.

SOSS Vol. 9 shows that the financial industry, while boasting the largest population of applications under test and with a reputation of maintaining some of the most mature AppSec programs, is struggling to meet AppSec standards. The industry ranks second to last in major verticals examined for OWASP pass rate on latest scan, and based on flaw persistence analysis, it’s leaving flaws to linger longer than other industries do.

In order for hospitals and healthcare organizations to ensure the security of those they care for, they need to be able to trust that the third-party vendors and service providers that they enlist to take payments and process claims are taking the appropriate precautions when it comes to software security.

Awareness begets progress

In 2017, Veracode conducted research with YouGov to better understand how well business leaders understood the cybersecurity risks they are introducing to their company as a result of digital transformation and participation in the global economy. What we found was that awareness was low – even following the Equifax breach that occurred that year. The research showed that only 28 percent of respondents had heard of the attack.

Since then, we’ve seen a number of CEOs and other executives paying the price after a breach. Veracode CTO, EMEA, Paul Farrington, said it best:

“Ultimately, this is merely an extension of expectations on the C-Suite when responding to serious events. If CEOs violate environmental, health, or safety standards, they can be fined, and even jailed in many countries. Perfect security is not possible, but with data about our entire lives now being stored and processed by businesses, it is essential that employees and customers alike are afforded a certain standard of cybersecurity. When such standards aren’t met, there ought to be accountability at a senior level.”

As healthcare organizations and hospitals are doing an increased level of due diligence before making a purchase or partnering with third parties, we can expect that other industries are likely to follow suit. Executives will begin to add security to their list of priorities, because it will be demanded by the board in an effort to protect their brand and bottom line.

Give your customers confidence that your software is secure

Given that perfect security isn’t possible, organizations should consider reviewing their software development processes to ensure that security is embedded in each stage. One of the reasons that we created Veracode Verified, which helps your organization prove at a glance that you’ve made security a priority, is to help organizations stay ahead of customer and prospect security concerns and speed up sales cycles – without straining limited security resources. The program provides you with a proven roadmap for maturing your application security program, as well as an attestation letter you can share with customers and prospects.

Curious to learn more about how your organization may benefit from Veracode Verified? Have a look at this infographic to get the details.

Quest Diagnostics Breached Through Third-Party Billing Collections Vendor


Quest Diagnostics has reported that nearly 12 million patients may have been impacted by a breach into American Medical Collection Agency (AMCA), the medical testing company’s third-party billing provider. According to a data breach filing with the Securities and Exchange Commission, as many as 11.9 million patients may have had their credit card, banking, medical information, and other personal details stolen.

Quest has confirmed that because AMCA does not handle lab results, this information was not affected by the breach. It has also stopped sending collections requests through AMCA while the breach is under investigation, and has hired outside security experts to get a better sense of the damage.

On May 14, AMCA alerted Quest to a potential breach of its web payments page. The data breach filing indicates that between August 1, 2018 and March 30, 2019, an unauthorized party had access to AMCA’s system, which allowed them to inject malicious code into the payments pages. They were then able to skim and collect the information users entered.

According to TechCrunch, this is the second breach affecting Quest customers in three years. In 2016, the company announced the breach of its MyQuest patient portal, which allowed access to the test results and personal information of 34,000 patients.

Your company takes the security of its software seriously. If you want to prove to your customers that you make it a priority, you have to check out Veracode Verified.

WhatsApp Releases Update Following Breach via Remote Code Execution Vulnerability


On Monday, The Financial Times reported that attackers have been exploiting a buffer overflow vulnerability in the popular messaging service WhatsApp. The vulnerability has been fixed, and updates were released on Friday. WhatsApp, owned by Facebook, is urging both iPhone and Android users to update the app as soon as possible.

Veracode’s State of Software Security Volume 9 found that buffer overflow was the 25th most common vulnerability, found in 3 percent of applications. Although not as prevalent as some other flaw categories (like XSS or SQL injection), it is a highly exploitable flaw, and organizations should be aware of it and address it quickly. Yet our data also reveals that organizations are taking a troubling amount of time to fix buffer overflow flaws – it took organizations an average of 225 days to address 75 percent of these flaws.

According to WhatsApp, the vulnerability (CVE-2019-3568) in the VoIP stack allows remote code execution. The RCE vulnerability in WhatsApp is exploited by sending malicious code to targeted phone numbers. Attackers can exploit the vulnerability by using the WhatsApp calling function to call a user’s mobile phone and then install surveillance software on the device. According to The Financial Times, a user doesn’t need to answer the call to be infected, and the calls seem to disappear from logs.

NSO Group, part-owned by private equity firm Novalpina Capital, is an Israeli company that created Pegasus, the software that is believed to be an integral element for successfully pulling off the attacks. The BBC reports that NSO’s flagship software can gather personal data from a targeted device using the microphone and camera, as well as capturing location data.

WhatsApp has reported the vulnerability to its lead regulator in the European Union, Ireland’s Data Protection Commission (DPC), though it is still investigating whether or not any EU user data has been affected as a result of the incident. The company also reported the vulnerability to the US Department of Justice last week.

WhatsApp is one of the most popular messaging tools in the world, with a sizeable 1.5 billion monthly users. It’s favored for its high level of security and privacy, as messages are encrypted end-to-end. This news adds to a turbulent period at Facebook, which bought WhatsApp in 2014 for $19 billion. Last month, a security research firm revealed 540 million Facebook accounts were publicly exposed, and a co-founder, Chris Hughes, recently advocated in The New York Times that the company should be broken up for fear that it has too much influence and power.

2019 Verizon DBIR Shows Web Applications and Human Error as Top Sources of Breach


According to the 2019 Verizon Data Breach Investigations Report, there was a noticeable shift toward financially motivated crime (80 percent), with 35 percent of all breaches occurring as a result of human error, and approximately one quarter of breaches occurring through web application attacks. These attacks were mostly attributable to the use of stolen credentials used to access cloud-based email.

Another fun fact: social engineering attacks are increasingly successful, and the primary target is the C-suite. These executives are 12x more likely to be targeted than other members of an organization, and 9x more likely to be the target of these social breaches than in previous years. Verizon notes that a successful pretexting attack on a senior executive helps attackers hit the jackpot, as 12 percent of all breaches analyzed occurred for financially motivated reasons, and executives’ approval authority and privileged access to critical systems often go unchallenged.

“Typically time-starved and under pressure to deliver, senior executives quickly review and click on emails prior to moving on to the next (or have assistants managing email on their behalf), making suspicious emails more likely to get through,” the Verizon DBIR states. “The increasing success of social attacks such as business email compromises (BECs, which represent 370 incidents or 248 confirmed breaches of those analyzed), can be linked to the unhealthy combination of a stressful business environment combined with a lack of focused education on the risks of cybercrime.”

Retailers Are Most Vulnerable at the Application Layer

The good news for consumers and retailers alike is that the days of POS compromises or skimmers at the gas pump appear to be numbered, as these card breaches continue to decline in this report. The not-so-good news is that these attacks are instead primarily taking the form of attacks on e-commerce payment applications and other web applications. Indeed, the report shows that web applications, privilege misuse, and miscellaneous errors make up 81 percent of breaches for retail organizations.

What’s more, 62 percent of breaches and 39 percent of incidents occur at the web application layer. While it is unclear exactly how the web applications were compromised in some cases, it’s assumed that attackers are scanning for specific web app vulnerabilities, exploiting them to gain access, inserting some kind of malware, and harvesting payment card data for profit.

The report notes, “We have seen webshell backdoors involved in between the initial hack and introduction of malware in prior breaches. While that action was not recorded in significant numbers in this data set, it is an additional breadcrumb to look for in detection efforts. In brief, vulnerable internet-facing e-commerce applications provide an avenue for efficient, automated, and scalable attacks. And there are criminal groups that specialize in these types of attacks that feast on low-hanging fruit.”

Overall, Veracode’s State of Software Security Vol. 9 shows that retail organizations are quick to fix their flaws, ranking second in this regard as compared to other industries. With this in mind, it may mean that retail organizations need to keep a closer eye on third-party software and open source code in their own applications to ensure they’re not the next to sign a cyberattacker’s paycheck.

At Veracode, we help our customers to ensure that every web application in their portfolio is secure through each stage of the SDLC. Check out this case study to learn about how Blue Prism implemented Veracode Verified to ensure the strength of its application security program and protect its most sensitive data.