Author Archives: (mmcbee)

Secure Development Without Sacrificing Innovation and Speed

If you know the term ???nightly build,??? chances are you???ve been a part of that process before. A nightly build - or code compiled overnight from previously checked code - is a foundational way to find flaws or issues that arise from changes made during long build processes. But while a staple in DevOps, nightly builds also present a problem: if new bugs are discovered the following morning after the build, everything slows down. Additionally, such activity only heightens the wall between development and security by compartmentalizing the tasks developers and security professionals must undertake every day (or night).

The history of the divide between security and development doesn???t fall solely on nightly builds, of course. It comes from a place of misconception, where developers fear that security leaders are ready to stall production at every turn, and security leaders lack the knowledge to fully understand the lingo, processes, or goals of developers. Historically, both teams have worked away in their own siloed departments with little to no direction from leadership on ways to come together.

Unifying security and development

By bridging the lines of communication, both teams can start to have serious conversations about producing more secure code without sacrificing the speed needed to meet tight deadlines. At the core of the issue is education. Both development and security teams need to find a common ground for working together and take it a step further to understand exactly how the other side of the aisle works ??? and how they can plug in their own processes to make that work more effective.

On the developer side of the aisle, that comes down to appreciating the value of security and sharpening the skills they need to write code with fewer flaws and bugs. On the security side, it means understanding developer timelines, tools, and processes, then working with leadership to figure out how to integrate security tools into their existing methods for time-saving automation and valuable coding feedback.

According to a recent report by Securosis, this should be a top-down effort involving members from all the necessary teams. ???With DevOps you need to close the loop on issues within infrastructure, security testing as well as code. And Dev and Ops offer different possible solutions to most vulnerabilities, so the people managing security need to include operations teams as well.???

Once members of these teams come together with open dialogue about current issues and business goals, they???re on the right path to begin discussing which processes and tools will improve the health of their application security without impacting deployment speed.

Know where to start when fixing flaws

Security debt is a real problem that adds up over time and should be addressed with a plan of action to bring it down and reduce risk. But not every vulnerability is mission-critical, whether it sits in a pile of security debt or it was discovered in a batch of new flaws during a recent scan.

According to the Securosis report, deciding which vulnerabilities to tackle first is a common issue for development teams. ???During our research many security pros told us that all vulnerabilities started looking like high priorities, and it was incredibly difficult to differentiate a vulnerability with impact on the organization from one which did not,??? the report says.

Prioritization can speed up the entire development process as little time is wasted going back and forth. While helping to set priorities for developers, security leaders have an opportunity to help developers understand which flaws need to be addressed immediately during development, and which possible threats tie back to unattended vulnerabilities so that developers have a better understanding of how to prioritize flaws in the future.

Automation through integration

Automation brings rapidity and, if used long enough, consistency. With modern software development speeding up and not slowing down, it???s more important than ever that developers have the right scanning tools to plug directly into their existing processes with seamless integration. And while automated feedback and security testing alone won???t catch every flaw, error, or vulnerability, it sets a precedent for incorporating security into the development process, and a baseline for healthy code as the team moves through development.

Complete application security plans incorporate scanning and testing into every stage of the development process, from the IDE to the Pipeline and even review, staging, and production. Veracode Static Analysis has this covered, with automated security feedback in the IDE and Pipeline that alerts (and trains) developers while they work. Veracode Static Analysis conducts a full policy scan before deployment too, showing the vulnerabilities that developers should focus on, and leaving an audit trail for review.

With a tool like Veracode Static Analysis integrated into existing systems and processes, security and development teams will gain clear insight into not only which flaws to prioritize, but also areas where developers need more training and education so that they can produce more secure code in the future. This automated (and peer) feedback helps set a standard for consistency, and improves speed overall ??? those nightly builds can then turn into builds with continuous integration that facilitates faster fix rates.

eLearning tools for continuous education

Continuous education is something that both security and development should embrace if they want to help close the information and communication gaps between the two teams. Security leaders for their part should brush up on developer lingo, tools, and languages ??? especially when a new language is introduced into the development process.

For developers, boosting skills through hands-on courses, virtual workshops, and instructor-led training increases the speed at which developers work and the security of their applications. By bringing continuous education into the mix so that secure code is front of mind, security and development teams will have an easier time shifting security left with each new project. Eventually, it???ll become a regular part of the process to learn from past mistakes, grow to become more innovative and adapt to new security threats.

Tools like Veracode Security Labs take training to the next level by providing developers with real-world examples of threats that they can exploit and patch for practice. This hands-on-keyboard training is unlike cookie-cutter courses, as it is interactive and focuses on real applications with real vulnerabilities.

Security Labs helps meet training and compliance needs, too, with customized education in the languages an organization???s developers use most. That tailored experience becomes invaluable when every hour of the day is dedicated to improving the security of your applications. Developers start learning right away and plug back in when they???re ready for more; it???s a small step that has a big impact.

For more information on speeding up the development process through integration, automation, and feedback, read our eBook on how you can secure your software development pipeline with Veracode Static Analysis.

Frequency, Speed, and Accuracy Are a Match Made in AppSec Heaven

???Make it work, make it right, make it fast.??? These words from renowned software engineer Kent Beck will always ring true for developers, especially with the pace of development picking up, not slowing down. A GitLab survey from last year showed nearly half (43 percent) of respondents deploy software on-demand or multiple times per day ??? that???s nonstop grinding to produce good code. But simply writing good code is not enough. Software developers must work smarter and faster if they want to stay one step ahead of attackers and meet tight deployment timelines in the process.

Aside from looming deadlines and threat actors who don???t sleep, where is the disconnect? In our 10th annual State of Software Security report (SOSS X), we discuss how some developers follow LIFO (Last In, First Out) or FIFO (First In, First Out) methodologies for fixing security flaws that they find when they scan their code. While these methods may work for some organizations, our data paints a clear picture: the chance of a security flaw being fixed in the first month is only about 22 percent for most organizations. It drops to 10 percent for the second month, then 3 to 5 percent the longer teams wait to revisit said flaw.

With the LIFO method, some development teams are prioritizing newer flaws over older flaws, yet their age doesn???t matter in many cases; they???re all threatening in their own way. And with the FIFO method, new flaws may pile up as teams focus on the vulnerabilities that they discovered first by assuming they take precedence. These methods are lacking an essential step: prioritization.

Fixing the right flaws, fast

The better approach is to scan frequently and fix the right flaws fast as they appear on the radar. Data from SOSS X shows us that frequent scanners (300+) have 5 times less security debt than infrequent scanners. Additionally, frequent scanners see a 3 times reduction in median time to remediation (MedianTTR).

The key to this approach? A comprehensive AppSec solution that blends security testing into each stage of the development pipeline and automates tasks wherever possible. It means you???re giving development teams the right scan, at the right time, in the right place so they can keep working, learning, and improving their code without halting projects.

Pipeline ???

That???s where the Veracode Static Analysis family of solutions comes into play, with automated security feedback right in the IDE and the pipeline to improve code as developers work. It also conducts a full policy scan before your team moves forward to deployment, providing a clear window into the flaws that developers should be focusing on directly as well as an audit trail for compliance. Here???s a breakdown:

My code. Feedback in the IDE is fast, showing up immediately while developers code. Not only are they then finding and fixing flaws as they work, but they???re learning what to do differently next time to avoid the buildup of flaws (and security debt) down the road. The Veracode Static Analysis IDE Scan returns results in 3 seconds on average and offers guidance for remediation, code examples, and links to Veracode AppSec Tutorials too, encouraging developers to improve every step of the way.

Our code. Within a median time of 90 seconds, the Veracode Static Analysis Pipeline Scan runs on every build and offers code feedback at the team level. The feedback is fast, pointing out flaws that are introduced on new commits, and providing insight into when teams need to break the build to remediate policy-violating flaws. Even better: it???s easy for development teams to adopt and learn how to use, so it won???t slow them down.

Production code. The Veracode Static Analysis Policy Scan in the CD pipeline is the icing on the cake. It conducts a full assessment of the code in about 8 minutes, on average. This scan provides an audit trail to satisfy compliance needs and gives a clear picture of the overall health of your application. It runs without manual tooling on the Veracode Static Analysis Engine, and it even has an impressive false-positive rate of less than 1.1 percent.

When it comes to false positives, reducing the rate of these pesky alarms is critical to improving speed and developer poise. The industry-leading 1.1 percent false-positive rate (without no tuning required) from Veracode Static Analysis, which is verified by thousands of scanned applications and customer data, is a whole lot faster than our competition???s 32 percent false-positive rate. That accuracy means you???re giving developers back time they would otherwise spend chasing down false flags so that they can focus on what matters most to their team and to the organization.

Upping your AppSec game

Frequency? Check. Speed? Check. Accuracy? Check. Veracode Static Analysis checks all the boxes for improving the security and quality of developer code, and then some. Standardizing on one SaaS solution that leans on automation and easy integration means this isn???t just a pipe dream. It???s achievable ??? even amidst accelerated shifts to digital ??? and we???re pretty sure it would make Kent Beck proud. ツ?

Check out our whitepaper for more information on the Veracode Static Analysis family and how it can help you manage your AppSec risk in world where frequency, speed, and accuracy matter most.

Cyberthreats During the Pandemic Are on the Rise

With the sudden shift to digital that many businesses are facing in response to the pandemic, preventing cyberattacks is more important than ever. According to the FBI, attacks related to COVID-19 have increased 400 percent in recent months. And with data from Gartner showing that 74 percent of companies expect to maintain some level of remote workforce indefinitely, organizations can???t risk faltering when it comes to the health of their application security ??? both for their own business continuity and for the safety of their customer data.

The World Health Organization (WHO), which saw a staggering fivefold increase in attempts to target its own staff in April, warns that businesses and the general public alike are at an increased risk for email phishing attacks, which we know can lead to spoofing attacks. But it doesn???t stop there; malicious actors continue to exploit every angle possible, from brute force threats to manipulating services meant to help the general public. Businesses must be vigilant about how they???re handling security in this new normal, especially when issues with remote work arise. ツ?

The remote access conundrum

Chris Wysopal, Veracode???s co-founder and CTO, believes there may be even more risk on the horizon as organizations continue remote work through the course of the pandemic.

???I think we could definitely see more social engineering attacks with people pretending to be employees having problems with remote access. Also, new phishing attacks that take advantage of so many remote access procedures changing.ツ?Organizations hastily deploying remote access might not be securing it,??? Chris explains. ???There are a lot of companies that don???t make remote access a normal part of their business and may now need to do this.???

The rates we???re already seeing are staggering. Data from Atlas VPN shows a 350 percent increase in phishing sites detected by Google since January. And it???s no surprise that attackers are using a global event for financial gain; Verizon???s 2020 Data Breach Investigations Report highlights that 86 percent of surveyed breaches were financially motivated, with over 80 percent of hacking breaches involving brute force attacks or the use of stolen credentials through phishing.

Pandemic-related cyberattacks

The Verizon report also found that financially motived social engineering attacks are steadily increasing year over year, which means the global pandemic offers even more of an opportunity for threat actors. As everything has shifted to digital during the pandemic, these established trends present a virtual goldmine for malicious behavior. Here are some of the attacks we???ve seen that exploit this new normal:

Microsoft Teams: With increased remote work, organizations of all sizes are relying on communication tools like Microsoft Teams. Researchers from Abnormal Security discovered in April that attackers had been sending fake emails resembling Microsoft Teams notifications, phishing for employee credentials. The platform suffered two separate attacks, the first of which used URL redirects to send unsuspecting users to a domain hosting the attack. The second directed users to multiple YouTube pages before ultimately sending them to the phishing site where they may have exposed their credentials.

DocuSign: Researchers at Abnormal Security also discovered that a phishing email targeted 50,000 to 60,000 DocuSign users through Microsoft Office 365. The email, urging recipients to review a document about COVID-19, used a concealed malicious URL within the text, which brought users to a website phishing for credentials. Abnormal Security notes that this attack was particularly successful as DocuSign is an essential tool for signing online documents, especially at a time with dispersed workforces.

Instacart: As more people began using food delivery services to avoid grocery stores, they became a clear target for threat actors. A research firm recently alerted Instacart of a bug that would allow attackers to send malicious links to shoppers via text message. Attackers have also been sending malicious bots after browser extensions meant to help users grab coveted grocery delivery timeslots for services like Instacart.

10x Genomics: Healthcare organizations are at increased risk, too. In March, biotech research firm 10x Genomics was hit by an attack that resulted in stolen company data. The firm, which is compiling information related to COVID-19 to aid possible treatments, was able to isolate the attack quickly despite losing some sensitive information. Attackers reportedly leveraged REvil ransomware, which is also being used to exploit VPN and gateway vulnerabilities within healthcare organizations that are experiencing higher than usual strain due to the pandemic.

Protecting your business continuity

Malicious actors work hard to manipulate weak security protocols and unfixed vulnerabilities wherever possible, especially during times of widespread change and uncertainty. But there???s good news from Veracode: our Static Analysis scan numbers hit a record high in March and then hit another record high in April. Our customers are remaining vigilant about their security so they can continue to protect their data and the data of their own customers.

If you???re concerned about the state of your AppSec program or need guidance, we???re here to help ensure that you can maintain business continuity during the pandemic. Stay one step ahead of attackers by:

  • Shifting security left to the beginning of the software development lifecycle (SDLC) so that developers can write more secure code sooner rather than later.
  • Scanning earlier in the development process to catch flaws and scanning more often to reduce the risk that comes from security debt.
  • Utilizing penetration testing to locate information that may be used in social engineering or phishing attacks within your organization.
  • Using tools like Veracode Security Labs for hands-on training, and IDE Scan for real-time feedback that helps developers learn as they code.

Learn more about thwarting cyberattacks by future-proofing your application security.

Realigning Priorities and Building a Bridge Between Security and Development

It???s a common conundrum for application security (AppSec) teams??ヲhow can developers and security professionals work together to release software faster? It takes a working relationship, good communication, and the right tools, which most teams don???t have.

Even more discouraging, stigmas follow both teams around the office; developers often worry that security is there to slow down or halt their projects while security is concerned that developers aren???t prioritizing secure code. As modern software development becomes faster with tighter deadlines and an array of cyberthreats awaiting vulnerable code, there???s little room for misalignment.

It???s a multifaceted issue that should be understood from both angles. Misaligned business priorities and processes can create an array of problems, from a lack of innovation for fear of increased risk to unforeseen vulnerabilities falling through the cracks during the development process. And when developers aren???t empowered to improve their skills with educational tools like Security Labs, there???s less of a chance that they???ll feel prepared or appreciated when security comes knocking.

To begin addressing these concerns, changes must come from the top-down, trickling through each team to impact their goals and methods for an overall healthier AppSec program. When they have direction, developers and security leaders can find a common ground by building a working relationship that benefits both teams (and ultimately, the entire organization). Three key steps to fixing the misalignment between security and development include:

  1. Shifting to a security-focused mindset across the business.
  2. Implementing a security champions program to encourage developer participation.
  3. Making it easier for the development team to write secure code.

Once security leaders understand the tools and methodologies developers are most comfortable with, and developers have the opportunity to learn more about security practices, closing the gap between these two otherwise siloed teams isn???t as daunting. With the right tools, processes, and communication methods in place, security and development will have an easier time falling into the right working cadence to produce more secure applications. ツ?

Watch our video "Tips for Unifying the Security Professional and Developer Roles" below to hear from Veracode???s Chief Technical Officer Chris Wysopal and Chief Product Officer Ian McLeod on how these roles became misaligned, and how organizations can tackle the problem head-on.

What Caused the SBA Flaw that Exposed Business Owners’ Personal Info?

Current events are reshaping the way we live our everyday lives, and taking a heavy toll on the business world, with organizations of all sizes feeling financial disruption. Business continuity is more essential than ever during the pandemic; not just for customers who rely on products and services, but also for companies that need to keep funds flowing.

This has, foreseeably, led to thousands of loan applications for the Small Business Administration (SBA) in the United States, placing an overwhelming demand on the Economic Injury Disaster Loan Emergency (EIDL) program. The program currently provides up to $10,000 in financial assistance to small businesses suffering financial loss from the pandemic, but has unfortunately come with a security risk for some applicants seeking loans in order to maintain their business health.

During the recent influx of loan applications, the SBA acknowledged that the personal information of nearly 8,000 business owners might have been exposed to others accessing the program online. The flaw in the program simply required a user to hit the ???back??? button while in the loan application portal, which in some cases may have shown sensitive information belonging to another applicant.

Possible causes of the SBA flaw

While we can???t be certain which flaw is plaguing the SBA loan application system, we can make an educated guess based on similar behavior we???ve seen. Jamie Rougvie, a member of Veracode???s Manual Penetration Testing team, believes this flaw may be a combination of redirects and access control misconfigurations. Here is how this flaw may have impacted the SBA loan application process:

The Flaw

A company signs up to the loan portal and is given a unique Identity relating to that loan. Let???s say ???Company A??? signs up and gets a LoanID of 1. ???Company A??? then signs into the application and starts to fill in the application form. They then notice that they made a mistake on the previous page, so they click the back button within the application.

This back button then redirects them to the previous page. Now, let???s assume the code behind the button redirects them to the following URL:ツ? (it should be noted that on the Loan site this would be a more complex than a hard coded URL). We would assume that the value may be coming from a variable which is being dynamically changed based on a number of factors.

You can see here the LoanID has changed from 1 to 2. This means that instead of showing ???Company A??? data, it will attempt to show the data of LoanID 2 which is ???Company B.???

What should happen here is when ???Company A??? is redirected, a check should be done to make sure they have permission to access the page that they are being redirected to. If they have permissions to access the page, the redirect occurs. If they do not have permissions to access the page, either an error is displayed, or they are redirected elsewhere.

It seems like in this case no checks were performed on the request, and as such ???Company B???s??? data was displayed to ???Company A??? ??? meaning sensitive PII information was leaked on the webpage.

It???s not clear if ???Company A??? only had access to ???Company B???s??? data, or if this data changed each time a new request was made via the back button. This would mean that each time the back button was pressed, another company???s data would be leaked to a standard user. If an attacker found this type of flaw, they could within a small amount of time be able to obtain PII information of all companies in the loan application.ツ?ツ?ツ?ツ?ツ?

The seriousness of this issue depends on the type of application, and the information that is disclosed via the vulnerability. ???In an application like a loan website where the vast amount of information would be sensitive, this would be a critical severity issue and we would jump on call with the customer straight away to discuss the problem,??? Jamie further explains.

The SBA loan application issue potentially exposes sensitive information like an applicant???s name, Social Security Number, tax identification number, address, date of birth, financial insurance information, and more ??? which means a threat actor could then take that information and use it in any number of additional threats, like social engineering attacks or potential identity theft.

That???s why it???s important to stay one step ahead. Situations that entail building applications or websites quickly to amplify communication and provide services are not unique to current events; they should always involve security measures like regular scans and testing procedures. ???When you combine the power of Veracode automation tools and our MPT (Manual Penetration Testing) services, these types of issues can be identified early on and can be mitigated before pushing the application into production,??? Jamie explains.

Being proactive instead of reactive will set your organization up for preventative security measures so that you???re not faced with the cleanup that comes from worrisome vulnerabilities like IDOR and Session Management flaws.

Reducing risk with healthy AppSec

Cyberattacks and security threats are on the rise, which only amplifies vulnerabilities like the one we saw from the SBA in early April. Ultimately, this combination of rapid digital acceleration, and an uptick in cyberattacks, has left many organizations vulnerable. This situation stems in part from organizations adopting reactive, rather than preventative, security strategies.

What does preventative AppSec look like? Companies that are concerned about the health of their applications should scan early and scan often to identify problems before an issue arises. The mentality of shifting security left, bringing it into the development process sooner rather than later, can save money and time down the road. It helps eliminate security debt, too, which piles up over time and is carried as a constant risk from project to project. ツ?

Data from our 10th annual State of Software Security Report (SOSS) shows that when organizations scan their code frequently (more than 300 times a year), they carry five times lessツ?security debtツ?than those that scan the least.

Having a suite of SaaS solutions in the cloud to scan application code is essential for remote teams, but even more so today with entire companies going digital. Veracode???s application security solution combines five analysis types in one for a comprehensive look at your code as developers work. Every step of the way in the software development cycle (SDLC) ??? from the IDE to production ??? these scans ensure that your team is working smartly and efficiently to produce secure applications and stay ahead of potential issues.

And with hands-on training tools like Security Labs, developers are better equipped to write secure code, saving their organization from needing to remediate flaws down the road. Using Security Labs, software developers can exploit and fix an application in a contained environment with fast feedback, helping them learn in the languages that they need to know inside and out. Not only does it help developers satisfy compliance requirements, but also, they walk away with the training and skills needed to write more secure code and remediate flaws faster.

You don???t have to compromise between the race for swift deployment and the need for better application security. With the right tools and training, your organization and your team of developers will be well-equipped to handle what comes next as more of the world continues to take on a digital transformation and new security threats emerge.ツ?ツ?ツ?

Future-Proofing Your AppSec With Veracode SaaS Solutions

Global events that force the world to go digital can put business needs into perspective, and fast. We???ve been impressed by how our customers are hitting the work-from-home curveball; with a little ingenuity and some help from Veracode solutions, their businesses are carrying on. In fact, ourツ?Static Analysisツ?scan numbers reached an all-time high in March, and then again in April. That tells us our customers are buckling down, concentrating on software security, and making sure they are there for their customers, too.

Organizations around the globe are continuing to put customers first, even when unexpected and sudden shifts change the way the world works. We???re proud of that same business continuity at Veracode, helping our customers start, improve, or expand AppSec programs in order to thrive in a digitally transformed world. The best part? It doesn???t have to be a complicated process that disrupts everyday business needs.

Get started swiftly and securely

Now more than ever, it???s vital that installation processes are fast and seamless. If your organization can start scanning from day one without worrying about manual patching or updating down the road, that means you can hit the ground running with peace of mind for the future. It???s simple to get started with Veracode and provision access to begin using our SaaS solutions in the cloud. You can set off securing your applications right away without halting projects or missing tight deadlines. That???s the way AppSec should be.

Our comprehensive offering is built for scale so that you don???t have to miss the opportunity to deploy the secure software your customers rely on. And with a wide range of SaaS products ??? including Static Analysis, Dynamic Analysis, Software Composition Analysis, Security Labs, and IAST ??? there???s minimal to no installation needed across the board when you???re ready to ramp up production with Veracode.

Scale up, scale down, and save money

For businesses on top of their digital transformation, having aツ?healthy SaaS AppSec solutionツ?at their fingertips means staying innovative and shipping secure code on time. Our solutions integrate directly into your SDLC, with scalable offerings like automated testing that won???t get in the way of the work your developers are already doing.

In addition, accessing all application analysis types through one solution streamlines testing and reporting too, which means it???s easy to stay on top of goal setting and progress, while guiding development teams on which flaws to target first. Veracode conveniently combines all testing types???Static Analysis, Dynamic Analysis, Software Composition Analysis, and Pen Testing???in one place for easy access, covering web and mobile apps as well as microservices in most major programming languages.

Secure your applications anywhere, anytime

Since these powerful solutions are cloud-based, development and security teams collaborating around the world can keep pace with competitors in the digital go-to-market race. The ability to work from anywhere is essential for many businesses, especially today. You can access Veracode???s tools and solutions without bogging down your VPN???s server, reducing the risk that comes from potential breaches and cyberattacks no matter where you are in the world. If you???re working from home as a lot of us are right now, that???s a gamechanger for efficiency.

Whether you???re looking for ways to ramp up your security or you simply want to expand your existing solutions, no matter what???s happening out there in the world, Veracode is here to help. Tune in to our webinarツ?for a deep dive into maintaining business continuity and controlling AppSec costs during turbulent times.

Introducing Capture the Flag Puzzles!

Remember those boundless summer days playing ???Capture the Flag??? over the scent of freshly cut grass? No other care in the world aside from finding and seizing that victory flag with bragging rights for the rest of the day? ???Capture the Flag??? wasn???t just an intense physical exercise to release energy; it was a fun mental escape, too. That???s something many of us need now more than ever.

We know a lot about work-hard-play-hard here at Veracode. Every year, Veracoders intermingle practice and play in our ???Innovation Hackathons,??? encouraging each other to think outside of the box and flex our creative muscles. Veracode???s yearly Hackathon activities span the gamut of energizing challenges and perplexing puzzles - the latter of which we???re excited to share with all of you through

What is It???s ???Capture the Flag??? (CTF) for anyone looking to challenge their mind (and perhaps take a mental break from current events, too). is a series of puzzles ranging from simple to complex. Some require paper and a pencil while others involve advanced abilities and divergent thinking. Pick and choose which puzzles you want to tackle, then work in teams to solve them or fly solo and test your skills.

Signing up is easy and anyone can do it. Register here, confirm your account (note: we will not use your information for anything other than activities), and then dig into the challenges. You can also check the scoreboard to monitor your progress against others and see where you stand ??? there???s nothing wrong with a little friendly competition!

Ready, set, solve

Let???s get down to the nitty-gritty of how to solve puzzles on For each puzzle you open in the challenges section, you???ll need to solve the clues or work through the exercises to find a concealed password. That???s the ???flag??? we???re after. Once you???ve solved a puzzle and ???captured??? the hidden password, type it in as the solution on the puzzle???s page and instantly see if you???re right. If not, you???ll need to go back to the drawing board.

The puzzles are grouped into three basic levels:

Level 1: These are more common (think crossword puzzle) but might have another layer to them. If you get stuck, look for clues within clues.

Level 2: These are slightly trickier and might require some searching beyond your skillset, or information on specific types of puzzles and how to solve them.

Level 3: These are the most challenging puzzles that often require skills in programming or might push you to take basic skills to another level.ツ?

If you get stuck or need help, some of the puzzles offer guidance in the form of hints. You can also reach out to us on social media using #veracodepuzzles or post in our community to share tips, ask for clues, and celebrate victories.ツ?

Ultimately, we hope you have fun and can use these Hackathon puzzles to sharpen a skillset or spark creative inspiration just like we do.

Ready to get solving? Show us what you???ve got.

Lessons From the Accelerated Shift to Digital

Entering 2020, digital transformation was already at the top of the to-do list for many organizations. For those who lagged, it???s quickly becoming priority number one.

As much of our daily life and work goes virtual to during the pandemic, some markets are getting hit hard. In addition, the bad guys won???t take a break ??? we???ve seen an uptick in cyberattacks while IT systems and processes are stretched thin to handle this new normal. Cyber criminals are even pretending to be the World Health Organization (WHO) in an effort to gain private information.

Companies are finding that they must act quickly to keep up with both the new digital demand and the increased risks caused by malicious actors. For many, it means a herculean effort to combat service interruptions and data leaks that have forced them to become reactive instead of proactive in their efforts.

While it???s positive that this is prompting security self-awareness, the situation leaves a looming question of how other organizations can approach AppSec in today???s world and highlights the ongoing struggle between development speed and security.

Shift left to stay secure

It???s an age-old tale for organizations big and small: security should never sleep. Acknowledging application security issues and working on improving safety is a step in the right direction, but recent events serve as a reminder that prioritizing AppSec from day one is critical. Reacting to security issues is simply not a sustainable model; prevention is key.

Part of the solution is teaching developers to find and fix flaws sooner. ???When companies consistently review their product for flaws and train their developers to spot these flaws earlier ??? or to avoid introducing such vulnerabilities in the first place ??? they can save a lot of time and effort, and ultimately better serve their customers,??? explains Fletcher Heisler, Director of Developer Enablement at Veracode.

Shifting left to include security at the beginning of the software development lifecycle (SDLC) is one way that many organizations are tackling this issue to ensure their developers are writing more secure code. Hands-on interactive training tools like Veracode Security Labs help teach developers to code more securely as they work by using real-world exploits that they can learn to patch. By sharpening their skills, your developers are part of the frontline defense against malicious actors.

Scan early, scan often

The cadence and speed of security scans are other important pieces of the puzzle when closing gaps in security. Our 10th annual State of Software Security report (SOSS) highlights why this is so crucial ??? our analysis found that organizations that scan their code the most frequently (more than 300 times a year) carry five times less security debt than those that scan the least. That???s five times less risk organizations (and their customers) carry.

The key? Embracing DevSecOps and that important ???shift left??? mentality. When DevSecOps processes and best practices are implemented, development teams see a security flaw fix rate that???s 11.5 times faster than teams that haven???t embraced a proactive DevSecOps approach.

Tackling software development with this mindset not only reduces the number of flaws during production and speeds up fix rate, but also it saves money and time down the road. Without mounting security debt and the growing risk of a breach, organizations are able to focus on innovating to improve features and enhance their products. This way, they build trust in their brand and deploy better solutions with confidence.

We're fortunate to live at a time when technology is an enabler ??? many businesses continue to support their customers while driving innovation and change. We've seen it in our own data: our Static Analysis scan numbers reached an all-time high in March. That tells us our customers are buckling down, concentrating on software security, and making sure they are there for their customers, too.ツ?Read on for more information about how we're here to help.ツ?

New Cyberspace Solarium Commission Report Offers Words of Warning for AppSec

A recent report from the Cyberspace Solarium Commission (CSC) includes detailed plans for guiding cybersecurity policies in the United States, which the commission feels is necessary to prevent catastrophic fallout from breaches and attacks for corporations and citizens alike.

The report, released to the public in early March, embraces recommendations based on six pillars that the commission feels will help the United States implement a strategic approach to defending the country against cyberattacks ???of significant consequences.??? These pillars include:

  1. Reform the U.S. Government's Structure and Organization for Cyberspace
  2. Strengthen Norms and Non-Military Tools
  3. Promote National Resilience
  4. Reshape the Cyber Ecosystem
  5. Operationalize Cybersecurity Collaboration with the Private Sector
  6. Preserve and Employ the Military Instrument of National Power

Section 4.2 of the report caught our eye as it pertains to the private sector and supply chains, both of which are lacking a stipulated working relationship with the government. Part of this sweeping initiative includes an effort to ensure that companies that are assembling and selling software, hardware, and firmware are ???liable for damages from incidents that exploit vulnerabilities??? known at the time of shipping goods and not fixed in a reasonable period.???

This, the commission says, would establish a ???duty of care??? in law to make final goods assemblers responsible for producing security patches that cover products for the duration of their life and support needs???or for a year after the most recent patch release.

Why did the commission feel this effort is important? According to the report, ???To date, there has not been a clearly defined duty of care for final goods assemblers in their responsibilities for developing and issuing patches for known vulnerabilities in their products and services, the timeliness of those patches, and maintaining a vulnerability disclosure policy.???

It???s essential that organizations are covering their bases to keep their products secure. Implementing these regulations would be a huge leap forward in lessening the fallout from inevitable cyberattacks.

Chris Wysopal, Chief Technology Officer and co-founder of Veracode, explains:ツ?ツ????We have long known how to build more secure systems and many market leaders do build this way, but it is often impossible for the customer to understand if they are getting secure software with strong security maintenance backing it up or a lemon where the vendor will drag their feet issuing patches.ツ? Standards and transparency can give customers and regulators a choice.???

Transparency is critical here. A mandate from the Federal Trade Commission would ultimately make it easier for end-users and buyers to understand how companies find, record, disclose, and retain vulnerabilities???including the disclosure of known and unpatched vulnerabilities.

One of the potential recommended incentives for encouraging organizations to better handle patches includes placing a cap on insurance payouts for cybersecurity incidents involving unpatched systems. As we know well, these incidents are often very expensive and disruptive to business. The key is getting ahead of application security and preparing the best plan of attack for known and unknown vulnerabilities.

If this law (and other regulations in the report) take effect, companies will need to be much more proactive about how they handle security. Sending out software with vulnerabilities could mean a financial death sentence if organizations are not thorough about patching vulnerabilities and sending this information to their customers.

Becoming a security-minded organization starts with shifting left. Incorporating security processes early and often reduces risk and can even help train developers to code more securely at the start of a project. Down the road, that saves businesses from damaging liability and fines that so often come from unnecessary breaches.

Interested in learning more? Read the report here and get in touch with us to chat about how Veracode can help you prepare for this and other regulations on the horizon.

We’re All WFH Too – Here’s What We’ve Learned

Veracoders, like many of you, are facing the new reality of working from home, all day, every day. We have some employees who were already working 100 percent remotely, but also many who were accustomed to life in the office and are making the big shift to remote life.

So, it???s not surprising that some Veracoders are completely prepared for this new way of life and some are, well, working with what they have.

ツ?My desk setupツ? ツ? ツ?ツ?ツ?Office Setup

Yes, that???s my cramped workstation on the left, compared to a seasoned remote Veracoder with a pretty epic office setup on the right.

I should add, our life in the office was great. Before this global problem, I worked out of our office in Burlington, Massachusetts, and it???s a pretty special place, so this has been an adjustment. We???re a collaborative bunch ??? from bagels in the cafテゥ on Mondays, Wednesdays, and Fridays,ツ?to 404s on Friday evenings, monthly town halls, and twice a year Hackathons ??? you get the idea. We hung out together a lot!

And now we???re asking ourselves, how do we keep that spirit alive? How do we stay sane, productive, and connected ??? especially when all the kids are home too? We???ve all been sharing our tips, tricks, and advice over Slack, so we thought it might be good to share so everyone can learn from our experiences. We???ve also been asking our more experienced remote workers to share their best practices.

Keep up with your normal morning routine

When you don???t need to head into an office building every day, keeping up with your regular morning routine can help you level-set your mind. Whether that means taking a shower and getting dressed (in something other than pajamas) or sitting down in a comfortable chair to go through your morning email-checking tasks, practicing these regular routines is a great way to set the tone for the day. You may not need to go to an extreme like this gentleman, but any semblance of normalcy will help.

Make your workspace functional and comfortable

As Veracoder Marcus Watson shared, it???s important that you treat your back right when you???re working from home. ???Look after your back. If you're going to be working from home for an extended period of time, a comfy chair is essential,??? Marcus says. ???Dining chairs are great for a 30-minute meal, but if you're at your desk for a while, consider investing in an office chair with good back support. I have a local company that sells second-hand office supplies and that's where I got my desk and chair from.???

It???s important, he says, to also see if there???s a way toツ?use a proper monitor so that you???re less likely to slouch and add lumbar support to your chair by using a pillow or rolling up a towel.

Marcus's Setup???

Marcus has an impressive at-home desk setup with a microphone for clear calls and a light that he can adjust during video chats. And he keeps a friend with him, too. Notice the yellow duck? Rubber duck debugging is something Marcus practices while at home; it helps him debug code by explaining it line-by-line to the duck, which is especially handy when programmers don???t have a coworker nearby.ツ?

Don???t stress about inevitable interruptions

We???re all in the same boat as we adjust to working from home, and that comes with everyday distractions like noisy family members or pet interruptions. These are inevitable. Don???t stress if your daughter pops up in the background of a video call (unless you're beingツ?interviewed by BBCツ?news, that's not good)ツ?or your dog barks at the Amazon delivery driver when you???re on the phone with your boss. These things will happen, and your coworkers should understand.ツ?

Veracoder Ryan O???Boyle has a great tip for combatting interruptions: ???I have a smart bulb in my office that I use to let my family know I???m on a call. When I???m joining a call I trigger my ???ON AIR??? scene and it lights up red. Haven???t had much luck with it preventing pet intrusions though.??? What a bright idea.

If you have a jam-packed meeting schedule one day and you know you???ll need that peace and quiet, try taking shifts with your spouse, partner, or another family member. They can keep the kids and pets busy if need be and give you a break in the process. Mimicking your office environment will help you set boundaries, too. Veracoder David Buckle not only has a similar equipment setup at home as he does at work, but also his Veracode-branded desk necessities came with him.ツ?

David's Officeツ? ツ?ツ? ツ?ツ?David's WFH office

David explains: ???I have tried to make my temporary WFH office as much like my normal office desk including Veracode branded/themed items.???

Try new learning techniques with your kids

The luster of school closures can wear off fast when kids sit down to open the same books day after day. If they get fussy over the material, try alternatives like interactive educational video games that will keep them engaged and busy. Check your online communities too. Teachers and parents alike are sharing ideas, tips, and even frustrations with each other. You can also browse hashtags like #homeschooling on social media to gather inspiration for keeping kids productive and interested.

Display a schedule in your personalized workspace

At home, it???s all too easy to work past normal office hours. You can skirt around this issue by following a clearly defined work schedule for yourself, even if it means setting alarms on your phone so that you remember when it???s time to shift gears. This will prevent you from working at night, too, which can disrupt your sleeping schedule ??? unless you???re naturally a night owl.ツ?

Veracoder Jim Jastrzebski shares this great tip for leaping over scheduling hurdles: ???Someone very smart once told me that most people don't schedule their work, they schedule interruptions to their work - like meetings. Scheduling the important, no matter what it is, is a good practice.???

Personalizingツ?your workspace just like you tailor your schedule to daily tasks and to-dos can help you get into the groove. It'll feel more like home???or in some cases, more like your home-away-from-homeツ?office space, which I know I'm missing right now just like many of you.ツ?

Doug's officeツ? ツ? ツ?ツ?ツ?Doug's home office

Veracode's ownツ?Doug Wilcox sharesツ?the above photos of his too-cool office desk (left) and equally awesome home workspace (right).

Set a defined schedule for your kids, too

Schedules are essential for kids, pandemic or not. Use a whiteboard or piece of paper to write out their schedules for schoolwork, food breaks, playtime, and other essential activities. If you set these items with clear time commitments, it???s easier for kids to stick to a structured schedule and check off their to-do boxes every day. Everyone wins.

Veracoder Darren Meyer shares this tip: ???Don???t try to work the normal whole day through. Schedule work blocks followed by hanging out with, playing with, etc. the kids. I work about 2-3h and then take an hour with my kids. I still get 8-9h a day, my day just ends later.???

And if you decide not to follow a schedule, word to the wise???your kids may try to scare you with the latest ???smoking toilet??? meme that???s floating around the internet.

Overcommunicate with family and set physical boundaries

Overcommunication and clear boundaries are essential when uncertainty and isolation begin to take their toll. Make sure that children and partners recognize your work schedule and understand that you???re sticking to it every day. If need be, designate a defined ???private space??? that you can claim should you need to escape for an important call or focus on finishing a project. Those physical boundaries might be just what you need to get through daily distractions.

Rob's Office???

Veracoder Rob Layzell carved out a workspace for himself at home, and it looks cozy!

Remember to take physical breaks throughout the day

Physical activity can change drastically when you???re isolated at home. Get some fresh air and go for a walk, do some exercises, or take up a virtual yoga class. If your coworkers are struggling to remember their own physical breaks, set up group chats on Slack or Teams and encourage each other to step away from the screen every so often.

You can even break for housework tasks that you rarely get the chance to tackle; you???ll feel more productive throughout the day and reduce the risk of uncomfortable tension and pain that comes from makeshift desk setups at home. ツ?

Schedule calls and video chats with coworkers to catch up

When the lines start to blur between work and home life, you might forget to check in on the coworkers that you regularly catch up with at the office. Reaching out and having non-work-related conversations with your coworkers helps shake the cobwebs of isolation and brings a sense of normalcy to your schedule (cats optional).

Toshi the helper???

Veracoder Suzanne Ciccone enjoys breaks with her furry coworker Toshi (when he???s not sitting on the keyboard, that is).

Some Veracoders are making it a point to schedule morning coffee catchups that are helpful for boosting morale and setting the tone for the day. If you???re feeling extra disconnected, consider having lunch with coworkers over Slack or Zoom video chat to regroup and break up the workday. It???s a small gesture that will make a big impact.

We???re all in this together

Maybe a little clichテゥ, but it???s true. We???ve seen it here at Veracode ??? despite the uncertainty, stress, and sudden shift in routines, Veracoders as a group have been incredibly positive and supportive of each other and our customers over the past week (and surely, beyond). I said at the beginning of this blog that Veracode is a special place. Clearly, that applies regardless of whether we???re sharing an office or not.

We???ve also seen the support and idea-sharing across the country and world. In that spirit, we???re thinking about more blog posts on working in this new reality ??? if you have any tips, stories, or best practices, send us a note on Twitter, Facebook, or LinkedIn.

Stay safe out there, everyone!ツ?


To Scan or Not to Scan? Why Frequency Matters for DevSecOps

Frequency matters. We know from our 10th annual State of Software Security report (SOSS) that when development teams scan their code for security more than 300 times per year, they can reduce their security debt by five times. That???s five times less risk carried around by developers, freeing them up to focus on improving processes and tackling the most dangerous vulnerabilities.

Recently, Veracode???s Chris Wysopal and Paul Farrington sat down with IDG for a podcast deep dive into these and other findings from our 10th edition of SOSS. In Frequency Matters: The Case for Scanning Early and Often, Chris and Paul discuss what scanning frequency means for creating a security-minded culture, and best practices for bringing regular scanning into DevSecOps processes.

So, what???s at the heart of this growing problem with security debt? On top of irregular scanning cadences, more organizations need to prioritize establishing clear processes and ask business decision-makers to take application security seriously. That, in part, means giving developers credit for their work and showing that they???ll be rewarded for making positive shifts in application security.

Encouraging business leaders to pour more time and resources into development teams only supports the objectives and goals that lead to more secure software. In part one of Frequency Matters, Veracode???s EMEA CTO Paul Farrington explains that when the technical aspects and processes of DevSecOps are embraced by internal teams, their fix rate is 11.5 times faster than teams that don???t embrace DevSecOps.

What does that mean in the long run? Faster fixes and fewer flaws lead to less security debt, which is a big problem plaguing organizations across all industries. In the second part of Frequency Matters, Veracode CTO Chris Wysopal sheds more light on the mounting security debt caused by persistent flaws that build up over long periods.

???We saw that medium severity flaws actually got fixed faster than high severity flaws, which seemed a little strange,??? Chris explains, speaking of the findings in SOSS X. ???But we did see the correlation between scan cadence and scan pattern; that correlation was much stronger.???

In order to build secure software, organizations can???t rely on prioritization alone. Instead, Chris says, businesses should have practices in place that are built into the software process to get ahead of vulnerabilities and stifle security debt.

Moreover, it???s essential that security and development teams break down their silos to build relationships across departments. With frequent scanning early and often, open discussions with management across departments, and a shifted focus on prioritization, reversing security debt is possible.ツ?

Want to learn more? Listen to both parts of Frequency Matters and the other episodes in this series to learn about the state of application security.


One Veracoder’s Climb Over the Glaring Gender Gap in Tech

"It is amazing what a woman can do if only she ignores what men tell her she can???t." ???ツ?Carol K. Carr

It???s no secret that there???s a gender gap in technology. While the wage gap is languidly closing between male and female computer programmers, it looms large as an indicator that there is still work to be done. According to Girls Who Code, by 2027, only 22 percent of computer scientists will be women ??? that???s a drop from 24 percent in 2017 and 37 percent in 1995. Reversing this trend comes down to acknowledging it and encouraging young women to look beyond what society tells them they???re meant to pursue in life.

As more schools integrate programming and coding course requirements early on, it???s vital that young women can clearly see their seat at the table. So how do we prepare them for the fight they???ll inevitably face if they enter the world of programming, or introduce them to computer science altogether? By sharing the stories of women who came before them and understanding that some must build their own seats from scratch.

Take Mary Allen Wilkes for example, who fell into a computer programming job at the Massachusetts Institute of Technology in 1960. Mary was unsure of which direction to take her career after graduating from college and recalled that, by chance, her high school geography teacher had suggested she become a computer programmer. Mary didn???t even know what a computer was at that point, but after graduating from Wellesley College in 1959, she headed straight to MIT to inquire about computer programming jobs. Before long, Mary was a programming prodigy working on the IBM 704 and later the LINC computer, which is considered the first ???personal computer??? by many in the industry.

Mary???s story isn???t far off from how other women enter the world of computer science today. One of Veracode???s own employees, Lupita Carabes, was introduced to programming by happenstance and discovered firsthand just how large the gender gap in software engineering is. We asked Lupita to share her story for Women???s History Month in hopes that it will help inspire the next generation of girls and women to uncover otherwise unseen male-dominated career paths. ツ?

What is your role at Veracode and which roles have you held in Engineering in the past?

I???m currently an Application Security Account Executive at Veracode, though previously I was an Application Security Software Developer. I was also a firmware/software developer intern during my senior year for the connectivity team at HP, working with WiFi-Direct and BLE technologies. I was the only one with Android mobile app development experience on the team at the time and helped prototyped concepts that would normally be outsourced to a third-party application development firm to validate technical feasibility.

What did you study in school that brought you to a career path in Software Engineering?

I never knew Engineering was a career option until my senior year in high school. I was in AP Calculus 2, AP Physics, and AP Computer Science. I was naturally good at mathematics, so those subjects intrigued me more. English is my second language, so I found reading and writing more challenging. Through the Boys and Girls Club mentorship program, I was fortunate to attend LaSalle Catholic College Preparatory on a scholarship. I graduated with honors and earned first place in a competition for a full ride scholarship to the University of Portland, where I earned my degree in Electrical Engineering and a minor in Computer Science.

In what ways were you exposed to computer science growing up?

My parents have always been very entrepreneurial as a result of having to make their own way.ツ? They instilled core values that drove me to seek out opportunities. My dad ran his own local non-profit television show to educate the Latino community, so I spent a lot of time volunteering and it inspired me to learn about film and photography. I joined a program that helped me save money to buy my own camera; for every dollar I put in they put in two through a local bank. Then, my dad took out a loan and we started a wedding/special occasion video and photography business.

I loved the arts. Before discovering my capabilities in the mathematical world, I applied and was admitted to a very competitive arts magnet school, Da Vinci Arts. During my time there, I kept skipping math levels and I was encouraged to explore that talent. I ended up transferring back to my local neighborhood school in the 8thツ?grade and competed for a full ride to the private Catholic Prep.

The same program I was admitted to also provided the opportunity to compete for a full ride to college upon graduation. While I excelled at math and loved the Arts, not having the reading and writing skills necessary to stand out amongst my peers meant that I needed to think of ways to be financially independent in case I couldn???t afford college.

That???s how I signed up for a web development course. I wanted to create a website to market my family???s photography and video services at a greater scale. There was a mix-up with enrollment, and I ended up in AP Computer Science 101 instead. The rest is history.

What are a few of the biggest reasons you feel a lot of young girls and women don???t decide to follow a career path in computer science?

I think it comes down to the lack of role models. I had no idea that my love for mathematics would lead me down this path. I knew I could never be a nurse; I couldn???t spell or correctly pronounce half the words in biology. I knew about occupations like teacher, lawyer, etc. but I read too slowly, writing wasn???t my forte, and I was very shy. The list could go on. I didn???t see women around me in programming careers, so it never occurred to me that I could branch out beyond other common roles. I think this is a problem a lot of young women face.

"Each time a woman stands up for herself, without knowing it possibly, without claiming it, she stands up for all women." ???ツ?Maya Angelou

We???ve seen that there is a gender gap between front-end and back-end developer roles. Why do you think that is, and what are some ways you think we can close those gaps?

It comes back to the stigma of left brain vs. right brain. Creativity vs. logic. Front-end is ???visual and easy,??? while back-end is ???complex and too difficult.??? The stigma around gender roles in technology is clear in most cases: there???s an assumption that women should take on the ???easier??? creative and visual roles, while men should take on the complex and ???difficult??? roles. I think we can close these gaps by sharing more stories like mine. The first coders were women. As a society, we have made progress, but we have a long way to go.

How can male developers become allies for female developers in the workplace?ツ?ツ?

My personality has evolved significantly over the years, but Engineers typically spend more time thinking than talking (at least I did before I gained the confidence to speak up). This environment makes it difficult to collaborate. So, often it???s hard to show off your strengths or work on your weaknesses. I think collaboration solutions like Slack lessen the anxiety a bit because they open the lines of communication. Male or female, it???s important to understand differences and be open to learning more about each other as people. That???s how we break down walls and close gender gaps.

What is some of the best advice that former managers have given you? Were there times when former managers could have given you better career guidance or support?

My career path has taken some interesting turns, but it all kind of makes sense when you look at the bigger picture. The best advice I???ve received is to seek out mentors. I???ve had some instrumental people in my life that have guided me through my journey. I could???ve been better supported when I went against the grain and challenged social norms. I???ve had people tell me to do as I am told, speak less, not admit when I don???t know something, and so on. To me, that is very counterproductive for any work environment, let alone for women in a male-dominated industry.ツ?

Can you talk about how Veracode handles these issues, from your experience?

Veracode does a wonderful job putting female role models in leadership positions, which in turn translates into a culture that inspires women to seek new heights in their careers. I???ve said it before, and I???ll say it again. When I grow up, I want to be Sam King.ツ?

Veracode???s culture has allowed me to cultivate every aspect of my brand in this industry. I???ve never felt so confident and empowered. Never in a million years did I think I would be working with million-dollar companies, providing consultative advice to C-level executives and Engineers with accolades and patents galore, helping secure their software.ツ? The girl who didn???t even know what software was is now seen as someone with a demonstrated history of working in this space. I couldn???t be more grateful!

"Step out of the history that is holding you back. Step into the new story you are willing to create.??? ???ツ?Oprah Winfrey

Stay tuned for more blog posts in this series as we explore the gender gap many female developers face, and discuss how we, as a community, can reverse the trend. ツ?


AppSec Analytics and Reporting Tools Give You the Edge of Insight

As DevSecOps takes hold, more developers are taking on security-minded responsibilities. Instituting strong AppSec governance with policies backed by analytics and reporting enables developers to focus on real-world problems and deliver secure code ahead of schedule.

It???s all in the numbers. When development and security teams invest in the right tools to speed up their processes and improve their AppSec, data and insights only help demonstrate success to management while also proving compliance with clear reporting on defined criteria. That???s where the right solutions with proof-positive results come into play.

Merge inputs and manage expectations with metrics

Durable governance frameworks make all the difference when it comes to streamlining and consolidating AppSec efforts for multiple teams. They incorporate input from numerous stakeholders and sources to best address the practical needs and requirements of the AppSec program. Not only does this ensure that everyone is on the same page for hitting goals and desired outcomes, but if done correctly, it places the focus on security as a group effort rather than individual, siloed teams.ツ?ツ? ツ?ツ?

Leaning on metrics, organizations can better manage their departments and programs by gaining visibility into what works and what doesn???t work, where efforts need to scale up or down, and how to best achieve the goals they set with defined policies in mind. This way, developers know exactly which issues require attention and which ones are not mission-critical to hitting deployment dates.

Optimize efforts through data-driven visions

Without the right data on-hand to optimize efforts in a meaningful way, it can be difficult to guide developers and make the best decisions about future investments. Veracode Analytics makes it easier for organizations to mature their programs with insights into the best ways to scale efforts and hit AppSec goals. Analytics pave the way to ensure that resources are used in the most cost-efficient ways by weighing remediation against mitigation so that teams can make vital decisions about developer skills and where there may be gaps in training.

Additionally, data-driven insights help businesses decide which tools and solutions are best for their needs. Analytics can simplify the creation of SLAs and policy rules, too, defining when developers should scan and how quickly they should remediate vulnerabilities. By shining a light on gaps in training and skills, analytics help ensure that development teams have everything they need to find and address issues without halting production.

Demonstrate success and prove compliance

When unable to demonstrate success, any dedicated AppSec program is at risk of failure. Analytics, metrics, and policy reporting provide the insight organizations must have to show proof-positive progress and give stakeholders the confidence they need for decision-making and budget setting. Dashboards and data visualizations in Veracode Analytics make the information easy to consume, with trackable metrics that prove compliance, show flaw rates, highlight fix rates, and give companies the edge for achieving business goals.

Now more than ever, regulations around software security are essential to complying with government guidelines and customer requirements. Inclusive results from penetration testing, coupled with automated scans, can help meet compliance regulations like GDPR (Article 32), PCI DSS (Requirement 11.3), Sarbanes-Oxley, HIPAA, and regional laws that impact businesses locally. ツ?

Organizations have the ability to leverage data from Static Analysis, Dynamic Analysis, Penetration Testing, and Software Composition Analysis in one dashboard or report.

Data compiled from customized or standard policy reports is easily reported directly into an organization???s governance, risk, and compliance (GRC) system too, ensuring that each stakeholder and decision-maker has the information they need to guide future AppSec decisions.

Gain the edge of insight

When it comes to facing and fine-tuning old AppSec governance policies that must accommodate modern security needs, organizations should adjust course with analytics, metrics, and policies that help developers deliver better code.

Veracode AppSec Governance solutions are built to enhance programs when it???s time to realign. Get in touch to learn more about Veracode???s solutions.

Four Critical Steps to Speeding up DevSecOps Programs

The power of DevSecOps is undeniable. As more organizations adopt this methodology, it???s clearer than ever that writing secure code isn???t more time-consuming or complicated than writing insecure code???it all comes down to the right tools, training, and integrations. Incorporating security-minded processes into the development cycle early and often exposes developers to flaws and vulnerabilities sooner, which means they???re empowered to adjust course and plan resourcefully while sharpening their skills. ツ?

The main principles that help organizations successfully secure their DevSecOps programs embrace a few key themes: automating security, maintaining operational visibility, and reducing false alarms. When paired with powerful tools that help developers work smarter, these crucial steps can speed up your DevSecOps program and set your development team on course for smooth sailing to deployment.

Have an array of capable solutions at your fingertips

Overcoming DevSecOps challenges to combine developer enablement with security governance can be tricky if you have a hodgepodge of solutions that are difficult to scale. It???s even harder when teams lack the bandwidth or essential skills necessary to manage these DevSecOps programs. Organizations need tools that work smarter, allowing developers to focus on the tasks and projects that propel development forward instead of slowing it down.

For most businesses, this means a robust SaaS solution that provides a scalable service at a lower cost. In addition, having all application analysis types in one solution streamlines testing and reporting. Veracode combines all testing types???Static Analysis, Dynamic Analysis, Software Composition Analysis, and Pen Testing???in one place.

Opt for seamless integration and simple automation

Successful application security strategies weave automation into testing processes early and often to find flaws fast. It???s also essential to keep development and security teams working with the tools they have, integrating application security into their existing solutions and processes.

When development teams are tasked with delivering high-quality code faster than ever before, automated code testing tools bridge the gap to seamlessly and efficiently integrate security into the software development lifecycle (SDLC). Veracode???s solutions are built to keep up with the demand for automation and speed, with APIs and plugins that don???t interrupt the coding process.

For instance, Veracode???s Pipeline Scan directly embeds into teams??? CI tooling and provides fast feedback on flaws being introduced on new commits. Teams can break the build if policy-violating flaws, based on severity or CWE category, are introduced on a commit or net-new security issues are found. Because this scan is built in line with best-in-class CI tooling, there is no learning curve for developers. Another example: Veracode???s defect-tracking integration with Jira can automatically create a defect for each new security finding with no buttons to push.

Minimize false-positive rates to speed up development

False positives slow everything down. They erode developer confidence and chip away at speed, with rule tweaking and manual reviews only compounding the issue. Veracode Static Analysis offers an industry-leading 1.1 percent false-positive rate???verified by our customers and the thousands of applications we???ve scanned.

That???s a lot faster than the competition???s 32 percent false positive rate, and as a SaaS-based platform, there???s no need to manually fine-tune or suppress rules. Developers are free to focus on real flaws and won???t need to spend as much time chasing down false positives.

Stay on top of analytical data

Many organizations see their AppSec programs struggle because they do not have data-driven insights to help develop, manage, and mature their programs. Veracode???s analytics provides customers with visibility into data that helps them overcome common challenges, including reporting the success of their AppSec program, determining future investment paths and ROI, and how to optimize and mature their program over time. AppSec analytics allow stakeholders and decision-makers to benchmark success and determine where developers may need more training to improve their remediation skills.

The proof is in the numbers, right? Veracode analytics give our customers the edge of insight, providing data from Static Analysis, Dynamic Analysis, Penetration Testing, and Software Composition Analysis all in one place.

Organizations can implement standard or fully customized policies that meet their own business needs and have one clear report in hand to prove compliance with pass or fail results based on their defined criteria. That data can then be reported directly into an organization???s governance, risk, and compliance (GRC) system without missing a beat. That???s a big step forward in achieving security goals by working smarter, not harder.

Ready to learn more? Schedule a demo to discover how you can implement and supercharge your DevSecOps program.

Veracode Wins Three Awards for AppSec Excellence as a Leader in DevSecOps

We???re excited to announce that we have received three awards for our innovative solutions in application and information security!

Info Security Products Guide Silver Winnerツ?ツ? ツ?ツ? ツ?ツ?Cyber Security Excellence Awards Winnerツ?ツ?ツ?ツ? ツ?Cyber Defense Magazine InfoSec Awards Winner

Info Security Products Guide, the industry???s leading information security research and advisory guide, named Veracode a Silver Award winner in their Application Security and Testing category for the 16th Annual 2020 Info Security PG???s Global Excellence Awards. This honor recognizes cybersecurity and information technology vendors who offer advanced and innovative products, solutions, and services that help propel the industry forward.ツ?ツ? ツ?ツ?

Additionally, the 2020 Cybersecurity Excellence Awards named Veracode a gold winner in their software category as a leading SaaS-based AppSec platform that empowers developers and accelerates DevSecOps. Recipients of this award were selected both on the strength of their nomination and on a popular vote by members of the information security community.

We???re also honored to receive an award from Cyber Defense Magazine (CDM), the industry???s leading electronic information security publication, which named Veracode the winner of their Best Product for Application Security award.

For the past six months, CDM surveyed 3,200 pioneering companies that are changing the InfoSec game with advanced security products and services. Submissions were open to any startup, early-stage, later-stage, or public organization, and judges ultimately selected just 10 percent of those candidates to receive a coveted InfoSec Award during RSA Conference 2020.

???With cybercrime heading into the tens of billions of records stolen and potentially trillions of dollars in damages, we are proud to recognize Veracode as an award-winning innovator that offers a new approach to defeat these criminals,??? said Pierlugi Paganini, editor-in-chief, Cyber Defense Magazine.

This is Cyber Defense Magazine's eighth year honoring InfoSec leaders from around the world. When selecting winners, judges looked for forward-thinking leaders in InfoSec that offer cost-effective solutions and help propel the industry forward in unexpected ways.

???These winners are the most innovative and proactive cybersecurity companies and service providers on the planet who are working to bring tomorrow???s cybersecurity solutions to market, today,??? said Gary S. Miliefsky, Publisher of Cyber Defense Magazine.

Like CDM, Veracode is dedicated to thinking about the future of information security. This award exemplifies our dedication to creating groundbreaking solutions that help organizations secure the software they need to power their world.ツ?ツ?

You can find the full list of CDM's winnersツ?here and visit us at RSA Conference 2020 (booth N-5553) to learn more about our application security platform.

What Our Data Reveals About Security Debt

It???s a habitual practice we learn from an early age; keeping track of loans and credit card bills reduces overall debt and makes it easier to bring debt down quickly, avoiding those pesky spikes in interest. That very same practice applies to software security testing. Software is tested, vulnerabilities are revealed, and unaddressed vulnerabilities build up over time as interest in the form of extra work, which compounds into security debt that???s increasingly difficult to reduce the longer you wait.

Often, the solution is reprioritizing flaws and improving fix rates to reduce liability over time. In our 10th annual State of Software Security (SOSS X) report, we discuss how some of our findings from over 85,000 application scans correlate with mounting security debt???and why you should pay attention.

Debt dwindles with frequent scanning

Just as making consistent payments on your credit card reduces debt over time, a frequent scanning cadence can lower the amount of debt your organization carries. When surveying the findings in our SOSS X report, we saw that frequent scanners (300+) have 5x less debt than infrequent scanners and they see a 3x reduction in median time to remediation (MedianTTR), or the amount of time it takes to fix flaws.

Scanning Cadence

Misaligned remediation priorities add to interest

In SOSS X, we talk about how some developers operate on LIFO (Last In, First Out) or FIFO (First In, First Out) methods for fixing flaws. Standard remediation procedures are not one size fits all???what works for your organization may not work for another. But the data we studied shows the likelihood of a flaw being fixed in the first month is only about 22 percent. That number drops down to 10 percent for the second month and 3 to 5 percent as time goes on.

Remediation Time

It???s clear from this data that developers are prioritizing the most recently found flaws above all else. The problem with this process is that it doesn???t take into account what is actually increasing risk. Ultimately, an older Cross-Site Scripting vulnerability is just as dangerous as a more recently discovered one. However, this chart sheds light on the relationship between scanning cadence and security debt; if we???re paying more attention to recently discovered flaws, frequent scanning means additional newer flaws to address. Boosting your scanning cadence and sitting down as a team to figure out your approach to prioritizing flaws can help set you on the right path.ツ?

Some industries are more prone to debt than others

Security debt doesn???t discriminate. It shows up in every industry, though some are more likely to accrue debt than others depending on how they prioritize fixes over time, as previously discussed. Data from SOSS X shows us that the Manufacturing and Government/Education industries carry more debt on average than other prominent industries.

Security Debt by Industry

What???s most important to note, though, are the trends over time. For example, we can see that around month four, organizations in Government and Education have an uptick in average fix rates. While Retail doesn???t carry much debt overall, companies tend to remediate the bulk of their flaws by month six or seven and contribute to debt reduction. ツ?

Security needs vary (capturing quick payment information versus storing robust patient histories and treatment plans, for example), but data from your specific industry will help you keep a pulse on average fix rates for security debt. You and your team can then review this data on a consistent basis when creating long-term plans for eliminating flaws.

PHP and C++ build up debt the fastest

Your plans for fixing flaws and reducing debt should factor in the languages you???re using. Why? The average security debt for PHP and C++ is huge and tends to grow over time, especially when compared to .NET, Android, Java, Android, and JavaScript.

Language Flaw Debt

Issues with these two languages are the results of simplicity and age: PHP is suited for beginners and is thus susceptible to insecure coding, while C++ is a powerful language that requires some hands-on management of memory and stack control ??? vulnerabilities that are easier to introduce in C++ than in more common languages.

It???s difficult for most teams to change the language they???re using at work, but it???s important to keep in mind which languages easily add to security debt. Carrying this awareness and understanding changes in language trends will help you prepare efficient security processes throughout your career.

Cross-Site Scripting carries the heaviest liability for debt

When we look at the layers of flaw percentage by application age, it???s apparent that Cross-Site Scripting (A7-XSS) carries the largest amount of debt across applications. There???s also a slight rise in percentage as we inch closer to the 7-month mark, which tells us that XSS (among others) is a notable contributor to security debt.

Cross-site Scripting

XSS attacks occur when a malicious script is injected into a webpage and it alters the way that page behaves, opening the site up to damaging security holes open to unwanted activity, like bypassing authentication or stealing sensitive information. This prominent flaw is not picky when it comes to language, either, with notable findings in .NET, iOS, Java, JavaScript, PHP, and Python. Spanning languages with prevalence and risk, XSS is one to keep an eye on as you work towards reducing your security debt.

Read the full SOSS X report

Want more info? Check out ourツ?SOSS X pageツ?for the full report andツ?additional data to absorb as we head into 2020. You can also listen to our podcast series with IDG, in which three of the episodes dig into security debt to drill down on different industries, why security debt grows deeper, and what's behind the buildup of unfixed flaws.ツ?


Stay Sharp and Squash Security Debt with Veracode’s Security Labs

???Tell me and I forget. Teach me and I remember. Involve me and I learn.??? This renowned quote from Benjamin Franklin is a powerful mantra for refining skills in any craft, coding included.

When it comes to developer training, nothing beats hands-on experience with real code customizable to the way a business runs. That???s why we???re excited to announce our new online training platform, Veracode Security Labs, crafted for developers and organizations eager to learn best practices in modern application security, deliver code on time, and reduce security debt. Whether developers lack the time for training or simply want to stay sharp, Security Labs empowers them to learn and grow backed by application security.

It isn???t a simulated experience; developers can log into the program to access a real application in a contained environment. From there, they learn how to exploit that application and practice fixing vulnerabilities with exercises on modern web applications, in their preferred languages, for a tailored and comprehensive hands-on training that helps them establish best practices. Ben Franklin would be proud.

Fast and effective learning

When a breach hits, employees can find themselves in a mad dash to patch security holes and remediate damage. Being prepared is all about incorporating security-minded processes earlier in the development cycle to avoid such headaches down the road. The interactive Security Labs experience ensures developers leave the training module ready to hit the ground running with fresh new skills that help them not only fix flaws quickly, but also write better code. ツ?

???The future of AppSec depends on enabling developers to create more secure code from the start,??? says Fletcher Heisler, Veracode???s Director of Developer Enablement and one of the minds behind Security Labs. Using Security Labs to directly exploit and patch real code means developers can begin improving in just 10 minutes.

???Through this hands-on practice, developers gain practical AppSec skills that can be applied immediately,??? Fletcher explains. ???For Veracode customers, this means more secure code, less time spent on security debt, and developers who are overall more engaged in supporting security.???

Through progress reporting, email assignments, and a leaderboard, teams of developers feel inspired by each other to advance their secure coding skillsets. Managers can set required modules and deadlines too, with tools for tracking team completion and exporting progress reports so that they have results in hand to prove capability and compliance.

Best practices and beyond

Veracode Security Labs isn???t solely about preparing developers to tackle vulnerabilities and stay on top of compliance. At its core, this training platform bridges the gap between development and security to empower organizations with the tools they need to keep AppSec at the forefront of their operations. And with the average cost per data breach incident hitting 3.29 million in 2019, staying sharp can save money and bandwidth in the long run.

???It???s so much more costly, in terms of both dollars and time, to fix a security flaw once it has already made its way into production code,??? says Fletcher. ???Meanwhile, security teams can???t scale to the time and expertise required to review every line of code from every developer. If developers have the foundational training to write secure code from the very start, an organization will be able to deliver ??? andツ?continueツ?to deliver ??? applications and features on time without getting bogged down in security debt.???

Practical lessons from this hands-on program can help an organization from the ground up. And when paired with Veracode???s Static Analysis IDE Scan solution to quickly identify and remediate flaws at scale, development teams have every opportunity for risk reduction at their fingertips.

Interested in trying it out? You can find more information about Security Labs here, and request a demoツ?to see how this solution can benefit your organization.

6 Noteworthy Data Breaches in 2019

2019 was a banner year for breaches. Some of the biggest victims included social media heavy-hitters Facebook and TikTok, as well as financial dynamo Capital One. They???re just the tip of the iceberg: according to Forbes, over 3,000 breaches in 2019 tallied up to 4.1 billion compromised data records. That???s a whopping 22.5 million records stolen by cyberattackers every day of last year.

We know from our 10th annualツ?State of Software Securityツ?(SOSS) report that security debt is a major contributor to the risk of such breaches and attacks. We also learned that those who scan their code for security issues more frequently (300+ times per year) vastly reduce the amount of debt (and risk) they carry. DevSecOps programs that institute more frequent application scanning cadences and break down silos between security and development teams can be a leap forward for organizations like the ones that fell victim to attacks last year.

As cybersecurity becomes a more complex issue, businesses that handle sensitive data ??? from passwords to Social Security numbers, banking information, and even medical records ??? should take this ever-prevalent problem seriously in 2020 and beyond. Here???s a look at six of the biggest breaches we saw in 2019.

Report: A Cyberattack Could Severely Disrupt the US Financial System

A new staff report from the Federal Reserve Bank of New York highlights the risk and potential fallout that a sophisticated cyberattack might have on the United States.In the report, analysts examined a scenario in which a single-day shock hits the country???s payment network, Fedwire, measuring the broad impact it would have on the economy. The results? A significant 38 percent of the network would be affected on average by significant spillovers to other banks, damaging the stability of the broader financial system in the United States.

How an attack might unfold

According to the analysts, this hypothetical situation would unfold swiftly. It begins with a cyberattack that allows financial institutions to continue receiving payments but prevents them from sending any payments throughout the operating day. In this scenario, because payments are actualized when Fedwire receives requests from senders, an institution???s balance in the system immediately reflects those changes???yet the targeted financial institution is unable to interact with Fedwire, causing a backup in the system. Essentially, impacted banks would become black holes that absorb liquidity without distributing any money.

Timing matters too and can magnify the impacts of a breach. ???Attacks on seasonal days associated with greater payment activity are more disruptive relative to non-seasonal days, with average impacts that are about 13 percent greater,??? the report says. ???We estimate that, on average, attacking on the worst date for a particular large institution adds an additional 25 percent in impairment relative to the case of no specific knowledge.???

The domino effect of liquidity hoarding

An important point to consider from this analysis is that the consequence of hoarding cash and forgoing payments during a breach can worsen the situation. The report explains, ???We find that liquidity hoarding amplifies the network impact of the cyberattack, both increasing the average impact on the system and increasing the maximal risk.??? As banks are not necessarily perceptive of daily liquidity conditions because they have ample reserves on hand, they likely will not react to these irregularities very quickly. Thus, all institutions other than the one impacted by a breach will continue to make payments as usual, resulting in substantial interruptions in the network.

It???s a domino effect that could shake up the whole system. Analysts uncovered a correlation between assets and payments over 80 percent, finding that a smaller subset of banks plays a vital role in markets like equity and Treasury. A cyberattack on a single institution could impede the day-to-day functions of the payment network and cause quite a headache that extends beyond the impacted institutions, reaching into the economy.

Failing to respond to these issues strategically as they unfold can lead to that previously mentioned black hole of liquidity. This problem may be worsened if financial institutions use the same third-party service providers, which offers less incentive for banks to monitor activity and spot abnormalities that can cause liquidity interruptions.

Strengthening security for financial institutions

Considering the above scenario, data from our most recent State of Software Security report (SOSS) indicates that the financial industry has some work to do to shore up its application security. The figures reveal that, in the financial industry specifically, the median time to remediate security flaws in code (MedianTTR) is 67 days, which is higher than nearly every other industry we measured. Information leakage also has a high prevalence at 66 percent as opposed to 63 percent across all industries.

Our data uncovers best practices that are dramatically improving remediation times and reducing overall security debt. The analysis for this year???s report found that when organizations scan their applications for security more than 260 times per year their median fix time drops from 68 days to 19 days???a 72% reduction.

Get more details on the application security trends and best practices in the full SOSS report.


State of Software Security v10: 5 Key Takeaways for Developers

In case you missed it, this year we launched our 10th annual State of Software Security (SOSS X) report! Armed with a decade of data, the Veracode team analyzed 85,000 applications to study trends in fix rates, mounting security debt, shifts in vulnerability by language, and more.

What did we uncover? At the core of our research, we found there???s still a need for better remediation processes and more frequent security scans. But we also uncovered some best practices that are leading to significant application security improvements. Read on for a snapshot of key takeaways that can help set you and your organization up for AppSec success in 2020.

Most apps still don???t pass crucial compliance tests

OWASP Top 10 vulnerabilities and SANS 25 software errors represent consensus listings of the most critical flaws in the industry, and while we???ve seen some changes in compliance rates across past editions of our SOSS report, the 10-year trend shows us that things haven???t shifted much as of late. Today, 68 percent of apps fail to pass OWASP on initial scan (down from 77 percent in volume one of SOSS), and 67 percent of apps fail to pass SANS on initial scan ???the same figure in volume one as volume ten.

The fact that these common and serious vulnerabilities are still prevalent in code underscores the fact that we are not creating environments where developers can code securely. The absence of proper secure coding training, as well as the lack of access to the right tools, is clearly creating risk.

Android, PHP, iOS, and C++ have a high frequency of flaws

This year???s data analysis found that over 90 percent of Android, PHP, and iOS applications contain security flaws on initial scan. Ranking over 80 percent were C++, .NET, and Java, while Python and JavaScript came in with the lowest flaw rates.

Language Scans

Why do we see a higher rate of flaws in mobile languages? Perhaps the reason Android and iOS are two of the top offenders is that many mobile applications aren???t properly scanned before they???re uploaded to the Apple App Store and the Google Play Store.ツ?Benツ?Greenwald, Director of Software Engineering at Veracode, explains further:ツ?

???One reason Android and iOS applications may tend to have more security flaws on first scan is because mobile developers believe they are already covered. Developers might assume that Apple and Google thoroughly test apps before they???re released, or they rely on Apple and Google for testing under the assumption that a security infrastructure is already in place.???

This issue only further highlights the need for thorough internal and third-party testing processes to ensure that your applications are secure.

Language also adds yet another layer to the issue of unfixed flaws piling up on developer plates; the average security debt for PHP and C++ is massive compared to that of .NET, Android, Java, and JavaScript.

Language Flaw Debt

As two of the top languages for flaw rates, it makes sense that unchecked issues in PHP and C++ can spin out of control for development teams. So, what???s their deal? PHP???s start in the mid 90s came with a basic design that works well for smaller applications and beginners learning to code, but it has since been so widely adopted and stretched beyond its means that it is left highly vulnerable to flaws.

C++ is an incredibly robust language that powers many of the operating systems, browsers, and productivity apps that we use in our daily life. But with that great power comes the great responsibility to manage memory, guard against use-after-free, and keep stacks from exceeding the fill line. These flaws tend to accumulate over time and are easier to introduce than in many of the today???s more commonly used higher-level languages.

While some applications are prone to debt buildup because they use multiple languages or a basic flaw-heavy language like PHP, it???s important to consider the steps your team can take to counterbalance the prevalence of flaws???like reprioritization.ツ?

Remediation priorities are misaligned for top vulnerabilities

Out of the 85,000 applications tested (including 1.4 million individual scans), our data shows that 83 percent of apps have at least one flaw when they???re initially scanned. That???s an 11 percent increase from volume one to volume ten of the SOSS report - but the good news is we also saw an overall 14 percent decrease in applications with high-severity flaws.

The bad news? Focus is, it seems, not always placed on fixing the right flaws. For example, we found that A10-Logging is ranked the lowest in flaw prevalence but is at the top of the list for fix rate, the bottom of the list for incidents, and doesn???t rank for exploit risk. A5-Access Control is another mystifying trend. It ranks low in prevalence but towards the top of exploit and incident rankings, falling right in the middle of the list for fix rate.

Some flaws and fixes are consistent, though. Both A1-Injection and A2-Authentication sit toward the top of the list across the board, while A8-Deserialization is reliably stable in the bottom half of each category. This discrepancy sheds some light on which flaws are neglected, deferred, targeted, and prioritized, and how DevOps teams can more efficiently rank issues.

Flaws that can be remediated quickly on a small scope are naturally resolved ahead of flaws that are slightly more complicated, but often those severe issues are less difficult to fix, underscoring the need for a more comprehensive plan of attack.

Developers favor recency, adding to security debt

SOSS X shows us that developers typically follow a LIFO (Last In, First Out) method instead of a FIFO (First In, First Out) approach. With LIFO, developers run the risk of contributing to security debt when older flaws are stacked underneath newer issues. As time goes by, the probability of remediation drops significantly, and any unmitigated remnants slide into the land of security debt.

This trend highlights an ongoing battle with security debt across the industry and draws attention to how it muddies the waters of remediation. Fortunately, we have revealing data on scanning cadence that can help reduce an organization???s debt over time.

Bursty scans contribute to security debt???but it???s reversible

We mention security debt throughout the SOSS X report (and this post) because it can leave organizations vulnerable to attacks in the backlog of flaws, and slower to mitigate issues that arise out of the blue.

The good news is, this year we also uncovered evidence of practices that are chipping away at security debt. It???s all about scanning frequency. We know that ???bursty??? scanning cadences result in a higher prevalence of flaws over time, as opposed to steady and early scan processes with fewer flaws open at once. Sometimes bursty scanning simply fits your waterfall development cycle or pairs with testing schedules that are event-driven, but this can leave security holes where flaws are missed month to month.

Bursty Scans

Based on our data, we know that development teams can improve their median time to remediation (MedianTTR) by about 70 percent with established procedures and consistent testing schedules. Automating your processes to increase scanning tempo and improve prioritization reduces the security debt that your organization carries.

Read the report

Want to see all this data in one complete package? Read the full SOSS report to learn more about the state of DevSecOps, discover additional data highlights by industry, and more.

The Consequences of Security Breaches Are Becoming More Severe

With the prevalence of cyberattacks, breaches, and data leaks heading into 2020, it???s becoming commonplace for employees to part ways with their organization after a security incident. Although the consequences from a breach were less severe in the past, reactions are shifting as data leaks are deemed more dire than ever before.

A 2018 report from Kaspersky Lab surveyed 6,000 people in 29 countries and found that, globally, 31 percent of cybersecurity incidents resulted in the layoff of employees at impacted companies. In roughly a third of these cases, those employees holding senior IT positions were most often let go from their roles after a breach or security incident.

The results from Kaspersky???s survey also revealed that 32 percent of C-level managers and CEOs in the United States were laid off post-breach. That number is lower in other countries but still higher overall than most functional roles within and outside of IT, representing a growing trend in how organizations respond to breach backlash. As cybersecurity professionals are in high-demand and C-level managers cost a pretty penny, making the decision to part ways is not always easy.

Weathering the post-breach storm

With great power comes great responsibility. In 2017, the CIO of Equifax U.S. Information Solutions, Jun Ying, was sent to jail and forced to pay $55,000 for insider trading after it was discovered that he shared information about a breach before it was made public by the company. In the same year, Uber???s CSO Joe Sullivan was let go after he allegedly helped cover up a bug bounty pay-out for over $100,000, paying attackers in exchange for the deletion of stolen data on 57 million drivers and passengers. Both Sullivan and security lawyer Craig Clark were fired from the company.

Sometimes privacy-minded employees clash with their own organization???s policies and can eliminate a role altogether. For example, Facebook???s former CSO, Alex Stamos, left a security role at the social media powerhouse after he allegedly disagreed with how Facebook handled the very public Cambridge Analytica scandal. In 2018, Facebook made the decision not to replace Stamos and to instead rely on introducing security engineers, analysts, investigators, and other specialists into their engineering and product teams. It was a testament to how fast things can change within an organization???s security team.

In other situations, ex-employees can cause unanticipated headaches with ripple effects of their own. Capital One fell prey to cyberattacker Paige Thompson when she infiltrated the company???s third-party cloud server to access 106 million customer records in 2019. Thompson, previously an Amazon Web Services software engineer, allegedly built a scanning tool that looked for misconfigured cloud servers on the web providing easy access to username and password credentials.

These examples lead to a logical question: if your business is unable to fortify its internal processes and protect sensitive information, is it trustworthy to consumers? With a solid plan for security and remediation in place, the risk of job loss and consumer distrust diminishes.

Getting serious about your security

As breaches and cyberattacks lead to high-profile firings that play out in the media, the public is paying attention. A recent IDG Survey Report, Security as a Competitive Advantage, found that 66 percent of respondents are more likely to work with a vendor whose application security has been validated by an established, independent expert.

Additionally, 99 percent of those surveyed for the report welcome the advantages of working with a certified and secure vendor, such as improved protection of IP data that leads to peace of mind for their customers. There are measures your organization can take to boost customer confidence, give you a competitive advantage, and potentially prevent the loss (monetary or otherwise) from a breach or cyberattack.

In addition to incorporating security testing into your software development, third-party validation of your security efforts shows prospects and customers alike that securing data is a top priority in your organization???s application development process.

Independent security validation comes with a number of benefits, enabling vendors to:

  • Proactively address any questions a prospect might have about security
  • Instill confidence in buyers that they???re choosing a vendor who cares about their data
  • Speed up sales cycles by eliminating the need for back-and-forth validation
  • Stay one step ahead of security concerns from customers and prospects
  • Integrate more efficiently with development teams to improve security

With third-party validation in place, you not only have proof positive that your organization cares about security, but also a roadmap for maturing your application security program. The risk of losing employees to high-profile incidents also diminishes. Eliminating concern and doubt sets you apart with a competitive advantage in the marketplace that sends a clear message to buyers: you???re serious about security.ツ?ツ?

Learn how the Veracode Verified program can help position you as a trusted and secure vendor so that you???re ready when a prospect comes calling.

Work in Healthcare? This is Why You Should Give Your Security a Checkup

Most patients practice preventative care through regular trips to the doctor, catching minor issues before they turn into major medical problems. So, why don???t more organizations follow suit with security testing to prevent breaches and fortify the safety of patient information?

Too often, remediation is an afterthought as developers scramble to patch holes in their systems post-breach. A recent report in the journal of Health Services Research suggests that this herculean effort can put a strain on patient health when things slow down after a breach and new security measures are introduced. However, preventative care can work in the security world just as it does for your health.

Less isn???t more in healthcare cybersecurity

Some experts and industry thought leaders see unfortunate breaches as opportunities to better understand what went wrong and how it can be prevented in the future. Unfortunately, information from these breaches sometimes muddies the tumultuous waters of cybersecurity and can cause panic over increased security procedures.

Josephine Wolff, assistant professor of cybersecurity policy at Tufts Fletcher School of Law and Diplomacy, found that the 2019 report published in the journal of Health Services Research draws dangerous conclusions about the negative impacts of mitigating cyberattacks in healthcare. The HSR paper proposes that lost passwords and associated security measures???like two-factor authentication???hold up patient care with increased wait times for ECGs and result in higher rates of fatal heart attacks. A point, they suggest, that should lead to less aggressive security efforts.

In her article, Wolff proposes that a slower remediation process is precisely why more medical institutions should view this as a crucial pivot point, not a nuisance. She explains, ???Undoubtedly, IT upgrades and updates can inconvenience workers and slow down operations in any workplace, but that is a reason to develop techniques and processes for implementing them more smoothly???not to write them off as harmful and counterproductive.??? Even the most basic preventive actions are crucial best practices, and they???re just a starting point.

The cyberattack epidemic in healthcare

Data from the last decade shows just how damaging breaches can be for institutions and patients alike. According to HIPAA Journal, there were 2,546 healthcare breaches from 2009 to 2018 that exposed over 180,000,000 patient records to attackers, resulting in costly settlements and fines for HIPAA violations. Additionally, figures from the Protenus 2019 Breach Barometer report reveal that in 2018 alone, the healthcare sector saw a whopping 15,085,302 patient records breached???a number that nearly tripled from 2017 to 2018.ツ?

These trends are alarming but important to watch. Our 10th annual State of Software Security (SOSS) report examines trends in various industries, including healthcare, and the data sheds some light on why it???s so crucial for organizations to get a jump on security measures.ツ?

Healthcare Security Rank

We found that healthcare institutions have the highest prevalence of severe flaws at 52 percent and are the slowest to fix said flaws, with a median time-to-remediation (MedianTTR) of 131 days. All this typically contributes to security debt, which accumulates over time as more and more flaws are left uncorrected.

Daunting security debt is a problem that your DevOps team can tackle with the right processes in place, including a steady cadence of scans. Our SOSS report found that those who conduct up to 12 scans per year have a MedianTTR of 68 days, while those who scan more than 260 times per year have a MedianTTR of just 19 days (that???s a substantial 72 percent reduction in remediation time).

Increasing the regularity of your scans can have a lasting impact on security debt. In fact, we found that frequent scanners carry 5x less security debt than sporadic scanners who lack a reliable testing process. The remedy is clear: scanning often and speeding up fix rates to mitigate severe flaws will cause far fewer headaches in the future and, ultimately, prevent downtrends in patient care.

A process-minded prognosis

The good news in this year???s SOSS report is that healthcare institutions have a fix rate of 72 percent, which is decent when compared to other industries. Still, hospitals and healthcare providers must stay on top of application scanning to increase frequency and efficiency, cutting down their MedianTTR.

The solution? Shifting DevSecOps behaviors from reactive to proactive through keener code management and more thorough remediation processes. This entails making sure security programs:

  • Include a trained team of security-minded developers
  • Cover all applications across your health organization
  • Include a frequent and steady scanning cadence
  • Have ample resources developers can tap into for testing and fixes
  • Are adaptable enough to handle shifting landscapes in cybersecurity
  • Are equipped to cover third-party vendors used by the organization

Taking steps towards a well-rounded security program not only bolsters your defense against attacks but also sheds light on wrinkles in your remediation process that need ironing. With these measures in place, if a breach or a cyberattack occurs, your healthcare organization will be better equipped to handle issues with minimal to no impact on patient care.

Learn more about cybersecurity in healthcare

Like what you see? Find more info about the state of cybersecurity for healthcare by downloading our SOSS Volume 10 Industry Snapshot, and then check out the full report to keep a pulse on the shifts in DevSecOps over the last ten years.ツ?