Author Archives: (mmcbee)

Watch Here: How to Build a Successful AppSec Program

Cyberattackers and threat actors won't take a break and wait for you to challenge them with your security efforts; you need a proactive application security (AppSec) program to get ahead of threats and remediate flaws quickly. It's critical that you stand up an AppSec program covering all the bases, from the role each team member will play, to alignment on KPIs and goals, to a detailed application inventory that keeps you on top of your code.

But it isn't enough to simply set ground rules and define your goals; good AppSec programs succeed because they are driven from the top down, with stakeholders committed at the executive level. This maintains accountability and ensures that developers and security professionals are aligned on targets for flaw remediation. Part of that effort involves standing up a Security Champions program, too, enabling your developers to work alongside security and take ownership of securing their code.

If you follow these and other recommendations, your AppSec program should run like a well-oiled machine with the flexibility and security you need to keep creating innovative applications. Watch this video to learn what goes into building a successful AppSec program, and check out the full How-to Series here.


Veracode Makes DevSecOps a Seamless Experience With GitHub Code Scanning

Developers face a bevy of roadblocks in their race to meet tight deadlines, which means they often pull from risky open source libraries and triage security flaws on the fly. In a recent ESG survey report, Modern Application Development Security, we saw that 54% of organizations push vulnerable code just to meet critical deadlines, and while they plan for remediation in a later release, lingering flaws only add to risky security debt. With speed a critical factor in what makes or breaks the success of your application deployments, the health of your code, and your security, is on the line.

GitHub Actions are an intuitive way to solve the need for speed without sacrificing quality, helping your developers stay on schedule by enabling them to build, test, and deploy code directly from GitHub. And with over 50 million developers on GitHub, plus more than 200,000 automated fixes merged into GitHub repositories since May of 2019, it's clear that GitHub is a hotspot for developers. When paired with the right application security (AppSec) scan types and SaaS-based approaches, this integration makes GitHub Actions an invaluable part of your development team's workflow.

That's why we're excited to announce our new GitHub Action to help streamline the AppSec workflow for the developers on your team. The action surfaces its results directly in the native GitHub code scanning user interface, ensuring your DevSecOps practices are seamless, efficient, and effective. By making Veracode's AppSec tools accessible in a familiar interface like GitHub, developers on your team can jump right into secure coding with critical testing and analysis that won't halt projects or slow production down.

The Veracode solution to enhanced workflows

Developers can run Veracode's Static Policy Scan or Pipeline Scan and see the results of that scan within the GitHub Security tab. The ability to invoke Veracode's Static Analysis (SAST) scans from within their own GitHub projects significantly expands the testing capability for developers leveraging GitHub workflows, and allows them to build security into their DevOps processes to scale development across their team.

That's less downtime and fewer bottlenecks for faster innovation. With such a high frequency of commits flowing through GitHub (more than 2,000 direct contributors made commit contributions to TensorFlow alone in 2019), Veracode's multi-scan and SaaS-based solutions mean that our customers have a leg up when it comes to harnessing GitHub Actions for speed and efficiency.

This functionality comes as part of the GitHub code scanning launch, with our GitHub Action available in the GitHub Marketplace. "Veracode is a leader in application security and truly understands the importance of shifting left in the development lifecycle to enable teams to find and fix flaws at scale," says John Leon, VP of Business Development at GitHub. "With software development moving at breakneck speed, this new GitHub Action further enables our joint customers to develop secure software, without compromising speed or quality, all within a familiar interface."

My Code, Our Code, Production Code

Veracode's Static Analysis solution was a natural addition to GitHub's new code scanning feature, as it enables DevSecOps with fast, automated, and actionable security feedback. This feedback is delivered directly to developers in their pipeline through each critical stage: My Code, Our Code, and Production Code.

Working within the GitHub environment, your developers have the control they need. Scan results are converted into GitHub code scanning alerts, and developers receive clear remediation advice to keep their projects moving forward with fewer delays. Once code is at the deployment stage, the Veracode Policy Scan provides a robust assessment of your application code, and an audit trail for compliance to prove your security efforts.
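The conversion step described above, "scan results are converted into GitHub code scanning alerts", works because code scanning ingests the SARIF format: each SARIF result becomes one alert, anchored to a file and line and grouped by rule. The following is an added example written for this page, not Veracode's action or its real results format; the finding records, their severity scale, and the tool name are constructed for illustration.

```python
"""Turn scanner findings into a SARIF 2.1.0 log that GitHub code scanning
ingests and shows as alerts in the Security tab.

Added example: the finding records below use a hypothetical, constructed
shape, not Veracode's real results format."""
import json

# Constructed severity scale (5 = very high .. 0 = informational) mapped to
# the SARIF levels GitHub renders: error, warning, note.
SEVERITY_TO_LEVEL = {5: "error", 4: "error", 3: "warning", 2: "warning",
                     1: "note", 0: "note"}

# Constructed sample findings, as a hypothetical scanner might emit them.
SAMPLE_FINDINGS = [
    {"cwe": 89, "title": "SQL Injection", "severity": 5,
     "file": "src/app/db.py", "line": 42,
     "message": "User input reaches an SQL query without parameterisation."},
    {"cwe": 79, "title": "Cross-Site Scripting", "severity": 3,
     "file": "src/app/views.py", "line": 17,
     "message": "Untrusted data is written to the HTTP response unescaped."},
    {"cwe": 89, "title": "SQL Injection", "severity": 5,
     "file": "src/app/reports.py", "line": 120,
     "message": "User input reaches an SQL query without parameterisation."},
]


def findings_to_sarif(findings, tool_name="example-sast", tool_version="0.1"):
    """Build one SARIF run: one rule per distinct CWE, one result per finding.
    GitHub creates one code scanning alert per result and groups them by ruleId."""
    rules = {}
    results = []
    for f in findings:
        rule_id = f"CWE-{f['cwe']}"
        level = SEVERITY_TO_LEVEL[f["severity"]]
        # Each ruleId must appear exactly once in tool.driver.rules.
        rules.setdefault(rule_id, {
            "id": rule_id,
            "shortDescription": {"text": f["title"]},
            "defaultConfiguration": {"level": level},
            "properties": {"tags": ["security", f"external/cwe/cwe-{f['cwe']}"]},
        })
        results.append({
            "ruleId": rule_id,
            "level": level,
            "message": {"text": f["message"]},
            "locations": [{"physicalLocation": {
                # Repository-relative path; GitHub anchors the alert to this line.
                "artifactLocation": {"uri": f["file"], "uriBaseId": "%SRCROOT%"},
                "region": {"startLine": f["line"]},
            }}],
            # A stable fingerprint lets GitHub match the same alert across rescans
            # instead of closing and reopening it on every run.
            "partialFingerprints": {
                "primaryLocationLineHash": f"{rule_id}:{f['file']}:{f['line']}"},
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version,
                                 "rules": list(rules.values())}},
            "results": results,
        }],
    }


def alerts_by_level(sarif):
    """Summarise the log the way the Security tab does: alert count per level."""
    counts = {}
    for result in sarif["runs"][0]["results"]:
        counts[result["level"]] = counts.get(result["level"], 0) + 1
    return counts


if __name__ == "__main__":
    log = findings_to_sarif(SAMPLE_FINDINGS)
    print(json.dumps(log, indent=2))
    print(alerts_by_level(log))  # {'error': 2, 'warning': 1}
```

In a workflow, the JSON this produces is saved to a file and handed to the standard `github/codeql-action/upload-sarif` step (its `sarif_file` input), with `security-events: write` granted to the job; that is what makes the results appear as alerts under the Security tab. The `partialFingerprints` entry matters in practice: without a stable fingerprint, a finding that moves by a few lines after an unrelated commit shows up as a new alert and the old one is closed, which skews any remediation metrics built on alert history.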

Veracode scan results (drawn from more than 15 trillion lines of code scanned to date) are highly accurate as a result of the intelligence of our SaaS platform, meaning there's no need for manual tuning when you need to adjust course. Ready to scale your DevSecOps initiatives for efficiency? Visit the GitHub Marketplace to get started.

Watch Here: Using Analytics to Measure AppSec ROI

Maximizing the value of your application security (AppSec) analytics not only provides a window into whether or not you're meeting security requirements, it also helps you prove your ROI. That can be a challenge for a lot of organizations: when stakeholders are not close to the data, they may miss milestones such as hitting goals for reducing security debt, or how much the AppSec program has matured according to the data.

In this episode of our How-To Series, Anne Nielsen, Principal Product Manager at Veracode, breaks down the ways analytics can help you and your team move your AppSec program forward with data-driven insights. Those insights demonstrate your everyday security efforts to stakeholders and help you see where your security procedures may need a boost, which makes them mission-critical to your AppSec success.

Like in any industry, analytics in AppSec are critical to demonstrating progress and ensuring that your organization's stakeholders keep the budget alive for critical AppSec tools and solutions. Veracode Analytics are presented in data visualizations and pre-built dashboards so that management and your team members have a clear picture of the results and can use them to guide future investments.

Your AppSec program doesn't have to fail because you don't have the right data, or because you're not looking at your data in the right way and properly assessing your findings to remediate the right flaws. Watch this video to learn about Veracode Analytics and measuring your AppSec ROI, including what that means for the health of your security program, and check out the full How-to Series here.


16% of Orgs Require Developers to Self-Educate on Security

Theoretical physicist Stephen Hawking was spot on when he said, "Whether you want to uncover the secrets of the universe, or you just want to pursue a career in the 21st century, basic computer programming is an essential skill to learn." It's no secret that programming is a thriving career path, especially with the speed of software development picking up, not slowing down.

But one critical element of modern programming is missing from Hawking's quote: security. Developers simply aren't taught secure coding practices in school, and so often graduate without the foundational security knowledge required to find and fix flaws before they're a problem. At the same time, now more than ever, you're expected to code with security top of mind and produce more secure applications, without continuous training opportunities at your fingertips.

Secure coding conundrum: Spotty developer training

Recently, we sponsored Enterprise Strategy Group's (ESG) survey of 378 North American developers and security professionals to gain more insight into the trends in modern application security (AppSec). The results? Developer training is spotty, and it's often unclear who holds the responsibility for seeing it through.

"While most [organizations] provide developers with some level of security training, more than 50 percent only do so annually or less often." The report continues, "While development managers are often responsible for this training, in many organizations, application security analysts carry the burden of performing remedial training for development teams or individual developers who have a track record of introducing too many security issues."

Chart: Developers participating in formal security training

There's a clear disconnect between frequency and educational requirements when it comes to developer training, which leaves most programmers lacking opportunities to learn and grow. Breaking the data down, we see that a mere 15 percent of organizations have the majority of their developers participate in consistent, formal security training.

Chart: Security training requirements

Even more telling about the state of developer education were the numbers on security training requirements for programmers. For example, 16 percent of organizations say developers are expected to self-educate, while 20 percent only provide training to new developers who join their teams.

If organizations aren't putting in the effort to expand security know-how, you might (rightfully) see it as a fruitless exercise. Luckily, changing that narrative is often as simple as integrating developer training tools that are clear, engaging, and provide value.

Education that resonates: the right content in the right format

ESG lists the ten elements of the most effective application security programs, and it's no surprise that number five is all about developer participation in security training. While the need is obvious, it's clear that many organizations still struggle with how to implement developer education, and with which exercises will even resonate.

As detailed by ESG, security vendors can provide guidance through just-in-time training offerings or remediation advice, but at the end of the day the responsibility still falls on the plate of the developer. Without the right kind of content offered in the right format, it's more difficult to retain the information you need to code more securely. "Issue mitigation is often tied to better understanding how and why certain code introduces issues, so developer security training should gradually address this issue," ESG states.

If you want to produce more secure code and reduce risk, it's no longer enough to simply sit down in front of a tutorial or a multiple-choice quiz and check boxes. The solution? Hands-on secure coding education that takes learning to another level. Real-world training solutions like Veracode Security Labs use actual examples of the code you'll encounter while coding, and that means the lessons are more likely to stick with you from project to project. Veracode Security Labs is different from other training tools, bringing benefits like:

  • Quick and relevant remediation guidance in the popular programming languages
  • Real-world vulnerabilities that you???ll encounter in day-to-day development tasks
  • Enhanced security knowledge to meet compliance needs and build confidence

And while we offer an Enterprise Edition for organizations, we also recently launched Veracode Security Labs Community Edition for developers who are itching to explore the ins and outs of real code on their own time, for free, so that you can start learning secure coding practices and become an active contributor to your organization's AppSec.

Want more info about shifting your security knowledge left so you can keep cranking out great code? Read the full ESG report here.

43% of Orgs Think DevOps Integration Is Critical to AppSec Success

It's no secret that the rapid speed of modern software development means an increased likelihood of risky flaws and vulnerabilities in your code. Developers are working fast to hit tight deadlines and create innovative applications, but without the right security solutions integrated into your processes, it's easy to hit security roadblocks or let flaws slip through the cracks.

We recently dug through the ESG survey report, Modern Application Development Security, which uncovers some interesting data about the state of DevOps integration in the modern software development process. As the report states, DevOps integration is critical for improving your organization's application security (AppSec) program, as automating and integrating solutions removes some of the manual work that can slow teams down and moves security testing into critical parts of the development process.

"DevOps integration reduces friction and shifts security further left, helping organizations identify security issues sooner," the report says. "While developer education and improved tools and processes will no doubt also improve programs, automation is central to modern application development practices."

Chart: Level of DevOps and AppSec Integration

According to the survey results, nearly half of organizations agree; 43 percent believe that DevOps integration is the most important piece of the puzzle for improving their AppSec programs. The report also outlines 10 elements of the most successful AppSec programs, and topping that list is ensuring that your AppSec controls are highly integrated into the CI/CD toolchain.

Integration challenges

For some survey respondents, that's easier said than done. Nearly a quarter (23 percent) said that one of their top challenges with current AppSec testing solutions is poor integration with existing development and DevOps tools, while 26 percent said they experience difficulty with, or a lack of, integration between different AppSec vendor tools.

AppSec tool proliferation is a problem too, with a sizeable 72 percent of organizations using more than 10 tools to test the security of their code. ???Many organizations are employing so many tools that they are struggling to integrate and manage them. This all too often results in a reduction in the effectiveness of the program and directs an inordinate amount of resources to managing tools,??? they explain further.

So where should organizations like yours start? By selecting a vendor with a comprehensive offering of security solutions that integrate with one another, to help you cover those bases and consolidate solutions while reducing complexity. That's where Veracode shines. We bring the security tests and training tools you need together into one suite so that you can consolidate and keep innovating, securely. And your organization can scale at a lower cost, too: our range of integrations and Veracode solutions are delivered through the cloud for less downtime and more efficiency.

Simplifying AppSec

We aim to simplify your AppSec program by combining five key analysis types in one solution, all integrated into your development process. From "my code," to "our code," to "production code," we have you covered with Static Analysis (SAST), Dynamic Analysis (DAST), Software Composition Analysis (SCA), Interactive AppSec Testing (IAST), and Manual Penetration Testing (MPT).

Chart: My Code, Our Code, Production Code

Automating SAST, DAST, and SCA in the pipeline means that you can incorporate testing without needing to wait for your security team to step in, fixing flaws the moment you spot them to keep projects moving forward quickly. In fact, by building and integrating security testing into their CI/CD pipeline, we know that some development teams have reduced their median time to remediation (MTTR) by a whopping 90 percent, driving down risk and freeing up valuable time.

Want to learn more about integrating AppSec into the development process? Check out this short demo video of Veracode Static Analysis.


How 80% of Orgs Can Overcome a Lack of Training for Developers

Developer security training is more critical than ever, but data shows us that the industry isn't taking it quite as seriously as it should. A recent ESG survey report, Modern Application Development Security, highlights the glaring gaps in effective developer security training. In the report, we learned that only 20 percent of surveyed organizations offer security training to new developers who join their company, and 35 percent say that less than half of their developers even participate in formal training to begin with.

More troublesome, less than half of organizations surveyed for the report require developers to participate in formal training more than once a year. While robust application security (AppSec) tools and solutions help developers learn as they code and get ahead of flaws before deployment, the need to continually remediate only slows teams down and bottlenecks innovation. So how can you get ahead of it? Consistent, engaging training that sticks.

Paired with the right scanning and testing tools, training solutions that go beyond checking boxes and watching tutorials are an effective way to embed the knowledge needed to write more secure code. That means less time spent fixing flaws and more time flexing creative muscles to improve your organization's digital footprint.

Training techniques that count

Recently, Forrester Research published its Now Tech: Static Application Security Testing, Q3 2020, an overview of Static Application Security Testing (SAST) providers and the various benefits companies can realize with SAST. The report also discusses how SAST can integrate with developer solutions to improve engagement and knowledge, and calls out the important role SAST plays in tandem with hands-on learning tools to reduce remediation time, enhance predictability, and teach developers about modern secure coding practices.

The Forrester report notes that firms that integrate SAST into their software development lifecycle (SDLC) will see an array of benefits, one of which is developer education. With fast feedback in the IDE and pipeline, Veracode Static Analysis provides clear and actionable guidance on which flaws you should be fixing, and how you can fix them faster to improve efficiency.

SAST is undoubtedly a critical piece of the puzzle for closing knowledge gaps, but as Forrester's report points out, it shouldn't be viewed as a standalone tool. To drive engagement and adoption, managers leading this effort should integrate their SAST solution with engaging security training for developers to achieve a well-rounded AppSec program that developers want to participate in.

A Veracode Security Labs solution

At Veracode, we think outside the box when it comes to developer training. Veracode Security Labs closes a lot of gaps for developers looking to get a handle on modern threats and improve efficiency.

It uses real applications in contained, hands-on environments that users can practice exploiting and patching. There's even a Community Edition, a forever-free version that offers some of the same Enterprise-grade tools to any developer interested in improving security knowledge on their own.

Level up without burning out on boring lessons. Veracode Security Labs brings real-world examples into the mix to build muscle memory, which means fewer flaws to fix and an easier path to compliance certifications. Engaging and customizable, there are even creative ways to gamify training with Veracode Security Labs through Capture the Flag (CTF) events and coding contests.

The "Top Secure Coder" crown

To highlight the efficacy of hands-on developer training, we recently held a "Top Secure Coder" challenge at Black Hat USA's 2020 virtual event, where participants competed by completing Veracode Security Labs challenges. The results were exciting: over 330 people filled out participant application forms, most of whom then attempted to climb the leaderboard and contend for the top prize.

Chart: Black Hat Top Coder Contest

While participants racked up points by completing labs over the course of the Black Hat 2020 conference, two competitors, who happened to be coworkers at a Veracode customer, skyrocketed up the leaderboard. After several lead changes through the competition, it came down to a tie at 310 points, but user "th3jiv3r" completed the labs a few seconds faster than "turtl3fac3", which served as the tiebreaker on the leaderboard.

While this friendly challenge made for an entertaining race for all of us, it also shows that when there is a fun competition on the line, teams will push harder than they normally might on their own. Engaging developer training works, and when it uses real-world application coding examples, that knowledge sticks.

Think you have what it takes? If you missed out on our first "Top Secure Coder" challenge, we're bringing it back and hosting another virtual competition during DevOps World that you won't want to miss.

Register for the conference to see us at DevOps World 2020 and join our next "Top Secure Coder" challenge to start improving your security skills.

Breaking Down Risky Open Source Libraries by Language

You work hard to produce quality applications on tight deadlines, and like every other development team out there, that often means relying on open source code to keep projects on track. Having access to plug-and-go code is invaluable when you're racing the clock, but the accessibility of open source libraries comes with a caveat: increased risk.

In our recent report, State of Software Security: Open Source Edition, we examined the security of open source libraries by studying data from 85,000 applications, including 351,000 unique external libraries. From the data, we evaluated the prevalence of flaws in open source libraries as well as how vulnerable they are, gaining insight into the risk you might carry when you use open source code in your software development process.

While we found that a sizeable 70.5 percent of the applications had an open source flaw on initial scan, some of the most interesting drill-down data came from examining flaws in the top 50 open source libraries broken down by language. The results, highlighted in an interactive infographic, were eye-opening about a few languages in particular.

Languages to keep an eye on

As an example, JavaScript had more libraries in use than any other language, and a handful stood out as containing risky flaws. In the charts below, taken from our interactive infographic, which you can view in full here, the lighter blue dots represent libraries that have some flawed versions in use, and their placement is relative to the percentage of applications that each specific library is used within. The largest light blue dot, hovering around 88 percent, represents Lodash, with 401 versions of that library containing a flaw; something to keep in mind when using Lodash in your code.


PHP also raised some alarms as we dug into the data. We found that including any given PHP library in your code increases the chance of introducing a security flaw along with that library by more than 50 percent.

The flaws it carries are dangerous, too. We found that more than 40 percent of PHP libraries contained Cross-Site Scripting (XSS) flaws, with Authentication and Broken Access Control vulnerabilities close behind. And as you can see in the chart below, the light blue dot towards the right of the scale represents PHPUnit as a flaw offender, with about 63 versions containing a flaw.


One of the more colorful charts in our data represents Ruby, where we uncovered three libraries with versions in use that are known to have been exploited. Those three libraries are:

  • Rails: Used in 47 percent of applications written in Ruby, with 337 versions containing a flaw and 133 versions exploited.
  • Action Pack: Used in 49 percent of applications written in Ruby, with 343 versions containing a flaw and 85 versions exploited.
  • Active Support: Used in 66 percent of applications written in Ruby, with 235 versions containing a flaw and 117 versions exploited in the wild.


We found that over one-fifth of open source libraries have public proof-of-concept (PoC) exploits, which many organizations use to prioritize remediation. Alongside PHP, Ruby has a noticeable number of public PoC exploits for some versions in use, such as Nokogiri with 24 versions, and Rack with 25 versions.

The bottom line is that it's important to stay on top of the security of your code, including snippets you didn't write from scratch. Software Composition Analysis (SCA) will help you identify vulnerabilities in open source libraries, while also providing recommendations on version updates so that you can find and fix flaws in your open source code before they become a problem.
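The core of the SCA check just described is a version-range comparison: read the exact library versions a project declares, test each against the affected range of every advisory for that library, and report the first fixed version to move to. The following is an added example written for this page, not Veracode's SCA engine. The package.json and Gemfile.lock snippets, the advisory table, its version ranges, and the EXAMPLE-* identifiers are all constructed for illustration (the library names match the languages discussed above, but these entries are placeholders, not real advisories; a real tool would pull its ranges from a feed such as OSV or the GitHub Advisory Database).

```python
"""Minimal software composition analysis (SCA) check: read the libraries a
project declares, compare each version against an advisory table, and
recommend the first fixed version.

Added example, not Veracode's SCA engine. The manifests and the advisory
entries are constructed for illustration; the EXAMPLE-* ids are placeholders,
not real advisories."""
import json
import re

# Constructed advisory table: library -> affected ranges.
# "introduced" is inclusive (None = every earlier version), "fixed" is exclusive.
ADVISORIES = {
    "lodash": [{"id": "EXAMPLE-0001", "introduced": None, "fixed": "4.17.20"}],
    "rails": [{"id": "EXAMPLE-0002", "introduced": "5.2.0", "fixed": "5.2.4.3"},
              {"id": "EXAMPLE-0002", "introduced": "6.0.0", "fixed": "6.0.3.1"}],
    "actionpack": [{"id": "EXAMPLE-0003", "introduced": "6.0.0", "fixed": "6.0.3.1"}],
    "nokogiri": [{"id": "EXAMPLE-0004", "introduced": None, "fixed": "1.10.8"}],
}

# Constructed manifests standing in for a real package.json and Gemfile.lock.
SAMPLE_PACKAGE_JSON = """{
  "name": "example-app",
  "dependencies": {"lodash": "^4.17.15", "express": "4.17.1"}
}"""

SAMPLE_GEMFILE_LOCK = """GEM
  remote: https://rubygems.org/
  specs:
    actionpack (6.0.3)
    activesupport (6.0.3)
    nokogiri (1.10.9)
    rails (6.0.3)
"""


def parse_version(text):
    """'4.17.20' or '5.2.4.3' -> tuple of ints. A pre-release or build suffix
    such as '-beta1' is dropped, which is good enough for this example."""
    core = re.split(r"[-+]", text, maxsplit=1)[0]
    return tuple(int(part) for part in core.split("."))


def version_lt(a, b):
    """Compare version tuples of unequal length by right-padding with zeros,
    so 6.0.3 < 6.0.3.1 and 4.17.20 == 4.17.20.0."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def deps_from_package_json(text):
    """Direct dependencies from package.json. Range operators (^, ~, >=) are
    stripped so the declared floor is checked; a lockfile gives the exact
    resolved version and should be preferred when available."""
    data = json.loads(text)
    return {name: re.sub(r"^[\^~>=<\s]+", "", spec)
            for name, spec in data.get("dependencies", {}).items()}


def deps_from_gemfile_lock(text):
    """Gems from the `specs:` block of a Gemfile.lock: four-space indented
    'name (version)' lines (six-space lines are transitive requirements)."""
    deps = {}
    for line in text.splitlines():
        match = re.match(r"^ {4}(\S+) \(([\d.]+)\)$", line)
        if match:
            deps[match.group(1)] = match.group(2)
    return deps


def find_vulnerable(deps, advisories=ADVISORIES):
    """Return one record per (library, advisory) hit, with the fixed version
    to upgrade to; unaffected libraries are omitted."""
    hits = []
    for name, version in sorted(deps.items()):
        current = parse_version(version)
        for adv in advisories.get(name, []):
            above_floor = (adv["introduced"] is None
                           or not version_lt(current, parse_version(adv["introduced"])))
            below_fix = version_lt(current, parse_version(adv["fixed"]))
            if above_floor and below_fix:
                hits.append({"library": name, "version": version,
                             "advisory": adv["id"], "upgrade_to": adv["fixed"]})
    return hits


def scan_all():
    """Run both constructed manifests through the check."""
    deps = {}
    deps.update(deps_from_package_json(SAMPLE_PACKAGE_JSON))
    deps.update(deps_from_gemfile_lock(SAMPLE_GEMFILE_LOCK))
    return find_vulnerable(deps)


if __name__ == "__main__":
    for hit in scan_all():
        print(f"{hit['library']} {hit['version']}: {hit['advisory']}, "
              f"upgrade to {hit['upgrade_to']}")
```

Two details in the comparison carry most of the real-world weight. Ranges have a floor as well as a fix version (a flaw introduced in 6.0.0 does not affect a 5.2.x line that never had the code), so a single "less than fixed" test over-reports; and four-part versions such as 6.0.3.1 must sort after 6.0.3, which plain string comparison and naive tuple comparison both get wrong. Feeding the check a lockfile rather than a manifest range is what makes the result trustworthy: `^4.17.15` in package.json says nothing about which version is actually installed.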

Check out the full infographic to see the rest of the data on the top 50 open source libraries broken down by language, and read the full report here to gain more insight.

Man vs. Machine: Three-Part Virtual Series on the Human Element of AppSec

In 2011, when IBM's Watson supercomputer went up against "Jeopardy" icon Ken Jennings, the world watched as a battle of man vs. machine concluded in an impressive win for Watson. It wasn't simply remarkable that Watson could complete calculations and source documents quickly; the real feat was the brainpower it took to create fine-tuned software with the ability to comprehend questions contextually and think like a human.

But Watson wasn't without fault, struggling to understand some "Jeopardy" categories that were a little too specific and reminding us that human beings still play a critical role in the successes (or failures) of modern technology. In application security (AppSec), there is no single set-it-and-forget-it solution that will ensure the health and fortitude of your code. Like Watson, the software can't operate to its fullest potential without the right brainpower behind it, requiring thoughtful minds to understand where solutions plug in and to check code in ways that software cannot.

The human element of ingenuity

Automation in AppSec testing tools is a prime example. It plays a critical role in scaling security operations and scanning for vulnerabilities to find them before they become expensive headaches. While that undoubtedly boosts efficiency and speed in the background, there's a human element of ingenuity and adaptability that you can't ignore: cyberattackers. They pivot quickly to crack your code whether you automate or not, which means your developers and security professionals need to be just as agile and close knowledge gaps to stay one step ahead as they leverage the right testing tools in the background.

And while having a full range of scanning solutions integrated into your software development process will help you find and fix common flaws, Manual Penetration Testing (MPT) is crucial for uncovering categories of vulnerabilities, like business logic flaws, that software can't find on its own. The bottom line: man and machine need to work together in AppSec, because like Watson, it takes a village of brainpower to come out on top.

There's a lot to explore in the realm of man vs. machine, which is why we're excited to partner with HackerOne for upcoming virtual events that uncover the ways you can work with technology, not against it. In this three-part series, we're delving into topics like crowdsourced testing and automation to examine how you can strike the balance between capable software solutions and human-powered security. Here's the lineup:

Part One | Man with Machine: Adapting SDLC for DevSecOps

To keep pace with modern software development, DevOps must work continuously to deliver applications to various infrastructure environments, automatically pushing code changes as they arise. Traditional security practices bog down development, frustrating development teams and causing unnecessary friction. This talk will cover the ways development and security teams can work together with automation and human-powered security at the speed of innovation. Join Veracode's Chris Kirsch and Chris Wysopal as they chat with HackerOne's CTO and Co-Founder Alex Rice to learn:

  • How security and development teams can partner to create a continuous feedback loop without hampering innovation.
  • How security becomes a competitive advantage through balancing speed with risk.
  • How to engage a diverse and creative pool of talent not available in traditional firms to test business-critical applications.

When: August 19th at 1:00 PM ET. Register here.

Part Two | Hacking Remote: Leveraging Automation and Crowdsourced Testing to Secure Your Enterprise

As the world reacts to a global pandemic and the work-from-home model becomes the norm, people are more broadly distributed, and applications, systems, and infrastructures are more vulnerable than ever as a result. In this talk, we'll discuss the undue strain put on security teams and delve into how leveraging automation and crowdsourced security testing allows your enterprise to scale security to accommodate its newly dispersed workforce. Join HackerOne's Director of Product Marketing April Rassa and Director of Product Miju Han, along with Veracode's Brittany O'Shea, to learn:

  • How to implement a security program with the scale necessary to cover a growing attack surface.
  • How to operate security at scale while reducing costs and removing the need for expensive headcount.
  • Trends and insights into the vulnerabilities impacting companies during a time of increased digital connectivity.

When: August 26th at 1:00 PM ET. Register here.

Part Three | Who Will Win the Fight of Automation?

In this talk, security leaders from Veracode and HackerOne will debate the unique values man and machine bring and discuss why companies need a complete security strategy that takes into account both the strengths of scale and speed technology can provide and the need for creative skills and adaptability only humans can bring. Join this talk with Tanner Emek and Johnny Nipper, two hackers from HackerOne, along with Veracode's Ryan O'Boyle, to learn:

  • The differences in vulnerabilities found by hackers vs. automated tools.
  • Suggestions for augmenting existing security best practices with a human touch.
  • When to choose between automation and human-powered security for your organization.

When: September 2nd at 1:00 PM ET. Register here.

Armed with the right knowledge and tools, creating a well-rounded AppSec program that relies on both technology and human brainpower isn't as daunting as it may seem. Join these virtual sessions by registering to gain more insight into the ways man and machine can work with, not against, each other on the journey to enhanced security. We hope to see you there!


What Does it Take to be a Rockstar Developer?

If there's one thing you need to value as you move through your career as a modern software developer, it's the importance of security. With application layers increasing and the shift-left movement bringing security into the picture earlier in the development process, security should be top of mind for every developer working to write and ship successful code.

But many developers leave school without the security knowledge they need to write secure code, something nearly 80 percent of developers from our DevSecOps Global Skills Survey can attest to. As with any profession, there's always room to learn and grow on the job, especially in software development where projects move at the speed of "I need that fixed yesterday." To be a rockstar developer in today's world, you have to be fast to fix flaws, smart about your prioritization, and quick to release secure software your customers can count on.

For most organizations, hitting tight deployment deadlines without compromising security means shifting scans left in the software development lifecycle (SDLC) by integrating security into the IDE with fast feedback that helps developers learn as they write their code. It also involves bolstering development team members who are passionate about the health of their code and focusing on educating the entire organization about the importance of security.

Treating security as an afterthought is no longer an option, and as a dynamic developer, it's something you can help change. Shifting security left lessens the risk of needing to fix found flaws down the road (which can cost your business a pretty penny). But there's a lot that can be done, both by developers and security leadership, to trickle knowledge down and bridge the gap that so often leaves team members siloed.

Whether you're just starting out as a more junior-level developer or you're wondering how you can take your established career to the next level, there are eight key things that you can do to enhance your security skills, from hands-on learning courses to thinking like an attacker and becoming a security champion on your team. Read on:

By arming yourself with the knowledge you need to write more secure code and becoming a security champion, you'll be a more dynamic developer who can help facilitate coding and scanning needs during production, and you'll stand out as a leader on your team who takes the health of your applications seriously.

Ready to help your organization shift left by unifying security and development? Browse the developer resources section of the Veracode Community to gain more insight into secure coding and help improve your organization's application security by becoming a rockstar developer.

New Forrester Report: Build a Developer Security Champions Program

We know firsthand how critical it is for developers and security professionals to have a great working relationship. That extends beyond simply communicating well; for your DevSecOps program to come together so that you can secure your applications, you need to break down silos and improve security knowledge across the board.

Recently, Forrester published a report on this very topic that digs into the challenges organizations like yours face when standing up programs to support security and developer needs. The report, "Build A Developer Security Champions Program," lays the groundwork for standing up a successful program that lasts and improves the health of your application security (AppSec). Key takeaways from the report highlight:

  • The importance of embedding AppSec where developers need it most
  • The need for executive sponsorship and funding for your program
  • Five critical steps to consider when building a program

And according to Forrester, those five steps (which cover everything from making the case to stakeholders to training your champions and showing support when they improve their skills) are critical to launching an effective security champions program.

Security champions: defined

In the report, Forrester defines security champions as follows: "Extended members of the security team that work in various roles across the organization that translate security-speak into a language that everyone can understand." It's about empowering your developers to become the influencers on their teams, closing information gaps, and escalating issues or concerns to the right people, at the right time.

With an established program in place that has the right tools, solutions, and resources plugged into the right processes, you???ll have an easier time scaling security knowledge within your organization. As Forrester points out, developers in well-rounded security champions programs may even go on to become great security leaders of their own down the road.

Your security team will then have a bridge in place to work directly with developers on prioritizing which flaws to remediate, furthering education on both sides of the aisle, offering more support, and measuring effectiveness.

That has a domino effect: efforts like remediation prioritization can help your developers cut down the risk of security debt by catching and remediating high-severity flaws. It's especially impactful when you integrate hands-on training tools like Veracode Security Labs that equip developers to tackle modern threats impacting their code.

Want to learn more about setting up a security champions program of your own? Read the full report from Forrester here.

Quality Conundrum: Relying on QA Tools Alone Increases Risk

Quality assurance, or QA, is one of the go-to solutions for organizations looking to enhance their application security (AppSec). But QA tools alone don't provide enough coverage, and they can give your team a false sense of security that comes back to haunt you during audits, or worse: after a breach. QA tools are only the tip of the iceberg when it comes to flagging and remediating flaws that leave your applications vulnerable to attacks.

Why doesn't QA deliver what you need without requiring more scanning, testing, and remediation solutions? Solutions that are sold solo are often lower quality and lack essential features. For example, some QA tools don't scan for cryptographic flaws or offer backdoor checks, leaving your code vulnerable to common vulnerabilities and bugs.

And some QA tools have higher than average false-positive rates, which can create unnecessary bottlenecks in the development process, especially if you're only using a QA tool. Veracode's false positive rate for Static Analysis is an industry-leading 1.1 percent, which helps our customers speed up their DevSecOps programs by not holding them back with false alarms.

Software engineer and author Steve Maguire said it best: "Don't fix bugs later; fix them now." Organizations looking to up their security game should focus on speed, accessibility, efficiency, and breadth of security coverage, with customization and automation available to tailor AppSec programs to specific business needs. That means less time spent fixing found flaws closer to (or after) deployment, which QA can't (and shouldn't) do alone.

Covering your bases with the right solutions

Beating the quality conundrum is all about having the right tools in the right place, and QA simply can't cover all the bases when it comes to security.

Effective AppSec tools go beyond simply assessing the severity of vulnerabilities and provide clear guidance on how to fix said flaws with remediation tips and training. Putting in the effort sooner rather than later will save time (and money) as risk is lowered closer to deployment with frequent scanning and education earlier on.

QA tools don't hold up well against the Common Weakness Enumeration (CWE) categories that catalog software weaknesses and vulnerabilities. When examining a leading competitor, we found that over half of the CWEs found by Veracode were missed by the competition's QA tool, and that a mere 5 percent of the QA tool's rules even covered vulnerabilities. That, coupled with higher than average false-positive rates, means development and security teams will either miss dangerous flaws or spend an excessive amount of time digging through false flags if they rely on QA tools alone.

A quick and comprehensive assessment

We know that some QA tools rely on "Security Hotspots" when they lack true vulnerability-checking capabilities. "Security Hotspots," or code areas that have a higher likelihood of containing security flaws, are important to acknowledge, but QA tools simply don't test the code to see if it actually contains a security bug or vulnerability. To maintain greater control over the security health of your applications, you need solutions that detect vulnerabilities throughout the development process quickly and efficiently with a clear path to remediation.

Effective application security goes beyond QA to provide a comprehensive assessment of the application's landscape and the risks it brings to the table. Veracode's testing types cover the entire SDLC, with features like automated feedback that speed developers up instead of slowing them down. The proof is in the numbers: Veracode's IDE Scan provides feedback instantly, while the Pipeline Scan takes about 90 seconds and the Policy Scan about 8 minutes on average.

Solutions that satisfy compliance

It isn't enough to just have capable tools in your arsenal; you need to be able to prove that they're working. Some of that proof falls on auditing and compliance needs, which is another area where QA solutions simply fall short. These tools rely on the developers themselves to mark issues and flaws as "reviewed" and then close them with little to no supervision.

As auditors typically want independent verification of results, that won't do for most organizations. Veracode's low false-positive rate, coupled with internal workflows involving security checks, takes a lot of the guessing (and risk) out of the review process.

Reporting is another essential feature for application security solutions, as it helps security teams set clear goals and developers stay on track with remediation guidance so the whole team can maintain compliance. If your QA tool doesn't deliver clear reports on high-severity vulnerabilities and bugs, your team will miss out on retrospective data that can help guide future security decisions.

QA solutions may provide some peace of mind, but they don't go the extra mile in helping developers remediate flaws and reduce risk, and they can introduce higher rates of false positives that slow everything down. Instead, look for an AppSec solution that integrates seamlessly, works quickly, provides accurate results, and guides developers towards remediation. If you do, you're leaving less room for risk and more room for innovation as your development and security teams focus on producing quality code.

To learn more, watch a short demo video of the Veracode solution.

State of Software Security: Open Source Edition – Key Takeaways for Developers

The popularity of open source libraries isn't dwindling anytime soon. They're critical for developer functionality, allowing teams of developers like yours to work faster so they can meet the tight deadlines they face on the regular.

But some developers may not fully understand the risks that come from using open source libraries, risks like those we documented in State of Software Security: Open Source Edition. We took a look at open source libraries and studied reports from 85,000 applications, which included 351,000 unique external libraries. The guide, which delves into the prevalence of open source libraries and how vulnerable they are, sheds light on just how much risk is carried in open source code. Here are some key takeaways.

PHP is a problem

When we broke down the data, we found that the languages with the most open source risk include JavaScript, Ruby, and PHP, with PHP taking the cake in most instances. In fact, the numbers highlighted a glaring problem with this programming language: when you include any given PHP library, the chance of introducing a security flaw along with that library is greater than 50 percent.

Figure: PHP Flaw Rates

And when it comes to the most worrisome vulnerabilities, PHP still stands out. We found that nearly half (more than 40 percent) of PHP libraries had Cross-Site Scripting (XSS) flaws, and that Authentication and Broken Access Control vulnerabilities trailed closely behind.

We also examined how organizations prioritize the remediation of their flaws based on the availability of public proof-of-concept (PoC) exploits, and we found that over one-fifth of open source libraries have such an exploit. PHP once again stole the spotlight as the top offender, with 27 percent of flawed PHP libraries showing published exploit code. While we can't say for sure why these numbers are higher, this may be due to the usage of PHP in web server applications, which is a focus for cyberattackers.

Most flaws are from transitive dependencies

It was important that we peeled back the layers to look at risk-laden facets of open source libraries that are not always obvious to developers on your team. Enter transitive dependencies. While not explicitly introduced during the coding process, these dependencies are often carried over by components within open source libraries and can come with hidden debt that increases workload (as well as costs) down the road.

Our data showed that 71 percent of applications have a vulnerability in an open source library upon initial scan, with 47 percent of the flaws being transitive. PHP and Ruby are top offenders within applications that have transitive dependencies, though JavaScript takes the lead at 87 percent. The numbers are concerning, especially considering that flawed libraries are used more often than unflawed libraries, and transitive dependencies are common.

This presents a problem: the further removed these dependencies are from the creation of the original code, the harder it is to manage them and know how to fix flaws quickly. Additionally, because of the hidden nature of transitive dependencies, large attack surfaces on applications can catch you off guard.

Most flaws can be fixed with a simple update

There's good news, too. When it comes to reducing the security risks of open source libraries, our data shows that almost 75 percent of known flaws are fixable. Even better, they're usually fixable by updating the code with minor revisions or patches, which won't disrupt a developer's busy schedule too much.

Figure: Percent of Flaws with Available Fixes

Languages in top OWASP categories delivered reassuring results too: almost 90 percent of Broken Access Control vulnerabilities (the second most common flaw in applications with PoC exploits) are fixable with a published update. We found the same for Cross-Site Scripting at nearly 90 percent, and Broken Authentication came out on top at 96 percent of flaws with available fixes for you and your team to implement.
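The three findings above (prioritizing by public PoC availability, the share of flaws that enter through transitive dependencies, and how many flaws are fixable with a minor update) can be worked through on a small dependency graph. The Python below is an added example and is not part of the report or of Veracode's own SCA tooling: the package names, versions and vulnerability records are constructed for illustration, and the "minor vs. major update" rule is a simplification that looks only at the leading version component.

```python
"""Triage open source library flaws: direct vs. transitive, fix availability,
and a simple remediation ordering. All data below is constructed sample data."""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed dependency graph: {package: {dependency, ...}}. "app" is the
# application root; everything it lists directly is a direct dependency.
DEPENDENCY_GRAPH: Dict[str, Set[str]] = {
    "app": {"webframework", "markdown-render"},
    "webframework": {"template-engine", "http-parser"},
    "template-engine": {"html-escape"},
    "markdown-render": {"html-escape"},
    "http-parser": set(),
    "html-escape": set(),
}

# Constructed installed versions (hypothetical packages).
INSTALLED = {
    "webframework": "2.3.0",
    "markdown-render": "1.0.4",
    "template-engine": "4.1.2",
    "http-parser": "0.9.1",
    "html-escape": "1.2.0",
}


@dataclass(frozen=True)
class Flaw:
    library: str
    category: str            # e.g. "XSS", "Broken Access Control"
    severity: int            # 1 (low) .. 5 (very high)
    public_poc: bool         # a public proof-of-concept exploit exists
    fixed_in: Optional[str]  # first version carrying a published fix, or None


# Constructed vulnerability records, not real advisories.
FLAWS: List[Flaw] = [
    Flaw("html-escape", "XSS", 4, True, "1.2.3"),
    Flaw("http-parser", "Broken Authentication", 5, False, "0.10.0"),
    Flaw("template-engine", "Broken Access Control", 3, True, "5.0.0"),
    Flaw("markdown-render", "XSS", 2, False, None),
]


def parse_version(v: str):
    return tuple(int(p) for p in v.split("."))


def dependency_depth(graph, root="app"):
    """Breadth-first search from the root: depth 1 is a direct dependency,
    depth >= 2 is transitive. Returns {package: shortest depth}."""
    depth = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for child in graph.get(node, ()):
            if child not in depth:
                depth[child] = depth[node] + 1
                queue.append(child)
    return depth


def fix_kind(installed: str, fixed_in: Optional[str]) -> str:
    """'none' when no fix is published, 'minor' when the leading version
    component is unchanged (minor/patch bump), 'major' otherwise."""
    if fixed_in is None:
        return "none"
    return "minor" if parse_version(installed)[0] == parse_version(fixed_in)[0] else "major"


def triage(graph, installed, flaws):
    """Annotate each flaw and order the list: highest severity first, then
    flaws with public exploit code, then the cheapest available fix."""
    depth = dependency_depth(graph)
    fix_rank = {"minor": 0, "major": 1, "none": 2}
    rows = [{
        "library": f.library,
        "category": f.category,
        "severity": f.severity,
        "transitive": depth.get(f.library, 0) >= 2,
        "public_poc": f.public_poc,
        "fix": fix_kind(installed[f.library], f.fixed_in),
        "fixed_in": f.fixed_in,
    } for f in flaws]
    rows.sort(key=lambda r: (-r["severity"], not r["public_poc"], fix_rank[r["fix"]]))
    return rows


def summary(rows):
    """Percentages comparable to the report's headline figures."""
    total = len(rows)
    return {
        "total": total,
        "transitive_pct": round(100 * sum(r["transitive"] for r in rows) / total),
        "fixable_pct": round(100 * sum(r["fix"] != "none" for r in rows) / total),
        "minor_fix_pct": round(100 * sum(r["fix"] == "minor" for r in rows) / total),
    }


if __name__ == "__main__":
    ordered = triage(DEPENDENCY_GRAPH, INSTALLED, FLAWS)
    for r in ordered:
        where = "transitive" if r["transitive"] else "direct"
        print(f"{r['library']:16} {r['category']:24} sev={r['severity']} {where:10} "
              f"poc={r['public_poc']} fix={r['fix']} ({r['fixed_in']})")
    print(summary(ordered))
```

On this constructed graph three of the four flawed libraries are reached only through another library, which is the "hidden" risk the transitive-dependency section describes, and the output shows that a lockfile or SCA inventory, not the application's own import list, is what you need in order to see them. The ordering puts the severity-5 flaw first even though it has no public PoC; swap the first two sort keys if your policy weights exploit availability above severity.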

Renowned computer programmer and sci-fi writer Daniel Keys Moran said it well: "You can have data without information, but you cannot have information without data." There's a silver lining to the risk that comes with open source libraries; the more information you arm yourself with, the more efficiently you can shape your DevSecOps program and improve the health of your applications.

The bottom line is that there are fixes for these issues, and most are minor, suggesting that this problem is one of discovery and tracking, not huge refactoring of code. Work with your security team to make sure you are equipped with the tools you need to identify and remediate open source vulnerabilities.

Read the full State of Software Security: Open Source Edition report here for a full analytical picture of what we uncovered in our latest round of research.

What Does it Take to Be an Effective Developer Manager?

If you're a software engineer, you've probably seen one or two of your colleagues graduate from Senior Developer to Developer Manager, some with the sobering realization that managing a team of developers requires significant cross-functional skillsets.

Foundationally, to be a successful Developer Manager you must know your stuff when it comes to software development, be passionate about the importance of security, and come equipped with communication skills that will enable you to bring siloed teams together. More often than not, these skills will come naturally as you move through your career in software engineering, but it's never too early to start honing in on what will make you a great Developer Manager down the road.

We asked a handful of Veracoders to talk about what they think are the most important qualities for Developer Managers to have in their back pocket and ways that managers can effectively lead their teams in the right direction.

Become a supportive advocate. Doug Wilcox, Principal Software Engineer at Veracode, says it's all about how a good manager supports their team. "Always be the team's advocate, protect the team from the often-changing priorities and occasional unreasonable demands from higher up," Doug says. Those unreasonable demands can cause panic and unnecessary stress that derails an entire project, so it's important to understand the difference between a five-alarm fire and a fire drill.

Doug elaborates that being supportive includes providing opportunities for professional growth, especially in areas of team leadership. Becoming that anchor for your team will help to keep frustrations down and spirits high, especially if you act as a communication bridge between security and development, two teams that are often siloed.

Be a tank for the team (when it's right). Dan Murphy, Principal Software Engineer at Veracode, also stresses the importance of managers protecting their teams. "Act as a 'tank' to shield developers from organization overhead. Push back to give developers the time to do things right," he explains. "But ensure that 'right' is always aligned with business interests. Security usually is!" Any team can buckle under the pressure coming from various departments, especially those directly above.

Good Developer Managers can shield their teams while keeping projects on track to meet tight deadlines. Establish boundaries with other team leaders and make sure everyone involved understands how your team functions, which tools they use, and how they prefer to communicate.

Set realistic timeline goals. Kayla Firestack, Associate Software Engineer at Veracode, underscores the importance of timelines and deadlines when racing to produce code. She says, "Understand that it's very difficult to actually figure out how much time something will take if things are done properly. And ignoring tech debt makes working conditions worse." While projects can and do morph on the fly, setting expectations on a sudden change of direction or added steps that slow things down is critical to maintaining a happy (and sane) team of developers.

As Kayla points out, overlooking security debt can also compound these issues and place even more pressure on teams of developers to write quality code under tight deadlines. Work with the security team to set priorities for remediating vulnerabilities so that you know what your developers need to tackle first when new flaws are discovered.

Provide mentorship resources for success. Zachary Estrella, a DevOps Engineer at Veracode, knows firsthand the importance of a manager who also acts as a resource center for growth. "I think Developer Managers should provide any resource the developer needs for success. A Developer Manager also needs to offer some type of mentorship program to younger developers," he says. Becoming a mentor can be as simple as providing opportunities for developers with an interest in security so that they can use their leadership and security skills efficiently.

Consider standing up a security champions program to empower a member of your team who keeps security top of mind and cares about the quality of the code they produce. The security champion you choose can then help you encourage the team to shift security left in the software development lifecycle (SDLC), reducing the number of flaws potentially discovered later in the development process and saving the organization money. That's a win-win.

Offer engaging training solutions. Tim Jarrett, Veracode's Director of Product Management and Strategy, offers concise words of wisdom: "Support training initiatives." These may range from eLearning tutorials and courses on various languages to workshops and webinars that cover professional growth, ideally with content tailored to how your developers work every day. Developer training is essential to the growth of your team, as well as to their impact on the business. As the development process speeds up and security shifts left, developers must be well-equipped to spot and fix vulnerabilities before they become a problem for the organization.

Now, more than ever, this means developers need skills, tools, and ongoing training they may not have had in school or early on in their careers. Look for solutions like Veracode's self-paced eLearning and instructor-led remote education, secure programming workshops, and hands-on training with Veracode Security Labs that teaches developers how to exploit and fix real-world vulnerabilities. Lead by example and take the initiative to use these training tools as well, showing your developers that they should never stop learning if they want to be successful.

Projects move quickly in modern software development, and the health of your code is more important than ever. Possessing these qualities and skills as a Developer Manager will not only make your team more successful but also help your developers set off on the right career path for their skills and goals.

Read our whitepaper to learn more about developer training, including how to boost security knowledge for your team of developers.

Why Fast Feedback Is Critical For Developer Success

In their book Agile Testing: A Practical Guide for Testers and Agile Teams (2008), Lisa Crispin and Janet Gregory wrote that one of the most important factors for success in software development is feedback. "Feedback is a core agile value. The short iterations of agile are designed to provide constant feedback to keep the team on track." The message still rings true: constant feedback is critical to successful deployments. The faster the better.

agile [aj-uhl] adjective: quick and well-coordinated in movement; lithe: an agile leap.

The word "agile" has been a part of software development for years, and today it's more important than ever. Contemporary programming is all about speed and security: can you deploy your software faster than the competition, and will it be secure enough to protect valuable customer data in the face of modern threats? It comes down to how agile you are as a team and just how efficient those feedback loops can be.

Why is it critical for feedback to be fast and efficient? Today's developers must often work so quickly to provide code that slowing down for even a day can have a delaying domino effect. In a software-soaked world that relies on websites and their companion applications for many everyday activities, release delays can quickly add up to monetary losses for organizations; finding the same flaws after each build is like watching money (and time) circle the drain. That's a problem for the whole company, not just your team of developers.

The power of instant feedback

Instant feedback with clear results shows developers what's working and what's not so that they can pivot quickly, fix flaws, squash bugs, and reduce overall risk earlier in the software development lifecycle (SDLC). And psychologically, instant feedback is gratifying. There's less room for impatience and more room for action when feedback rolls in as developers are working hard to write successful code. Learning what common flaws look like and how to avoid introducing them while working away is the epitome of efficient, agile development.

In previous years, "pair programming" solved some of these feedback issues, but not all. With pair programming, one programmer (the driver) writes code while another programmer (the observer/navigator) reviews the code line by line as it is typed. Even though the two switch roles from time to time, this process is dated and resource-heavy.

Tools like Veracode Static Analysis come equipped with automated security feedback right in the IDE and the Pipeline, taking on the role of observer/navigator so that the driver can do what he or she does best. And it's quick; the IDE scan returns feedback instantly, while the Pipeline scan takes about 90 seconds on average, and the Policy scan about 8 minutes at the production stage.

This quick feedback helps developers improve their code while they work by providing guidance that prevents the introduction of new flaws down the road and conducting a full policy scan before deployment to help developers understand which flaws and vulnerabilities they should be focusing on most.

Less time researching, more time writing secure code

Packed schedules leave little room for patience. Of the respondents to Stack Overflow's 2020 Developer Survey, 54.5 percent said they simply walk away when they hit a wall with coding problems and work on something else for the time being. Developers are just too busy to wait for feedback. Veracode Static Analysis, which integrates with existing tooling, takes out the middleman and provides that fast, guiding feedback so that developers don't need to shift gears to another project or scramble if a vulnerability is discovered closer to deployment.

When paired with training tools like Veracode Security Labs, which uses real-world applications to teach developers about exploiting and patching code, scanning platforms with automated security feedback are even more impactful. Solutions that are built to accommodate busy developer schedules go a long way for helping the entire team succeed, especially if they integrate seamlessly as SaaS-based cloud services that do not disrupt workflow.

It isn't enough to practice pair programming or wait to see what went wrong at different points in the build process. In order to get to market quickly with secure applications, fast feedback is just as critical as good feedback. Good feedback that shows developers what the issue is and how to remediate it is a training tool itself that removes risk from your software development processes, and thus removes unnecessary risk from your customers' shoulders.

Ready to learn more? Check out our eBook on securing your software development pipeline with Veracode Static Analysis.



Secure Development Without Sacrificing Innovation and Speed

If you know the term "nightly build," chances are you've been a part of that process before. A nightly build (code compiled overnight from previously checked-in code) is a foundational way to find flaws or issues that arise from changes made during long build processes. But while a staple in DevOps, nightly builds also present a problem: if new bugs are discovered the morning after the build, everything slows down. Additionally, such activity only heightens the wall between development and security by compartmentalizing the tasks developers and security professionals must undertake every day (or night).

The history of the divide between security and development doesn't fall solely on nightly builds, of course. It comes from a place of misconception, where developers fear that security leaders are ready to stall production at every turn, and security leaders lack the knowledge to fully understand the lingo, processes, or goals of developers. Historically, both teams have worked away in their own siloed departments with little to no direction from leadership on ways to come together.

Unifying security and development

By bridging the lines of communication, both teams can start to have serious conversations about producing more secure code without sacrificing the speed needed to meet tight deadlines. At the core of the issue is education. Both development and security teams need to find a common ground for working together and take it a step further to understand exactly how the other side of the aisle works, and how they can plug in their own processes to make that work more effective.

On the developer side of the aisle, that comes down to appreciating the value of security and sharpening the skills they need to write code with fewer flaws and bugs. On the security side, it means understanding developer timelines, tools, and processes, then working with leadership to figure out how to integrate security tools into their existing methods for time-saving automation and valuable coding feedback.

According to a recent report by Securosis, this should be a top-down effort involving members from all the necessary teams. "With DevOps you need to close the loop on issues within infrastructure, security testing as well as code. And Dev and Ops offer different possible solutions to most vulnerabilities, so the people managing security need to include operations teams as well."

Once members of these teams come together with open dialogue about current issues and business goals, they're on the right path to begin discussing which processes and tools will improve the health of their application security without impacting deployment speed.

Know where to start when fixing flaws

Security debt is a real problem that adds up over time and should be addressed with a plan of action to bring it down and reduce risk. But not every vulnerability is mission-critical, whether it sits in a pile of security debt or it was discovered in a batch of new flaws during a recent scan.

According to the Securosis report, deciding which vulnerabilities to tackle first is a common issue for development teams. "During our research many security pros told us that all vulnerabilities started looking like high priorities, and it was incredibly difficult to differentiate a vulnerability with impact on the organization from one which did not," the report says.

Prioritization can speed up the entire development process as little time is wasted going back and forth. While helping to set priorities for developers, security leaders have an opportunity to help developers understand which flaws need to be addressed immediately during development, and which possible threats tie back to unattended vulnerabilities so that developers have a better understanding of how to prioritize flaws in the future.

Automation through integration

Automation brings rapidity and, if used long enough, consistency. With modern software development speeding up and not slowing down, it's more important than ever that developers have the right scanning tools to plug directly into their existing processes with seamless integration. And while automated feedback and security testing alone won't catch every flaw, error, or vulnerability, they set a precedent for incorporating security into the development process, and a baseline for healthy code as the team moves through development.

Complete application security plans incorporate scanning and testing into every stage of the development process, from the IDE to the Pipeline and even review, staging, and production. Veracode Static Analysis has this covered, with automated security feedback in the IDE and Pipeline that alerts (and trains) developers while they work. Veracode Static Analysis conducts a full policy scan before deployment too, showing the vulnerabilities that developers should focus on, and leaving an audit trail for review.

With a tool like Veracode Static Analysis integrated into existing systems and processes, security and development teams will gain clear insight into not only which flaws to prioritize, but also areas where developers need more training and education so that they can produce more secure code in the future. This automated (and peer) feedback helps set a standard for consistency and improves speed overall; those nightly builds can then turn into builds with continuous integration that facilitates faster fix rates.

eLearning tools for continuous education

Continuous education is something that both security and development should embrace if they want to help close the information and communication gaps between the two teams. Security leaders for their part should brush up on developer lingo, tools, and languages, especially when a new language is introduced into the development process.

For developers, boosting skills through hands-on courses, virtual workshops, and instructor-led training increases the speed at which developers work and the security of their applications. By bringing continuous education into the mix so that secure code is front of mind, security and development teams will have an easier time shifting security left with each new project. Eventually, it'll become a regular part of the process to learn from past mistakes, grow to become more innovative and adapt to new security threats.

Tools like Veracode Security Labs take training to the next level by providing developers with real-world examples of threats that they can exploit and patch for practice. This hands-on-keyboard training is unlike cookie-cutter courses, as it is interactive and focuses on real applications with real vulnerabilities.

Security Labs helps meet training and compliance needs, too, with customized education in the languages an organization's developers use most. That tailored experience becomes invaluable when every hour of the day is dedicated to improving the security of your applications. Developers start learning right away and plug back in when they're ready for more; it's a small step that has a big impact.

For more information on speeding up the development process through integration, automation, and feedback, read our eBook on how you can secure your software development pipeline with Veracode Static Analysis.

Frequency, Speed, and Accuracy Are a Match Made in AppSec Heaven

"Make it work, make it right, make it fast." These words from renowned software engineer Kent Beck will always ring true for developers, especially with the pace of development picking up, not slowing down. A GitLab survey from last year showed nearly half (43 percent) of respondents deploy software on-demand or multiple times per day; that's nonstop grinding to produce good code. But simply writing good code is not enough. Software developers must work smarter and faster if they want to stay one step ahead of attackers and meet tight deployment timelines in the process.

Aside from looming deadlines and threat actors who don't sleep, where is the disconnect? In our 10th annual State of Software Security report (SOSS X), we discuss how some developers follow LIFO (Last In, First Out) or FIFO (First In, First Out) methodologies for fixing security flaws that they find when they scan their code. While these methods may work for some organizations, our data paints a clear picture: the chance of a security flaw being fixed in the first month is only about 22 percent for most organizations. It drops to 10 percent for the second month, then 3 to 5 percent the longer teams wait to revisit said flaw.

With the LIFO method, some development teams are prioritizing newer flaws over older flaws, yet their age doesn't matter in many cases; they're all threatening in their own way. And with the FIFO method, new flaws may pile up as teams focus on the vulnerabilities that they discovered first by assuming they take precedence. These methods are lacking an essential step: prioritization.

Fixing the right flaws, fast

The better approach is to scan frequently and fix the right flaws fast as they appear on the radar. Data from SOSS X shows us that frequent scanners (300+) have 5 times less security debt than infrequent scanners. Additionally, frequent scanners see a 3 times reduction in median time to remediation (MedianTTR).
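To make the LIFO/FIFO discussion above concrete, here is an added example (not code from the original post or from Veracode) that takes a constructed set of scan findings and compares the three fix orders: oldest first (FIFO), newest first (LIFO), and a severity-first order that falls back to age. It also computes the median time to remediation over the fixed findings, which is the MedianTTR metric the text refers to. The finding records, severity names and day numbers are all made up for the illustration.

```python
from dataclasses import dataclass
from statistics import median
from typing import List, Optional

# Ordering used by the risk-first queue; the labels are this example's own.
SEVERITY_RANK = {"Very High": 5, "High": 4, "Medium": 3, "Low": 2, "Very Low": 1}


@dataclass(frozen=True)
class Finding:
    """One static-analysis finding. `found` and `fixed` are day numbers
    counted from the first scan; `fixed` is None while the flaw is open."""
    id: str
    cwe: str
    severity: str
    found: int
    fixed: Optional[int] = None


# Constructed sample findings, not real scan data.
FINDINGS: List[Finding] = [
    Finding("F1", "CWE-89", "Very High", found=0),
    Finding("F2", "CWE-79", "Medium", found=0, fixed=12),
    Finding("F3", "CWE-798", "High", found=3),
    Finding("F4", "CWE-22", "High", found=10, fixed=16),
    Finding("F5", "CWE-200", "Low", found=25),
    Finding("F6", "CWE-78", "Very High", found=30, fixed=33),
]


def open_findings(findings: List[Finding], today: int) -> List[Finding]:
    """Findings that had been discovered and were still unfixed on `today`."""
    return [f for f in findings
            if f.found <= today and (f.fixed is None or f.fixed > today)]


def fifo_order(findings: List[Finding], today: int) -> List[str]:
    """First In, First Out: work the oldest open flaw first."""
    return [f.id for f in sorted(open_findings(findings, today), key=lambda f: f.found)]


def lifo_order(findings: List[Finding], today: int) -> List[str]:
    """Last In, First Out: work the newest open flaw first."""
    return [f.id for f in sorted(open_findings(findings, today),
                                 key=lambda f: f.found, reverse=True)]


def risk_order(findings: List[Finding], today: int) -> List[str]:
    """Prioritized queue: highest severity first, then the oldest flaw within
    a severity, so long-lived critical debt never sits behind fresh low flaws."""
    return [f.id for f in sorted(open_findings(findings, today),
                                 key=lambda f: (-SEVERITY_RANK[f.severity], f.found))]


def median_ttr(findings: List[Finding]) -> Optional[float]:
    """Median time to remediation in days over findings that were fixed."""
    durations = [f.fixed - f.found for f in findings if f.fixed is not None]
    return median(durations) if durations else None


if __name__ == "__main__":
    day = 31
    print("FIFO:", fifo_order(FINDINGS, day))
    print("LIFO:", lifo_order(FINDINGS, day))
    print("Risk:", risk_order(FINDINGS, day))
    print("MedianTTR (days):", median_ttr(FINDINGS))
```

With the sample data, LIFO puts the low-severity flaw F5 ahead of the SQL-injection flaw F1 that has been open since day 0, and FIFO leaves the brand-new command-injection flaw F6 at the back of the queue; the risk-first order surfaces both of them before anything else.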

The key to this approach? A comprehensive AppSec solution that blends security testing into each stage of the development pipeline and automates tasks wherever possible. It means you're giving development teams the right scan, at the right time, in the right place so they can keep working, learning, and improving their code without halting projects.

That's where the Veracode Static Analysis family of solutions comes into play, with automated security feedback right in the IDE and the pipeline to improve code as developers work. It also conducts a full policy scan before your team moves forward to deployment, providing a clear window into the flaws that developers should be focusing on directly as well as an audit trail for compliance. Here's a breakdown:

My code. Feedback in the IDE is fast, showing up immediately while developers code. Not only are they then finding and fixing flaws as they work, but they're learning what to do differently next time to avoid the buildup of flaws (and security debt) down the road. The Veracode Static Analysis IDE Scan returns results in 3 seconds on average and offers guidance for remediation, code examples, and links to Veracode AppSec Tutorials too, encouraging developers to improve every step of the way.

Our code. Within a median time of 90 seconds, the Veracode Static Analysis Pipeline Scan runs on every build and offers code feedback at the team level. The feedback is fast, pointing out flaws that are introduced on new commits, and providing insight into when teams need to break the build to remediate policy-violating flaws. Even better: it's easy for development teams to adopt and learn how to use, so it won't slow them down.

Production code. The Veracode Static Analysis Policy Scan in the CD pipeline is the icing on the cake. It conducts a full assessment of the code in about 8 minutes, on average. This scan provides an audit trail to satisfy compliance needs and gives a clear picture of the overall health of your application. It runs without manual tooling on the Veracode Static Analysis Engine, and it even has an impressive false-positive rate of less than 1.1 percent.
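The "break the build on policy-violating flaws introduced by a commit" step from the pipeline-scan paragraph above, and the pipeline integration described under "Automation through integration", can be expressed as a small policy gate. The following is an added example written for this page, not Veracode's tooling or its output format: the JSON shape, the baseline of previously known finding ids and the policy thresholds are all constructed for the illustration. The gate reports only flaws that are new relative to the baseline, fails the build when a new flaw reaches a blocking severity, and reports the rest as warnings so the team still sees them.

```python
import json
import sys
from typing import Dict, Iterable, List, Set

# Constructed scan output in a JSON shape invented for this example.
CURRENT_SCAN = json.dumps({
    "findings": [
        {"id": "a1", "cwe": "CWE-89", "severity": "Very High",
         "file": "app/db.py", "line": 42},
        {"id": "b2", "cwe": "CWE-79", "severity": "Medium",
         "file": "app/views.py", "line": 17},
        {"id": "c3", "cwe": "CWE-209", "severity": "Low",
         "file": "app/errors.py", "line": 8},
    ]
})

# Finding ids that were already present before this commit (constructed).
# Only flaws outside this set count as "introduced on this commit".
BASELINE_IDS: Set[str] = {"c3"}

# Policy chosen for the example: these severities fail the build, everything
# else new is surfaced as a warning in the build log.
POLICY: Dict[str, Set[str]] = {"fail_on": {"Very High", "High"}}


def parse_findings(scan_json: str) -> List[dict]:
    """Load the scanner output; a scan with no `findings` key counts as clean."""
    data = json.loads(scan_json)
    findings = data.get("findings", [])
    if not isinstance(findings, list):
        raise ValueError("findings must be a list")
    return findings


def evaluate_policy(findings: Iterable[dict], baseline_ids: Set[str],
                    policy: Dict[str, Set[str]]) -> dict:
    """Split new findings into blocking and warning buckets and decide pass/fail."""
    new = [f for f in findings if f["id"] not in baseline_ids]
    blocking = [f for f in new if f["severity"] in policy["fail_on"]]
    warnings = [f for f in new if f["severity"] not in policy["fail_on"]]
    return {
        "passed": not blocking,
        "new": new,
        "blocking": blocking,
        "warnings": warnings,
    }


def format_report(result: dict) -> str:
    """One line per new finding, the way a CI log would show it."""
    lines = []
    for f in result["blocking"]:
        lines.append(f"BLOCK   {f['severity']:<9} {f['cwe']:<8} {f['file']}:{f['line']}")
    for f in result["warnings"]:
        lines.append(f"WARN    {f['severity']:<9} {f['cwe']:<8} {f['file']}:{f['line']}")
    lines.append("RESULT  " + ("PASS" if result["passed"] else "FAIL"))
    return "\n".join(lines)


def run_gate(scan_json: str, baseline_ids: Set[str], policy: Dict[str, Set[str]]) -> int:
    """Return the process exit code a CI step would use: 0 = pass, 1 = fail."""
    result = evaluate_policy(parse_findings(scan_json), baseline_ids, policy)
    print(format_report(result))
    return 0 if result["passed"] else 1


if __name__ == "__main__":
    sys.exit(run_gate(CURRENT_SCAN, BASELINE_IDS, POLICY))
```

Keying the gate on "new versus baseline" is what keeps it adoptable: a team with existing security debt is not blocked on day one, but cannot add to the debt, and the baseline shrinks as older flaws are fixed. Run as a CI step, the non-zero exit code is what breaks the build.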

When it comes to false positives, reducing the rate of these pesky alarms is critical to improving speed and developer poise. The industry-leading 1.1 percent false-positive rate (with no tuning required) from Veracode Static Analysis, which is verified by thousands of scanned applications and customer data, is far lower than our competition's 32 percent false-positive rate. That accuracy means you're giving developers back time they would otherwise spend chasing down false flags so that they can focus on what matters most to their team and to the organization.

Upping your AppSec game

Frequency? Check. Speed? Check. Accuracy? Check. Veracode Static Analysis checks all the boxes for improving the security and quality of developer code, and then some. Standardizing on one SaaS solution that leans on automation and easy integration means this isn't just a pipe dream. It's achievable, even amidst accelerated shifts to digital, and we're pretty sure it would make Kent Beck proud.

Check out our whitepaper for more information on the Veracode Static Analysis family and how it can help you manage your AppSec risk in a world where frequency, speed, and accuracy matter most.

Cyberthreats During the Pandemic Are on the Rise

With the sudden shift to digital that many businesses are facing in response to the pandemic, preventing cyberattacks is more important than ever. According to the FBI, attacks related to COVID-19 have increased 400 percent in recent months. And with data from Gartner showing that 74 percent of companies expect to maintain some level of remote workforce indefinitely, organizations can't risk faltering when it comes to the health of their application security, both for their own business continuity and for the safety of their customer data.

The World Health Organization (WHO), which saw a staggering fivefold increase in attempts to target its own staff in April, warns that businesses and the general public alike are at an increased risk for email phishing attacks, which we know can lead to spoofing attacks. But it doesn't stop there; malicious actors continue to exploit every angle possible, from brute force threats to manipulating services meant to help the general public. Businesses must be vigilant about how they're handling security in this new normal, especially when issues with remote work arise.

The remote access conundrum

Chris Wysopal, Veracode's co-founder and CTO, believes there may be even more risk on the horizon as organizations continue remote work through the course of the pandemic.

"I think we could definitely see more social engineering attacks with people pretending to be employees having problems with remote access. Also, new phishing attacks that take advantage of so many remote access procedures changing. Organizations hastily deploying remote access might not be securing it," Chris explains. "There are a lot of companies that don't make remote access a normal part of their business and may now need to do this."

The rates we're already seeing are staggering. Data from Atlas VPN shows a 350 percent increase in phishing sites detected by Google since January. And it's no surprise that attackers are using a global event for financial gain; Verizon's 2020 Data Breach Investigations Report highlights that 86 percent of surveyed breaches were financially motivated, with over 80 percent of hacking breaches involving brute force attacks or the use of stolen credentials through phishing.

Pandemic-related cyberattacks

The Verizon report also found that financially motivated social engineering attacks are steadily increasing year over year, which means the global pandemic offers even more of an opportunity for threat actors. As everything has shifted to digital during the pandemic, these established trends present a virtual goldmine for malicious behavior. Here are some of the attacks we've seen that exploit this new normal:

Microsoft Teams: With increased remote work, organizations of all sizes are relying on communication tools like Microsoft Teams. Researchers from Abnormal Security discovered in April that attackers had been sending fake emails resembling Microsoft Teams notifications, phishing for employee credentials. The platform suffered two separate attacks, the first of which used URL redirects to send unsuspecting users to a domain hosting the attack. The second directed users to multiple YouTube pages before ultimately sending them to the phishing site where they may have exposed their credentials.

DocuSign: Researchers at Abnormal Security also discovered that a phishing email targeted 50,000 to 60,000 DocuSign users through Microsoft Office 365. The email, urging recipients to review a document about COVID-19, used a concealed malicious URL within the text, which brought users to a website phishing for credentials. Abnormal Security notes that this attack was particularly successful as DocuSign is an essential tool for signing online documents, especially at a time with dispersed workforces.

Instacart: As more people began using food delivery services to avoid grocery stores, they became a clear target for threat actors. A research firm recently alerted Instacart of a bug that would allow attackers to send malicious links to shoppers via text message. Attackers have also been sending malicious bots after browser extensions meant to help users grab coveted grocery delivery timeslots for services like Instacart.

10x Genomics: Healthcare organizations are at increased risk, too. In March, biotech research firm 10x Genomics was hit by an attack that resulted in stolen company data. The firm, which is compiling information related to COVID-19 to aid possible treatments, was able to isolate the attack quickly despite losing some sensitive information. Attackers reportedly leveraged REvil ransomware, which is also being used to exploit VPN and gateway vulnerabilities within healthcare organizations that are experiencing higher than usual strain due to the pandemic.

Protecting your business continuity

Malicious actors work hard to manipulate weak security protocols and unfixed vulnerabilities wherever possible, especially during times of widespread change and uncertainty. But there's good news from Veracode: our Static Analysis scan numbers hit a record high in March and then hit another record high in April. Our customers are remaining vigilant about their security so they can continue to protect their data and the data of their own customers.

If you're concerned about the state of your AppSec program or need guidance, we're here to help ensure that you can maintain business continuity during the pandemic. Stay one step ahead of attackers by:

  • Shifting security left to the beginning of the software development lifecycle (SDLC) so that developers can write more secure code sooner rather than later.
  • Scanning earlier in the development process to catch flaws and scanning more often to reduce the risk that comes from security debt.
  • Utilizing penetration testing to locate information that may be used in social engineering or phishing attacks within your organization.
  • Using tools like Veracode Security Labs for hands-on training, and IDE Scan for real-time feedback that helps developers learn as they code.

Learn more about thwarting cyberattacks by future-proofing your application security.