
How to Leverage Veracode Container Security to Secure Cloud-native Application Development

Cloud-native software development is a driving force because it empowers teams to build and deploy applications at speed and scale. Along with microservices, cloud infrastructure, and APIs, containers are a crucial part of this development process. Let’s look at the security implications of containers in cloud-native application development and how to manage the security challenges they pose.

What are containers?

A container is a standard package of software. It bundles an application’s code together with the related configuration files and libraries, and with the dependencies required for the application to run. This allows you to deploy cloud-native applications seamlessly across public, hybrid, or private cloud environments. For example, just as the shipping industry uses physical containers to isolate different cargoes so they can be transported by ship or train regardless of what is inside, software containers let us ship self-contained units of…

4 Categories of Container Security Vulnerabilities (& Best Practices to Reduce Risk)

Containerization is becoming increasingly common due to its portability, ability to isolate application dependencies, scalability, cost effectiveness, and ease of use. The ability to easily package and deploy code has changed the way that organizations work with applications. But as with Windows servers years ago, or AWS today, any time one specific technology gains a significant portion of the market share, it becomes a target for attackers. Here’s what you need to know about the security risks of vulnerable containers.

Some Background on Container Vulnerabilities

When containers were first released, an attacker would have to first discover that an organization was using containerization and then try to find a way to exploit those containers. Today, it’s a safe bet that containers are in use, and if an organization’s containers aren’t secured, they can present a quick way into a company’s infrastructure. To minimize the risk of your company being breached, you can (and should)…

Quick Start Guide: Integrate Veracode in Your DevOps Pipeline

For today’s DevSecOps teams, the demands continue to intensify. Application portfolios and codebases continue to grow, while cyberattacks remain an ever-present danger. More than ever, it’s vital to ensure security gaps are identified and addressed with maximum speed and efficiency. To do this, you need to establish a continuous feedback loop on security threats, so you can realize optimized, sustained results – which is exactly how Veracode helps. Here we’ll outline how you can get started with Veracode in a matter of minutes, and we’ll detail all the ways we can help after your initial scans are complete.

How to Quickly Get Started with Veracode

Here’s an overview of the process of getting started with Veracode in two environments: GitHub and Azure. For each, we’ll outline the process for running scans using our Veracode Static Analysis (SAST) and Veracode Software Composition Analysis (SCA) solutions. These solutions offer the fastest way to get scanning coverage in your…

6 Reasons You Need to Run SCA Scans on Projects in VS Code

We love open-source software (OSS). Not only does it save time and effort, but it’s also incredibly rewarding to collaborate with other developers on major projects. Plus, it opens the door for innovation that otherwise wouldn’t be possible at this scale. However, with code comes responsibility, so it’s imperative to understand the risk OSS libraries carry when we integrate them into projects. Running a Software Composition Analysis (SCA) scan will help highlight dependencies and any issues in the OSS libraries being used. Here are six reasons why scanning OSS dependencies while you code helps in the long run.

1. Save Yourself from Agitation Later

The longer you wait to run security checks, the harder the findings will be to fix later. Plus, when you run the SCA scan on your own time, rather than waiting until a ticket comes in from another team, you’re not tied to their completion dates.

2. Understand Risk in Your Projects and Potential OSS Libraries You Want to Pull In

By…

3 Key Takeaways from the State of Software Security 2023 Report

It’s one of our favorite times of the year – the unveiling of our annual State of Software Security (SoSS) report. Software security issues can have devastating effects on organizations, damaging their financial stability and reputations. That’s why our research this year centered on a crucial question: what can be done to avoid introducing security flaws in the first place? We dug into 17 years of data and analyzed three-quarters of a million applications to provide security and development teams with concrete steps they can act on together to minimize risk, protect applications, and meet industry regulations. Plus, we turn some conventional wisdom about open source on its head. Let’s dive in.

1. 32 percent of apps contain security flaws at the first scan, and by the five-year mark, this jumps to 70 percent.

By the time they move into production, nearly one-third of all applications have security flaws, and applications grow by about 40 percent year on year irrespective of their…

With Gratitude to Our Customers. We Couldn’t Do Any of This Without You.

It’s the end of another year, and we want to take a quick moment to reflect on the debt of gratitude we owe our customers. Thanks to you, we’re all leagues closer to a world where software is developed secure from the start. You constantly astound us with your dedication to securing your apps for your customers, and we are grateful you’ve chosen us as your security partner. You value the competitive advantage of making secure software and have proven it by reaching new heights in 2022. Let’s dive into some of the stories from this year and celebrate what your progress, feedback, and successes have allowed us all to achieve. Scalable and reliable software security is unquestionably valuable, but determining how to achieve it within seamless developer workflows can present a challenge. Cloud-native electronic health records application developer Azalea Health incorporates secure coding best practices with Veracode. VP of Engineering Andrew McCall told us that rather than treating…

What We’ve Learned About Reducing Open-source Risk Since Log4j

I share a birthday with the Log4j event. However, unlike this event, I’ve been around for more than one year. On December 9th, 2021, a tweet exposed a zero-day vulnerability in Log4j, a widely used piece of open-source software. The announcement made headlines everywhere, and cybersecurity was suddenly put in the spotlight. It was a wake-up call for many because, in an instant, software that had been considered secure was suddenly at tremendous risk. Looking back over the aftermath of the past year, here’s what Log4j has taught us about reducing open-source risk.

What Log4j Has Revealed About the Risk of Open-source Libraries

With a CVSS severity level of 10 out of 10, the urgent response to Log4j was warranted. Upon the announcement, we quickly discovered that 58 percent of enterprises were using the vulnerable version of Log4j, and Microsoft shared shortly after the announcement that state-backed hackers around the world had already tried to exploit the Log4j vulnerability. How…

Despite Security Scrutiny on Tech Industry, Nearly One-fourth of Applications Have High-severity Flaws

The United States, United Kingdom and other governments around the globe are making strides to defend against software supply chain attacks and strengthen the cybersecurity resilience of their departments, partners, and stakeholders. Technology companies are following these developments and emerging government guidance closely, understanding that in a post-SolarWinds and Log4j world, their roles in securing the software they create – along with the applications they use to deliver new innovations – are rapidly evolving. This heightened awareness has not fully translated into stronger security measures, however. Our recent State of Software Security v12 (SOSS) report found that, when compared to other industries, the technology sector has the second-highest proportion of applications with security flaws, as well as the highest proportion of applications with high-severity flaws. Given the nature of the industry, it could be argued that tech companies create far more applications –…

As the Holiday Season Begins, 73% of Retail and Hospitality Apps Have a Flaw

After the pandemic upended the retail and hospitality industries, digital transformation became imperative to survival – the key to meeting ever-changing customer expectations and overcoming supply chain complexities. As the landscape continues to shift, 55 percent of retailers say they’re open to improving their innovation capabilities, while 51 percent want to adopt new business models. But as retail and hospitality companies deepen their digital capabilities, cyberattackers are looking for ways to exploit vulnerabilities in eCommerce systems, digital payment platforms, and other software systems. Our latest State of Software Security (SOSS) Volume 12 found that 73% of all applications in the retail and hospitality sector have a security vulnerability. This is especially concerning as we enter the busy holiday season, a time of historically elevated threat levels. Yet there is some cause for cheer: Our SOSS findings revealed that when compared to other industries, retail and…

Anatomy of a Stored Cross-site Scripting Vulnerability in Apache Spark

One of the services that Veracode offers is a consultation with an Application Security Consultant – a seasoned software developer and application security expert. In the context of a consultation, my team works with the software engineers of Veracode’s customers to understand and, ideally, remediate security flaws found by the Veracode tool suite. There is a well-defined difference between a security flaw (a defect that can lead to a vulnerability) and a vulnerability (an exploitable condition within code that an attacker can take advantage of). While working with potentially dozens of different customer applications every week, we usually have a strong gut feeling for when a security flaw might constitute an exploitable vulnerability and should receive extra attention. During one of our consultations, a set of similar Cross-site Scripting (XSS) flaws was discovered by Veracode Static Analysis in what turned out to be third-party JavaScript files belonging to Apache Spark. After some…

4 Reasons Scan Results May Differ Over Time: Advice from an Application Security Consultant

You didn’t change anything in your code, yet the scan is different this time. Here’s advice from an Application Security Consultant on why that may be. Have you ever wondered why you scan code one day and get one result, and then scan the same code a month later and get different results – even though you never changed anything? As Application Security Consultants at Veracode, we often receive questions from developers about unanticipated differences in findings between one static scan and another. Typically, developers will make some changes in their application between scans, but it is common to encounter changes in findings that appear unrelated to developer activity. In this article, we’ll explore four of the reasons why this may occur.

1. Changes in Seemingly Unrelated Code

Obviously, code changes that effectively remediate findings will result in those findings no longer being reported. Changes that add new functionality may include security defects, and these new findings…

The Power of Manual Penetration Testing in Securing Your Attack Surface

When it comes to protecting software, don’t count on automated testing to find all the vulnerabilities in your code. Here’s why manual penetration testing is more essential (and more accessible) than one might think.

Humans find vulnerable vectors automation can’t.

While it’s not breaking news that any mature DevSecOps program should integrate automated application analysis into the software development lifecycle, there is no silver bullet for ensuring the security posture of the entire attack surface. Stopping attackers from gaining access to sensitive information requires a well-rounded program that covers the software development lifecycle from end to end – from static code testing and testing third-party libraries to dynamic analysis and manual penetration testing. Organizations that want to keep their software as secure as possible can’t afford to leave any stone unturned. Manual penetration testing or “pen testing” has long been the great revealer of both successes and…

How Government Agencies Can Secure Mission Critical Software in the Cloud

Government agencies are instructed by Executive Order to improve the delivery of digital services to citizens while also safeguarding critical data and systems. Often, this leads to a difficult decision between speed of application production and software security. However, as recent events have shown, sacrificing security in the name of speed compromises the safety of citizens and government infrastructure. Here’s why the government is prioritizing software security and how agencies can reliably secure software development in the cloud and on-premises.

Why is the Government More Focused than Ever on Improving Software Supply Chain Security?

The following executive orders and memoranda make it clear that cybersecurity, and software security in particular, is a national priority. Let’s explore why they were created and what they require from you.

Executive Order on Improving the Nation’s Cybersecurity

In 2021, the Biden administration issued an executive order on cybersecurity that…

What You Need to Know About OpenSSL-3.0.7

OpenSSL released version 3.0.7 with security fixes for the high-severity vulnerabilities CVE-2022-3786 and CVE-2022-3602 discussed here. Here’s how to know if you’re affected and what to do if you are.

Am I affected?

At this moment it appears that OpenSSL versions between 3.0.0 and 3.0.6, and applications using the OpenSSL library in those versions, are vulnerable. OpenSSL 3.x was released just about one year ago (OpenSSL 3.0 Has Been Released! - OpenSSL Blog); container images, distributions and software released before that date are unlikely to be affected. OpenSSL can be installed through a package manager that places it in well-known locations and configures it at the system level, or it can be downloaded onto the system as a compiled binary or even compiled locally from source code. Because of these different approaches, it is not possible to list every way of detecting the versions of OpenSSL installed on a system. LibreSSL is not affected by this vulnerability (oss-security - Re:…

Why Security is Central to Citizen Experience Part 3: A Helping Hand from the Private Sector

The final part of this series reveals how Veracode’s FedRAMP authorization is all about supporting the government and its citizens. (Part three in a three-part series.)  Building trust in government is both my passion and part of my character. Last year, when I found myself contemplating my next career move, I knew that I wanted to be at an innovative company devoted to rebuilding trust in federal agencies.  It didn’t take long for me to realize that Veracode and I were a perfect fit. Immediately I saw how the company’s mission and innovative application-security technology aligned with my values. I joined the Veracode team in May, bringing to my new job a wealth of private- and public-sector experience. I also arrived with a mental map for navigating government, a map that was updated during the Covid era.  Indeed, agencies are having to overcome new technological obstacles that emerged during the pandemic. The challenge to advance cybersecurity, for example, has strained the…

Why Security is Central to Citizen Experience Part 2: The Changing Cyber Landscape of Government

The second part of this series is about what’s driving the cybersecurity changes across government. (Part two in a three-part series.) Throughout my career, I’ve seen a lot of change in the realm of cybersecurity. Whether in the private or public sector, from pre- to post-pandemic, I’ve witnessed the struggles of agencies coming to terms with digital transformation and cybersecurity. What I’ve found is that federal agencies are expected to keep pace with their civilian counterparts while abiding by mandates to add an extra layer of security to digital operations. Factor in upheavals caused by the pandemic, and it’s clear why the public sector has been feeling the immense pressure to quickly tighten its cybersecurity practices.

Global Pandemic

Prior to the pandemic, you came into the office, and your network access was granted simply because you were in the building. This all changed when agencies had to figure out how to work remotely with little to no planning. Agencies that were…

Why Mitigate Flaws to Manage Risk: Advice from an Application Security Consultant

Documenting flaws that you don’t prioritize today will save you time should they become high-severity flaws in the future. Here’s the best way to approach them. The topic of mitigations is a commonplace source of questions and discussion for our Application Security Consulting group. This is a complicated topic, and I hope the following helps to provide some understanding and guidance on how to think about the role and purpose mitigations play in the security posture of an application and in your security program.

What is a mitigation?

In the Veracode system, a mitigation is an annotation on a finding – or flaw, typically one detected through static analysis – which explains why the finding does not require a code change in order to remediate the risk. In other words, it is an explanation of how the risk reported via the finding is already being addressed effectively. It is important to differentiate findings that are mitigated from the idea of a false positive finding.…

Why Security is Central to Citizen Experience Part 1: Lessons from a Federal Executive

The first part of this series is about why my return to the private sector is still motivated by American citizens. (Part one in a three-part series.) Government agencies have critical missions that affect the entire American population. The thing is, their core missions typically aren’t technology; they’re everything from delivering food stamps and stable roads to social security. Veracode’s top mission is technology, and it allows the government agencies to fulfill their critical core missions. That’s why I made the move from the public sector to the private sector by joining the Veracode team.

How it All Started

My experience in government, the private sector, product development, and IT security makes me well suited to fight malicious cyberthreats. My career began by tracking legislation at Congressional Quarterly (CQ), and I got into product management before it was as prevalent as it is today. I often fell into the marketing and advertising departments and spent…

Despite Lowest Software Flaw Frequency, Manufacturing’s Fix Times Lag and Create Ransomware Risk

In 2021, manufacturing became cybercriminals’ most targeted industry as a surge in global ransomware attacks disrupted manufacturing operations and exacerbated supply chain woes. This put even more pressure on manufacturing organizations that were already feeling the heat. Recognizing that ransomware attacks can stem from software vulnerabilities, many manufacturers are exploring ways to strengthen their software security programs. Our recent State of Software Security report v12 (SOSS), which analyzed 20 million scans across half a million applications, identified several manufacturing-specific trends that may help focus these efforts. First up, some good news: The manufacturing industry now boasts the lowest number of software security flaws across all sectors, dethroning financial services from last year’s top spot. However, the manufacturing sector is also tied for the lowest number of flaws that are fixed. This means that manufacturing companies have security flaws in…

How Azalea Health Ensures Customer Trust with Cloud-based Software Security

As head of the product department at Azalea Health, I need to understand what our market needs. Based on the conversations that we’ve had with hospitals and clinics, enterprise-grade security is something they desperately need but rightfully expect their EHR system to provide. That’s why it’s important for our organization to take the responsibility of securing health data off their shoulders. Because healthcare providers rely on Azalea software to manage patient health records and personal information, our security program starts when the software is being developed. We’ve always been diligent about software security, and we run penetration tests on a regular basis. However, after we moved our 100 percent cloud-delivered model to AWS in 2021, our focus on security intensified. We recognized the need to catch issues earlier in the development process, before they even got to our staging servers. For us, it was important to find a solution that integrates security into every stage of…