Securing Code and Apps with Veracode

Ensuring that bespoke applications, whether written by in-house development teams or by external development companies, are secure and follow current best practice is essential. The security of any third-party or commercial applications used within an organisation needs to be assured in the same way. Application and code security are as vital as network security and the other layers of cyber protection. Veracode provides tools that organisations can use to check in-house development project code for issues as it is written, and to scan the binaries and code libraries used in custom and commercial applications. Renaissance provides the Veracode tools and services within Ireland and the UK.

Veracode releases a highly respected report each year on the State of Software Security (SOSS). The tenth annual report was released towards the end of 2019 and provides an excellent review of where application security stands at the start of the new decade. Read on for an overview of the key findings, and contact Renaissance for more information on the Veracode tools and solutions that can make your applications more secure.

State of Software Security Report

The Veracode SOSS report is a goldmine of information on application vulnerabilities and how to address them. With over 50 pages of comprehensive data and analysis, we can't capture all of the information it contains in this article. Here we present a flavour of what the report includes that will hopefully inspire you to read the full thing. There is a link to the Veracode SOSS page in the Conclusion section of this article. Everyone involved in security and senior management should read it.

For the tenth SOSS report, Veracode analysed security scans of 85,000 applications and code bases. That is a large sample, and one likely to be representative of the overall application development landscape. Of those applications, 83% had at least one flaw on scanning. Looking only at high-severity defects, 20% of the applications had at least one flaw that could be exploited in a serious way. Two-thirds of the applications tested failed a policy check against the OWASP Top 10 list of web application risks or the SANS/CWE Top 25 list of the most dangerous software errors.

Clearly, more work and focus are needed to ensure that developers write safer code and applications. Veracode's tools act like a "spell-checker" for code: they highlight flaws as the code is written, and they also scan built applications and third-party and open source code libraries for known weaknesses. It is not all bad news, though. Progress is being made on the application security front.

Frequent Scanning Improves Fix Times

The SOSS report contains data on fix times for flaws, and indeed on whether flaws get fixed at all. It found that 56% of all discovered flaws are fixed eventually. Not all flaws have the same impact, and the fix rate for high-severity flaws came in at 76%. That still means 24% of high-severity flaws are never fixed and remain in applications, open to attack by cybercriminals. To complete the picture, Veracode reports that 16% of applications never receive a fix for any flaw, while 29% of applications fall into the set where every flaw is fixed eventually. The median time from discovery to fix for a flaw is 59 days. Interestingly, this is the same median fix time reported in the first SOSS report a decade ago, even though far more code is being written today.

Automated scanning for flaws, vulnerabilities, and errors in code demonstrably improves fix times across the board. For organisations that scanned their code and applications about once a month, the average time to fix a flaw was 68 days. Organisations that scanned at least daily averaged 19 days. The results are unambiguous: building security into DevOps workflows to create a DevSecOps process, one that scans all code on submit, on compile, and even as it is written, produces better and more secure applications.

Is Progress Being Made in Application Security?

Yes, in the majority of cases. Between the ninth and tenth releases of the SOSS report, 50.4% of the applications tested had fewer flaws than before. Together with a further 19.5% that had no flaws at all or the same number as before, this means just under 70% of all applications tested were either better or unchanged relative to the 2018 report period. That still leaves 30% with more flaws than last time. The developers of those applications, and the senior managers in the organisations commissioning and writing them, should definitely look at Veracode's tools.

One final data point is worth noting. The most common category of flaw found is information leakage: the application disclosing data it should not. This is bad news in the era of GDPR, where data breaches and data loss can lead to serious consequences for businesses and other organisations. The second most common category is cryptographic issues, which point to weaknesses in how data is encrypted or hashed that could lead to unauthorised data access. These, and the other flaw types discussed in the SOSS report, need to be addressed.
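To make those two flaw categories concrete, here is an added illustration, not code from the original page or from Veracode, of the kind of pattern a static scanner flags, each shown beside a hardened form. The request handler, the in-memory log list, the password-storage string format and the iteration count are assumptions made for this example; only the flaw categories come from the report.

```python
"""Information leakage and weak cryptography: vulnerable pattern next to its
hardened replacement. Stdlib only; the functions and storage format are
illustrative assumptions, not Veracode's or any framework's API."""
import hashlib
import hmac
import os
import traceback

# --- Information leakage ---------------------------------------------------
# Vulnerable: the exception message and full traceback (file paths, line
# numbers, library versions) are echoed to the client.
def handle_request_leaky(lookup, key):
    try:
        return 200, str(lookup(key))
    except Exception as exc:
        return 500, "Internal error: %s\n%s" % (exc, traceback.format_exc())

# Hardened: the detail goes to the server-side log (a list standing in for a
# real logger); the client receives only an opaque reference to quote.
SERVER_LOG = []

def handle_request_safe(lookup, key):
    try:
        return 200, str(lookup(key))
    except Exception:
        ref = os.urandom(4).hex()
        SERVER_LOG.append((ref, traceback.format_exc()))
        return 500, "Internal error (reference %s)" % ref

# --- Cryptographic misuse --------------------------------------------------
# Vulnerable: unsalted MD5. Equal passwords hash identically across users,
# rainbow tables apply, and MD5 is fast enough to brute-force offline.
def hash_password_weak(password):
    return hashlib.md5(password.encode()).hexdigest()

def verify_password_weak(password, stored):
    return hash_password_weak(password) == stored  # also not constant-time

# Hardened: per-user random salt, a deliberately slow KDF and a constant-time
# comparison. Stored as "pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>"
# (an assumed format chosen for this example).
PBKDF2_ITERATIONS = 600_000  # assumed default; tune to your hardware budget

def hash_password(password, iterations=PBKDF2_ITERATIONS):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())

def verify_password(password, stored):
    # Parse defensively: a malformed record must fail closed, not raise.
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        iters = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    return hmac.compare_digest(actual, expected)

if __name__ == "__main__":
    def boom(k):  # constructed failing lookup
        raise KeyError(k)
    print(handle_request_leaky(boom, "user-42")[1])  # leaks the traceback
    print(handle_request_safe(boom, "user-42")[1])   # opaque reference only
    record = hash_password("correct horse")
    print(record, verify_password("correct horse", record))
```

The scanner's two complaints map directly onto the two "vulnerable" functions: the first returns exception internals to an untrusted party, the second uses an unsalted, fast hash where a salted, slow key-derivation function is required. Both fixes are local and mechanical, which is why flaws of this kind are cheap to fix when they are caught at commit time rather than months later.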

Conclusion

Developing applications is hard. Developing secure applications is harder still. Veracode makes that task more straightforward for everyone involved in the application development workflow: product managers, developers, security professionals, and others. Contact Renaissance to find out more. You can find the Veracode SOSS report here.