Software and application security vendor Veracode has gone through a re-brand and a change of leadership, and Infosecurity recently met with SVP and general manager Sam King to learn all about it...
Eight months after the acquisition by CA Technologies, the company is now named CA Veracode and King confirmed that it is maintaining the product brand of Veracode. Part of the reason is that CA Technologies recognizes Veracode’s stature in the security industry.
“CA Technologies has been very conscious and deliberate in making sure that this acquisition only propels that further; the last thing that they want to do is detract from the strong brand,” said King. The company has retained many of its recognizable researchers and senior staff, and just a few weeks after the release of Veracode’s State of Security Report and the first revision of the OWASP Top 10 in four years, King spoke to Infosecurity about its findings.
King pointed out that the main addition to the new OWASP Top Ten was related to the Apache Struts vulnerability blamed for the Equifax breach. “This is Insecure Deserialization,” she said. “We reported this in our report and you find insecure components on the vast majority of applications. Eighty-eight percent of Java applications scanned included at least one insecure component. Then when we looked at the Struts 2 library component, you can see in our report how many websites still have that component in use more than 30 days after that vulnerability was reported.
“So I can understand why there is a lot of focus being on that as it caused such a noteworthy breach.”
King said that she welcomed the revision of the Top 10, as OWASP has become the standard for so many things, and regulatory bodies will also look to it as a security standard, telling people “this is what you need to watch for”.
“In fact, customers say that they get that they have to do application security better, and ask ‘where do I start?’ The OWASP Top 10 is an easy place to start,” she advised, “as you can point them to it, it’s an industry standard. It is the sort of process they should be following as it is not just about scanning one application once, it is about having a methodology where security testing is embedded in the way that you use software and use open source code, and the way in which you buy and run software. You really have to embed it across the full life-cycle and for all of the software assets you may be employing.”
In terms of the 2017 State of Security Report, which was released last month, King said that as only 28% of recipients are doing composition analysis to determine what code is being used, there is a lack of awareness of the problem. “If you don’t know about the problem that’s one thing, if you do know about it then it is a big problem as it is still taking people a lot of time to get it addressed,” she said.
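As an added illustration of the composition-analysis point above (example code written for this page, not Veracode's or the report's), here is a minimal check that walks an inventory of bundled components against a list of advisories, reports the share of applications carrying a known-vulnerable component, and flags any still below the fixed version more than 30 days after disclosure. The application names, component versions, advisory ids, dates and the scan date are all constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date

def parse_version(text):
    """'2.3.5' -> (2, 3, 5); tuples compare component-wise, as version numbers should."""
    return tuple(int(part) for part in text.split("."))

@dataclass(frozen=True)
class Advisory:
    advisory_id: str    # placeholder id, not a real CVE number
    component: str
    fixed_version: str  # first release that carries the fix
    disclosed: date

# Constructed sample data, not taken from the report: the components each
# application bundles, as a composition-analysis scan would inventory them.
INVENTORY = {
    "payments-api": {"struts2-core": "2.3.5", "commons-text": "1.1"},
    "hr-portal":    {"struts2-core": "2.5.3", "commons-text": "1.9"},
    "reporting":    {"struts2-core": "2.3.5", "commons-text": "1.9"},
}

# Constructed advisories with placeholder ids, fixed versions and dates.
ADVISORIES = [
    Advisory("ADV-PLACEHOLDER-1", "struts2-core", "2.5.0", date(2017, 1, 1)),
    Advisory("ADV-PLACEHOLDER-2", "commons-text", "1.9", date(2017, 10, 25)),
]
AS_OF = date(2017, 11, 1)  # constructed scan date

def vulnerable_components(inventory, advisories):
    """Yield (app, advisory) for every bundled component below its fixed version."""
    for app, components in inventory.items():
        for adv in advisories:
            version = components.get(adv.component)
            if version is not None and parse_version(version) < parse_version(adv.fixed_version):
                yield app, adv

def share_of_apps_affected(inventory, advisories):
    """Fraction of applications carrying at least one known-vulnerable component."""
    affected = {app for app, _ in vulnerable_components(inventory, advisories)}
    return len(affected) / len(inventory)

def overdue_components(inventory, advisories, today, sla_days=30):
    """Vulnerable components still unpatched more than sla_days after disclosure,
    as (app, component, advisory_id, days_since_disclosure)."""
    return [
        (app, adv.component, adv.advisory_id, (today - adv.disclosed).days)
        for app, adv in vulnerable_components(inventory, advisories)
        if (today - adv.disclosed).days > sla_days
    ]

if __name__ == "__main__":
    print(f"{share_of_apps_affected(INVENTORY, ADVISORIES):.0%} of apps bundle a vulnerable component")
    for finding in overdue_components(INVENTORY, ADVISORIES, AS_OF):
        print("overdue:", finding)
```

In the constructed data the commons-text advisory is only a week old at the scan date, so it counts toward the affected share but not yet toward the 30-day overdue list.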
“In general, the theme of taking [significant] time to fix does emerge, and we found that 14% of high severity flaws were closed in 30 days or fewer. When the problem is presented to you late, it competes with other production work, so there is competition in the process.”
Moving on to DevOps, King said that evidence from NIST suggests that the cost of fixing a particular flaw is 30 times higher once the application is already in production, 10 times higher at the testing stage, and cheapest when the code is actually being written. Companies that manage to embed the methodology that early can see the benefit and weed out a lot of the insecure content.
Has 2017 been a popular year for DevSecOps? King said that most breach stories relate to software vulnerabilities, yet because spending has been directed towards infrastructure and network, software has received less of it. Software security spending is rising fast, however, as people recognize both the size of the problem and the size of the investment needed.
“Awareness is at a high and there is a time to invest, but the question is how do you do it the right way and how do you get the most out of your investment? That is where I would say you need to focus on the fixing as well.”