You are here

You are here

App Sec Research Update: How to bolster your software security

Rob Lemos Writer and analyst

If your development teams are not closely tracking their use of open-source and common components, your applications most likely contain vulnerabilities.

That's one of the conclusions of Micro Focus' Application Security Research Update for 2017-18, which found that 83% of software contains open-source components and that 91% of those components contained a critical or high-severity vulnerability.

These vulnerabilities represent a significant risk for companies, which often do not have good visibility into the code that goes into their products, said Alex Hoole, principal researcher for software security at Micro Focus.  The first question: How many of them are analyzing their dependencies for vulnerabilities, in addition to their own code, he said.

"The majority of companies now are using open-source dependencies. Everyone needs to double-check and ask if their dependencies are vulnerable."
—Alex Hoole

More mistakes, but faster resolution

While software security has become a higher priority for companies, developers continue to make the same mistakes. The likelihood of finding a vulnerability in applications increased for five of the eight broad classes of software weaknesses, which Micro Focus calls "kingdoms," after their biological counterparts. Overall, more than 80% of applications had at least one critical vulnerability, the report said.

Yet the report also found that developers have improved their ability to quickly remediate vulnerabilities in code. The majority of security issues were fixed within 30 days of their being identified, with almost all medium-severity vulnerabilities fixed within 15 days. High- and critical-severity vulnerabilities required almost two months to be remediated, Micro Focus found. 

Focusing on fixing either the easiest-to-patch vulnerabilities or the most severe issues is not always the best strategy, said Zane Lackey, co-founder and chief security officer of Signal Sciences.

"It is not always that high-severity vulnerability that is used by attackers. Sometimes they chain together a bunch of low and mediums, while other times they abuse legitimate functionality in a way that the developers did not consider."
Zane Lackey

Security features are the least secure

Vulnerabilities most often occurred in security features, such as incorrect use of SSL or keychains, and encapsulation code, according to the report. Mobile applications were far more likely to have weaknesses than web applications.

In addition, some relatively new classes of vulnerabilities are becoming more significant. Deserialization—the process of decoding a series of bytes into a data structure—has been a known potential security weakness for over 10 years. But problems with deserialization in Java have created an increase in vulnerabilities since 2015. In 2016, some 323 applications were found vulnerable to unsafe deserialization flaws during nine months of testing. The issues required, on average, 99 days to patch.

The various software security maturity models "include health checks to see if we are doing the right things," Micro Focus' Hoole said.

"We need to make sure that developers are not adding in vulnerabilities and causing costs."

The report suggests that companies should be paying attention to a few broad areas to head off vulnerabilities. Here are three key areas to focus on to secure your company's software.

1. Focus on the supply chain

With so many applications using open-source components, companies need visibility into their software supply chain, said Hoole. Security issues are often quietly patched in software, and if developers do not keep up, their applications can inherit vulnerabilities from out-of-date libraries.

"There are many vulnerabilities in these components that are silently fixed when a new version comes out, but the companies who consume that code never even know about it," Hoole said. "And that is a bit of a hidden risk, because the companies don't know that they need to patch the code."

This is a significant issue because the root cause of many data breaches is the failure to upgrade software components to the latest patched versions.

In addition, knowing what components make up software can help companies identify—and take steps to minimize—their risks. Libraries are often slow to be patched: Software projects took at least five times longer to patch a vulnerability as to acknowledge the issue. In some cases, projects took almost 20 times longer. For example, access-control issues took 8 days to acknowledge and 155 days to patch.

2. Teach developers secure coding patterns

Another of this year's findings is that developers continue to make the same mistakes. The incidence of flaws in five of the eight software-vulnerability kingdoms increased for apps, while decreasing for three kingdoms. However, in all but two cases, the change was small.

"This dovetails into the fact that there is always going to be more bugs," Signal Sciences' Lackey said. "It is not really about finding technologies to move the needle from the security perspective, but how you get the right information to the developers."

Developers need to be taught the right design patterns for secure coding so they can learn the proper ways to program and avoid costly mistakes. The earlier errors are fixed, the less they cost the company. The earliest possible time to catch and fix errors is before the code even leaves the developer's system, Lackey said.

3: Adopt agile and practice frequent testing

The report also found that companies still are not incorporating testing into development. Only 20% of firms engaged in DevOps surveyed in the 2016 report Application Security and DevOps did testing during development. A quarter relied on network security to make their apps secure, while 38% used the more traditional approach of checking the code before releasing it to production. Around 17% of companies did no testing. 

The earlier that software is tested, the sooner in the development process that companies can find software bugs and fix them, reducing costs. Adding security to agile development does not mean adding it to the end of the process. Instead, frequent testing is needed to catch coding errors as soon as possible, and in a way that does not hurt productivity.

Part of the problem is that security tools are not designed for DevOps, said Signal Sciences' Lackey. 

"Security tooling was really built for the previous era of waterfall development, when you found a bunch of bugs and then kicked those bugs over the wall and expected the developers to fix them all."

In the end, companies that focus on gaining visibility into and maintaining their open-source components, educating developers on the best programming patterns to create secure code, and testing for vulnerabilities as often as is practical will have faster development and fewer costs from fixing coding errors.

Keep learning

Read more articles about: SecurityApplication Security