The sorry state of software security: Secure development is key

Developers are getting better at creating more secure software, but about the same proportion of programs are vulnerable as a decade ago, according to CA Veracode's most recent security report.

Meanwhile, the risks have only increased. The impact of a security breach has dramatically increased because applications are the custodians of more critical data and functions than ever before.

Recent events highlight this. An unpatched vulnerability in the Apache Struts framework led to the theft of sensitive credit information on more than 143 million Americans. Software exploits stolen from the National Security Agency allowed ransomware attacks to spread widely earlier this year. This shut down some extremely large businesses, including the shipping giant Maersk, pharmaceutical maker Merck, and car manufacturer Renault-Nissan.

As these attacks demonstrate, the status quo is not good enough.

A failure to make security a priority has resulted in widespread vulnerabilities, because vigilance and focus are essential to prevent software flaws before they evolve into a breach. But even the most vigilant companies can't prevent every bug, so you need to constantly test, fix, and learn about a plethora of security issues

To reverse these trends, organizations must integrate security into development. Here are four lessons to take away from the security report.

The State of Security Operations

1. Don't blame developers

Many security professionals blame developers. That's wrong.

Given today's business priorities, developers are doing their jobs: creating software as fast as possible. Bugs appear in the code not because developers are lazy or don't care about code quality, but because businesses prioritize the quick delivery of working code over the delivery of more secure code at a slower pace.

That's why security mandates that interfere with the pace of deliver are met with pushback from the development teams: they reduce the teams' effectiveness at delivering code quickly, as the organization has demanded.

For companies to better secure software, however, they need to take two parallel paths: Empower developers to write less buggy code, and incorporate testing and feedback into the software development lifecycle (SDLC).

2. Evaluate and patch components from libraries

Almost every company uses open-source or third-party components to build their software. The problem is that most companies do not regularly evaluate and patch those components during development.

Of the Java applications evaluated for the report between April 2016 and March 2017, 88% had at least one flaw in a component. Following the disclosure of a critical vulnerability in Apache Struts 2, for example, we found that more than two-thirds of Java applications using the library had an older version that was vulnerable to attacks.

Managing open-source components can have a significant payoff. One respondent reduced the number of applications with high-severity vulnerabilities by 13% by focusing on identifying and managing its open-source components.

3. Agile programming can help

DevOps appears to help companies close vulnerabilities more quickly. Organizations invested in DevOps—and that frequently tested code with sandbox scanning—fixed vulnerabilities 50% faster than those scanning at the end of the development cycle.

This is further proof of the importance of DevSecOps. If security isn't baked into the software development lifecycle from the start, the development and security teams won't be aligned, and vulnerabilities are more likely to slip through the cracks.

Compare that to the average company. In surveys we conducted during the year, 36% of organizations did not use static testing to check code—or did not know whether they did. Similarly, almost half did not use dynamic testing. Overall, 83% of organizations had released code before testing for or resolving security issues.

A regular testing program helps companies chip away at their flaws. In addition, testing often has the benefit of keeping developers focused on fixing flaws, and acts as a teaching tool: A developer who fixes a coding problem soon after making the error will be less likely to make the same error in the future.

4. Prioritize critical vulnerabilities

For some companies, bug-fixing efforts focus on closing the easiest-to-patch security holes first, mostly for the sake of convenience. However, that approach is changing. In CA Veracode's latest State of Software Security report, we found that companies fixed high-severity vulnerabilities at about twice the rate of low-severity ones, 37% to 19%.

That's a positive change. While the percent of applications that have a flaw of any severity remains constant at just under 77%, the number of applications with high-or very-high-severity vulnerabilities decreased by 26% between the first scan and the latest scan.

However, very-low-severity vulnerabilities still had the highest close rate, likely because they are simple to fix. Very-high-vulnerability flaws are, in many cases, architectural issues that require more effort to fix, especially if left for the end of the development cycle.

The never-ending battle for security

Over a 12-month period starting in April 2016, CA Veracode conducted 400,000 scans of our clients' software, and found 12.8 million flaws. Our annual State of Software Security report summarizes the findings.

Overall, even organizations that use software to scan their code—arguably the more security-conscious developers out there—find at least one vulnerability on the initial scan. About one in eight find a high- or very-high-severity vulnerability.

The general software vulnerability picture remains grim. In 2016, companies closed only 58% of vulnerabilities in the same calendar year in which they were found. And the percentage of companies that successfully passed checks for weaknesses on the OWASP Top 10 list declined to 35% for internally developed software, down from 39% in last year's report.

Third-party code, which typically has more vulnerabilities, also performed worse year over year: only 23% passed the OWASP Top 10 check, down from 25% the previous year.

Overall, the data shows that companies that are proactive about security are taking the right steps. Yet the fight against software flaws never ends, and organizations need to empower developers to write secure code as early in the SDLC as possible.

The State of Security Operations
Topics: Security