One of the most important realities for enterprises to accept is that software security can only happen if developers have both the tools and the training to code securely. Here, we speak to Chris Wysopal, Chief Technology Officer and co-founder at Veracode, about trends in software security and what organizations can do to make developers better at secure coding.
Security magazine: What is your title and background?
Wysopal: I’m Chief Technology Officer and co-founder at Veracode. I oversee technology strategy and information security. Prior to founding Veracode in 2006, I was vice president of research and development at a security consultancy company called @stake, which was acquired by Symantec. I was also one of the original vulnerability researchers at The L0pht, a hacker think tank that helped bring wider awareness of the risks of insecure software.
Security magazine: What are some trends in software security that point to progress, and what are some signs that a lot of improvements still need to be made?
Wysopal: There are several ways to look at it. There are reasons to be optimistic while also pointing out that there remains a lot of work ahead for companies to secure their software in a more holistic way. Veracode recently issued its State of Software Security Vol. 11 report, which is the application security industry’s largest review of AppSec trends and benchmarks. We analyzed scan data from 130,000 applications which revealed some really interesting trends. First, addressing issues with modern DevSecOps practices results in fixing more flaws. One example of an effective DevSecOps practice is using more than one kind of security scan, such as both static analysis and dynamic analysis, to test applications for flaws.
At the same time, 76% of applications have at least one security flaw, and fixing those flaws can take months. However, only 24% of applications have high severity flaws, which is a good sign that most applications do not have critical issues that pose serious risks to the application. We also know that companies that scan more frequently and that use automation can fix flaws much faster. So, while the volume of flaws is still high overall, organizations are implementing practices to find and fix flaws faster.
Security magazine: Developers have more responsibility for owning and fixing flaws in code. What are some of the factors they can control to improve the security of their applications?
Wysopal: I am seeing a shift, especially in organizations with more mature AppSec programs, toward development teams taking greater ownership of the tools they’re using to secure their software, and fixing the issues they find. This is something that’s been a long time coming, though most organizations still have the security team overseeing the process of fixing defects in software. In many cases, it’s the security and development teams working together to resolve issues.
There are several things that are within development teams’ control that can help them fix flaws faster and reduce security debt over time. Security debt refers to defects that have been identified but not yet remediated, and just like financial debt, it accumulates over time and becomes problematic for organizations because it increases risk of being exploited. No application is perfect, and the process of writing code is always imperfect. What we’ve found is that developers can take steps to create more secure software, even if the applications they are working with are large and contain a lot of security debt. Even when applications are saddled with a lot of security issues, development teams that use secure coding practices such as frequently scanning for flaws, integrating and automating security checks, and taking a broader look at the application’s health are more likely to have success with secure software development efforts.
Security magazine: It can take organizations months to fix security defects. What are some of the causes behind that delay?
Wysopal: The goal of software security isn’t to write applications perfectly the first time, but to remediate the flaws in a comprehensive and timely manner. Our research also found that 30% of applications have more flaws in their open source libraries than in the code written in-house. The key lesson is that software security comes from getting the whole picture, which includes identifying and tracking the third-party code used in applications. Using multiple scan types helps development teams get a more complete picture as well, and has the added benefit of helping teams fix flaws more quickly. Those using SAST and DAST together fix half of flaws 24 days faster. In addition, those who automate security testing in the software development life cycle (SDLC) address half of their flaws 17.5 days faster than those that scan in a less automated fashion. Of course, all of this requires cultural buy-in at an organization and the mindset to continue to shift security left. To be fair, some of the delays are purposeful, in that teams are prioritizing which issues to fix, and there can be an acceptable level of risk for some flaws to remain open for a period of time while other issues are addressed.
Security magazine: Some industries are better than others with software security. Who are the leaders and who lags behind?
Wysopal: There is a lot of variety across industries with respect to how many flaws they’re dealing with and how successful they are at fixing them. For instance, technology firms have flaws in 78% of their apps and the largest quantity of high severity flaws compared to other industries, but they are fixing flaws at a better rate than healthcare, government, and manufacturing. The financial services industry has the best flaw fix rate across six industries and leads a majority of industries in uncovering flaws within open source components. Fixing open source flaws is critical because the attack surface of applications is much larger than developers expect when open source libraries are included indirectly. Government and education organizations have the most applications with flaws, and the second-longest median time for fixing flaws. These sectors are catching up to the progress we see in other industries. Lastly, healthcare ranks somewhat low in how many flaws it fixes but is the second fastest industry to fix flaws. The healthcare industry deals with a large amount of sensitive information and is highly regulated. It’s good news that the data suggests that healthcare organizations are moving quickly to address security flaws in order to keep their security debt from getting out of hand.
Security magazine: What can organizations do to make developers better at secure coding?
Wysopal: Taking steps toward integrating security throughout the software development lifecycle via automating scans and scanning for flaws, including open source flaws, with multiple types of scans is critical for DevSecOps. Developers can also continue along their software development journey to make applications better and more secure with a higher cadence of scans. Frequent security scanning of their code can help development teams fix half their flaws more than three weeks faster than those who don’t scan frequently.
But it’s not just that – developers are increasingly being tasked with taking on more responsibility for securing their applications but aren’t provided training on secure code. Developers learn best from hands-on training with real-world applications that developers can hack and patch, and apply those practical skills to their own applications as they write them. Providing access to training is a key component to taking a broader look at the application’s health. This makes it more likely that organizations will have success with their secure software development efforts.
One of the most important realities for companies to accept is that software security can only happen if developers have both the tools and the training to code securely.