Building a Security-First Culture

Application Security Is Like Wearing a Mask

Wearing a face mask to prevent coronavirus is becoming the norm in my city. It was hit heavily by the COVID crisis, and now we have reached an unspoken consensus: wear masks wherever you go.

This is quite different from where we were just a few months ago. Face masks had a bad reputation, and the local health department had a hard time getting people to wear them. What was stopping people from wearing masks? It turns out, people hated masks because they make breathing difficult, make glasses foggy, and can look quite awkward. But the pros of masks outweigh the cons, and by wearing face masks, we protect ourselves and our communities from the virus.

Part Two: Secure Coding Urban Myths

In part one of this two-part series, we dug into a few urban myths about the security of open source code and trusting your favorite developer tools. While the myths are common, the reality is clear: taking ownership over your code with the right tools and methodologies means you’re creating applications that carry far less risk than ever before. Keep reading for three more common urban myths about secure coding—and how to go about changing them.

Myth 4: Using More Testing Types Will Just Lead To More Findings and Slow Everything Down, Causing Unnecessary Headaches

Reality: While it might seem like it’s adding extra work on the surface, having more than one testing type embedded into your development process saves time as you’re able to catch more flaws before the production stage. That means you won’t have to remediate a pile of vulnerabilities later on when it’s more of a hassle, and you'll have peace of mind knowing your code is more likely to pass policy checks. 

Shifting Left: A Penetration Tester’s Journey to the Code Analysis Camp

Most of you know me as an offensive security gal. The fact that I decided to join a SAST team frankly surprised me, as well. Now that I have officially started my job at ShiftLeft, I am taking this moment to reflect on how I got here and how I see the future of application security.

Confessions of a Newbie Web Developer

I started my career as a web developer. And I absolutely loved it! I loved building tools that solve someone else’s problems. And there is no feeling like seeing your vision materialize right in front of your eyes.

5 Reasons Why Security and User Experience Go Hand in Hand

With the mad rush for digital transformation and the need to keep customers content with very easy to use, responsive, and effective applications, it should come as no surprise that the world we live in has made us all dependent on the applications we use to conduct our daily lives, from banking to grocery shopping to how we keep in contact with our loved ones. However, this need for applications and digital services to continually keep pace with evolving user demands is coupled with the challenge of mitigating an unprecedented rise in malicious security threats.

The risk of security threats and cyber incidents is on the rise, with the 2020 State of SecOps and Automation Report finding that the majority of organizations report that increasing alert volumes are creating problems for IT security teams, and 93 percent are unable to address all alerts the same day.

Protecting Your React.js Source Code With Jscrambler

React.js is one of the most popular JavaScript libraries. The 2019 "State of JavaScript" survey puts React as the front-end framework of choice, with 72% of respondents stating that they have used it and would use it again.

With its elegant programming style, rich package ecosystem and good documentation, React has found its way into powering the applications of large enterprises. Specifically, the developer survey found that 18% of respondents who are using React work for companies with over 1000 employees.

Protecting Hybrid Mobile Apps With Ionic and Jscrambler

Ionic is an open source framework designed to build native-like mobile web applications which target the major mobile operating systems. Targeting different systems with the same codebase speeds up the development process while reducing the time to market and maintainability efforts.

Ionic is built upon Apache's Cordova and is framework-agnostic, meaning that it can be used with any front-end framework such as Angular, Vue, Preact, React or jQuery. 

The Migration Path To Microservices and Security Considerations

While the move to microservices-based architecture is relatively new, it is already mainstream. A majority of companies are choosing it as their default architecture for new development, and you are not cool if you are not using microservices.

With regard to migrating legacy apps and breaking them down into microservices, companies are showing more conservatism, and rightly so. While the move creates a lot of value, mainly around new features, time to market, and scalability, it also has its complexities and trade-offs.

Shifting Left Is Not Enough: Why Starting Left Is Your Key to Software Security Excellence

In a digitally-driven world, we are at an ever-increasing risk of data theft. With large organizations acting as the gatekeepers of our precious information, many are recognizing the need to implement stringent security standards.

Much of the initiative around shifting left, that is, introducing security much earlier in the development process, simply doesn't move the needle far enough. There is an implication there that we are still beginning the process the wrong way, ultimately backpedaling to achieve the outcome of more secure software. We must start left, enacting a cultural shift that positively engages development teams and arms them with the knowledge they currently lack. However, all training and tools are not equal. In this article, we explain the ways you can truly empower the development team, transforming them into your defensive front-line against costly cyberattacks.

5 Tips for DevSecOps Education and Training

Thinking of a master DevSecOps plan...

Whether it was the millions of users left vulnerable by Fortnite, or hackers gaining access to Dunkin’ customer accounts, 2019 has already seen some of the worst data breaches to date. To combat these types of attacks and vulnerabilities, organizations must be more cognizant of their security, and embrace a DevSecOps approach. And to do so, it is imperative that they provide the proper education and training for every facet of the organization.


But it is important to note when educating organizations about security that some practices and technologies should be encouraged, while others should be avoided. These teachings need to be tailored for different audiences as needed, and new ways of learning and fitting into a DevSecOps scope should be explored in great detail.

The Simple Path to Protecting and Controlling Your Application Data

Whether you’re a software development team lead at a prestigious financial institution assigned to redact personally identifiable information (PII) before releasing the next bankruptcy report, or you're part of a development shop that has just been contracted by a large healthcare organization to help update their systems to meet HIPAA requirements, chances are you’ve been asked to obfuscate sensitive data.

Protecting sensitive data is not an uncommon requirement when building applications. In a recent survey, 71% of companies indicated they utilized encryption for some of their data in transit; 53% utilized encryption for some of their data in storage.

The Future of AppSec

To understand the current and future state of application security, we obtained insights from five IT executives. We asked them, “What’s the future for application security from your point of view?” Here’s what they told us: 

  • In the IT ecosystem, we have software-defined networks, software-defined infrastructure, software-defined virtual machines, and even software-defined radios. The future is in software-defined security —letting applications secure themselves through an integrated and automated software-security layer.
  • CISO’s fear of the data breach. The biggest opportunity for improvement is with API breaches, where multimillion records are breached because of compromised access to your backend. How do we get better? 1) embrace automation and 2) shift in your architectural thought process and realize that we can’t depend on firewalls or agents on operating systems or a serverless app. It’s much better with identity management (2FA, MFA). Analyzer engines will be analyzing apps all the time. When vulnerabilities are found, they are codified into an actionable unit of work.
  • There is no silver bullet for application security in my opinion. The greatest opportunities lie in not looking for a single solution but focusing on visibility into what you’re doing and spreading your efforts to find vulnerabilities from various perspectives.
  • As connected devices continue to expand their footprint, we see opportunities to apply best practices in security to the Internet of Things.
  • It’s not an issue of technology; there’s plenty of great technology, and it’s not being used. We can do 8,000 enterprises if enterprises reach out to us. Business is doing what adds to their bottom line. Only visionary business leaders make security as important as quality. Loss of reputation, penalties for not protecting data will increase. Vendors have the capability to meet the needs of the enterprise, but the enterprise must want to secure their apps.

Here’s who shared their insights:

Code Signing Credentials Are Machine Identities and Need to Be Protected

The world is experiencing a digital transformation that is eclipsing all previous technological advancements. As more IT workloads move to the cloud, and as more IT services are containerized, they all need to be authenticated using cryptographic keys and digital certificates, or machine identities. Given the pace and scale of this new world of machines, protecting those machine identities is becoming increasingly critical to security. Although these changes affect every business, many organizations use outdated methods to protect the exponentially rising number of machine identities they now require. Those approaches simply can’t keep up.

How does this impact the security of code? There are many types of machine identities — TLS, SSH, mobile and more — that are used on many types of machines. When you look at it in this light, code is the ultimate "machine" that requires an authorized identity so that we can trust it. That is precisely why machine identities are so critical to the code signing process.

AppSec Concerns

To understand the current and future state of application security, we obtained insights from five IT executives. We asked them, “Do you have any concerns regarding the current state of application security?” Here’s what they told us: 

  • Terminology is a concern, where different tools simply claim to be things that they are not and lead to a false sense of integration. For example, WAF vendors are a network tier: security in the front, application in the back. While they may claim visibility into the runtime, they do not actually achieve this and therefore cannot achieve accuracy.
  • Culture. Security has grown up with pen testing and modern tools, the software has grown with cloud and scale. We need to automate security. We need security to embrace automation.
  • 1) Internal threats (nothing new), 2) Machine Identity (due to Internet of Things/containers), 3) Security Vulnerability Administration and Patching strategy (due to more software and microservices, so more runtimes), 4) The risk of a hacker jumping from a low-risk component to a higher-risk component (due to microservices and containers, with bulkhead pattern being an example to safeguard against that).
  • We commonly see application security is only applied to a certain portion of a network, but a truly secure approach applies end-to-end. Our solution secures an application throughout a packet’s journey from source to destination.
  • AppSec is not getting better. Vulnerabilities are not being fixed fast enough. Every code fix has to go back and be tested for vulnerabilities, quality, and performance. Then, the entire application level needs to be tested. It takes a lot of time. There is a lack of understanding of how much testing is necessary, when to use tools instead of services, and how necessary vulnerability remediation is. DevOps is the right approach to develop applications, but today, it results in paying less attention to security. Adopt a security-first mindset.

Here’s who shared their insights:

Most Effective AppSec Tools and Techniques

To understand the current and future state of application security, we obtained insights from five IT executives. We asked them, “What are the most effective application security techniques and tools?” Here’s what they told us:

  • Runtime Application Self Protection (RASP) is effective because it actually protects vulnerabilities through automatic remediation without code changes. This leverages insights into applications, applying the right protection where and when it matters.
  • Analyzer engine/scanner tools are continuous watchdogs for production APIs and production applications. We need to always be analyzing. Netflix does 300 production changes per day. They need to constantly look in production. Get away from dependence on operating system agents, proxies, and firewalls. They are non-scalable and are not effective. Automate at scale and look for anomalies. Humans for risk management and policy enforcement (HIPAA, SOX, etc.).
  • There is no single set of effective techniques and tools. As with any field, it is imperative to avoid putting all your eggs into one “technique or tool” basket. You’ll just create a false sense of security. A good security strategy involves looking for vulnerabilities from multiple different angles and handling the risk. Remember the majority of security breaches are done by employees or recent ex-employees, not hackers (source: 2018 IT Risks report). That means effective modeling of your release process and setting up a bulletproof role-based access control scheme is very important for controlling these internal threats.
  • Many of the techniques mandated by PCI are the foundations of a good security posture — regular vulnerability scans, penetration testing, risk assessments, and ethical hacking go a long way. During these processes, open-source tools like Nmap, Wireshark, P0f and Argus can help.
  • Technologies that analyze apps throughout the lifecycle from the beginning to end.
    Three technologies: 1) SAST (static application analysis) analyzes applications for the existence of vulnerabilities, 2) DAST (dynamic application security testing) analyses application behavior at runtime, and 3) SCA (static code analysis) detects open source components with vulnerabilities. Fewer than 50% of enterprises adopt these technologies. They keep buying firewalls. Those that have invested are not testing the entire portfolio of applications, just one or two, so most vulnerabilities are not fixed. I have not seen any company investing enough to test all of its applications. They keep doing what they’ve been doing for years — buying firewalls. The government is doing nothing to stop the attacks. 140 million records of Americans are available to hackers stealing money and performing malicious actions. This is a direct result of our negligence and our stupidity of not protecting applications.

Here’s who shared their insights:

How AppSec Has Changed

To understand the current and future state of application security, we obtained insights from five IT executives. We asked them, “How has application security changed?” Here’s what they told us:

  • Application security is no longer based on strobe-light scanning processes that tell you how secure you were last Wednesday. Modern security is continuous and can act to protect vulnerabilities rather than just making inaccurate lists.
  • Operations and network security have fallen short. Companies are losing millions of records on a regular basis. We used to have a perimeter defense; however, now, the apps are on the public cloud and available on an app store. Because of mobile and cloud, the perimeter is now applications and identity. You have to make sure you have good identity and AppSec controls to protect your data. We’ve moved from static code analysis to new techniques and tools. Old tools do a terrible job of providing tangible vulnerabilities to fix.
  • Application security has been evolving as the amount of data being managed has increased exponentially. In order to respond to the increased threat, we are developing innovative ways of finding vulnerabilities faster and handling the logistics involved in ensuring all of these vulnerabilities are removed in order to protect the world’s ever-growing production environments. There have been even more changes beyond what the public-facing interfaces of services offer. Due to the exponential growth of the number of devices on the Internet (Internet of Things, containers, etc.), safe, walled network gardens (DMZs) are on the brink of becoming obsolete. Managing machine identities and controlling which machine can access which service (both of which are very similar to role-based access control for humans), is becoming a concern that enterprises are starting to have to manage.
  • Security has gone from being an afterthought to central to the success of any application. As digital transformation accelerates, organizations are increasingly relying on applications and networks for the daily operation of critical systems. In the past, an organization could get away with insecure and outdated applications, but in today’s environment, application security is critical to business success.
  • We are not winning the war. One of the most severe vulnerabilities is SQL injections. In 2018, 40% of all apps were vulnerable to a SQL injection. That’s the same percentage we saw in 2017, 2016, 2010, and 2005. Remediation time has increased by either six or 10%. It now takes an average of 139 days to remediate the most severe vulnerabilities and 210 days to remediate moderate vulnerabilities. We are creating microservices that are less secure because they’re delivered faster. Every year, companies spend $12 billion on firewalls and web security gateways, knowing we are not protecting assets any better. We invest a tiny percentage of the IT budget on AppSec, but we’re not really protecting assets.

Here’s who shared their insights:

AppSec Key Elements

To understand the current and future state of application security, we obtained insights from five IT executives. We asked them, “What are the most important elements of application security?” Here’s what they told us:

  • Visibility is crucial; if you can’t see what’s going on, you don’t know where to act. This is why our perspective inside the application is so crucial.
  • Have empathy for the developer. 80% of our companies are developers. Remember what developers have to do — make something that’s relevant, useful, popular, with features, scalable, performant, and secure. Start by understanding that developers have a lot on their plate, and think about how to make their lives as easy as possible. Take the AppSec concern. Ensure that it's consumable and actionable by a developer. If you can form the issue as a bug with direction on how to fix the bug, if you create a form like a JIRA ticket, then you’ve gone as far as a security leader to find issues and make it actionable to fix quickly.
  • Application Security improves as you look at your application deliverable from various perspectives. It’s important to shift left so you get feedback on security vulnerabilities as a developer is coding and including dependencies in their project — this can be done through IDE plugins (like Nexus Lifecycle).

    At the same time, shifting left doesn’t remove the need for centralized static application security testing (SAST) and dynamic application security testing (DAST), since these techniques can bring different violations to light. Monitoring for attacks in production is a very useful technique as well, as on average, companies take about 197 days to identify and 69 days to contain a breach according to IBM, which clearly shows us that there’s significant room for improvement. New, innovative security solutions even allow you to install agents into the runtime of applications running in production, which monitor critical segments in code and put them in a walled garden, so that even if a malicious user manages to trigger an exploit, they’ll be cut off instantly. The most important element is to not ignore application security completely and to use a multi-perspectival approach since each perspective yields subtly different insights.
  • We have found a holistic security mindset is crucial in every aspect of an application’s development and operation. Continually testing, scanning, and verifying applications is the best way to ensure their secure operation.

    There are two tasks: secure the application lifecycle and secure the application operation. The first part is injecting application security in all phases of the lifecycle. We need to test applications at programming and build phases when collecting elements, at deploy, throughout production, and through the decommissioning of the application. It’s all about detecting vulnerabilities. Once it’s up and running, it's less protected. RASP is a technology I defined in 2012. It’s being adopted very slowly, as it requires instrumentation in a runtime environment.

Here’s who shared their insights:

Application Security Today

To understand the current and future state of application security, we obtained insights from five IT executives. We asked them, “How is your company securing applications?” Here’s what they told us:

  • We protect applications from the inside, adding sensors that understand the context of what the application is actually doing. This level of visibility beats external controls (e.g., understanding that NoSQL databases are not vulnerable to SQL Injection).
  • We have empathy for the developer since 80% of our clients are developers. We know developers are being asked to make something that’s relevant, useful, popular, scalable, performant, and secure. We begin by understanding that developers have a lot on their plates, and we think about how to make their lives as easy as possible. We make the AppSec concern consumable and actionable by the developer.
  • We can answer this question from two perspectives: how we help users of our Application Release Orchestration platform deliver secure software (including reporting in order to provide a paper trail of the various techniques used to secure the produced applications) and how we help ISVs that are building software that needs to be secure.

    Our platform provides clients with a way to create enterprise pipeline templates to document and execute all steps from code commit to production. These templates can serve as a yellow brick road to production that includes all manual and automated steps, amongst which security scanning is done as part of the process. The “shift left” practice in DevSecOps is helping organizations improve quality and security by moving to test earlier in the release process, and our DevOps Platform makes this process auditable and explicit. We do this by integrating other vendors, such as SonarQube, Black Duck, Checkmarx and Fortify, into pipelines, which can prevent the release from going forward as security violations are identified, even with the new discovery of zero-day vulnerabilities during the release process.

    Additionally, our security and compliance dashboard templates enable release managers and DevOps engineers to track security issues in applications that need to meet IT compliance requirements. We help them identify applications that are failing to meet security standards. The dashboard gives the team a complete overview of test results from the static application security testing (SAST), dynamic application security testing (DAST), and open source security management (OSSM) tools in their release pipelines.
  • We segment applications from each other and give them their own authenticated and encrypted network. Using a full PKI implementation, secure tunnels, dedicated data centers, and direct dedicated connections to cloud application providers we secure applications on a network end-to-end.
  • DevSecOps is the way to secure the application across the entire lifecycle — securing left, programming, building, and production is application security throughout the lifecycle. Development is getting faster, and application security needs to be able to support development.

Here’s who shared their insights: