Veracode has released its annual State of Software Security Report (SoSS) and it doesn’t pull its punches. Enterprise modernisation is built on greater use of software and a move towards APIs. Additionally, there has been a substantial increase in the use of open source software, driven by a new generation of developers. The Veracode report does not give comfort to any of them. Even where things are going the right way, there is still a need for organisations to step back and look at what they are doing.
According to Brian Fitzgerald, CMO, Veracode: “The prevalent use of open source components in software development is creating unmanaged, systemic risks across companies and industries. Today, a cybercriminal can focus on a single vulnerability in one component to exploit millions of applications. Software components are used by every industry and for software of all kinds, and given our dependence on applications, the ease at which millions of applications can be breached has the potential to create havoc in our digital infrastructure and economy.”
Open source in the Veracode cross hairs
Open source is attractive to both enterprises and developers. They can accelerate their software development and reduce their costs by not having to license the software. There is also the claim from open source advocates that security is higher. That claim is based on the potential number of people looking at the code. In some cases this works but in others it doesn’t. OpenSSL is a perfect example of how security errors are not just missed but become accepted as if they don’t exist. The other side of the coin is the move to professional open source, where a vendor undertakes to release an enterprise version of an open source project. The code still belongs to the open source community but the product is a few versions behind, has a roadmap and has been hardened with extra security checks.
Veracode highlights how a popular open source component with a critical vulnerability infected more than 80,000 other software components. These were then used by other developers to build their products, thus exponentially magnifying the problem. The vast majority of open source projects come with detailed manifests showing the components used. Few development teams track those components, which means that they are often unaware of the risk in the software they are using. This is a process issue that development teams need to address.
The impact of a single vulnerability is shown through the example of Apache Commons Collections and its deserialisation vulnerability. This led to five separate exploits against commonly used software. More importantly, the component was found in 25% of all Java applications. The report says that in some industries it was found in up to 67% of all Java applications. The Apache Foundation acted quickly to fix this vulnerability once it knew about it. What this highlights is the need for greater testing of components and increased visibility of components to speed up remediation.
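As an added illustration (not taken from the Veracode report or the original article), the sketch below walks a set of constructed component manifests to list every component that pulls in a flagged dependency, directly or transitively, which is the visibility gap described above. All component names and versions are invented.

```python
from collections import deque

# Constructed manifests: component -> direct dependencies.
# Every name and version here is invented for illustration.
MANIFESTS = {
    "billing-app@2.1.0": ["web-framework@5.0.2", "pdf-export@1.4.0"],
    "hr-portal@1.0.0": ["web-framework@5.0.2"],
    "inventory-app@3.3.1": ["json-tools@2.0.0"],
    "web-framework@5.0.2": ["object-cache@0.9.1", "json-tools@2.0.0"],
    "pdf-export@1.4.0": ["json-tools@2.0.0"],
    # Deliberate cycle (object-cache <-> web-framework) to show it is handled.
    "object-cache@0.9.1": ["example-collections@1.0.0", "web-framework@5.0.2"],
    "json-tools@2.0.0": [],
    "example-collections@1.0.0": [],
}
FLAGGED = "example-collections@1.0.0"  # placeholder for a component with a known flaw


def affected_by(manifests, flagged):
    """Map each component that includes `flagged` to its shortest dependency path."""
    dependants = {}  # inverted edges: dependency -> components that declare it
    for component, deps in manifests.items():
        for dep in deps:
            dependants.setdefault(dep, set()).add(component)
    paths = {flagged: [flagged]}
    queue = deque([flagged])
    while queue:  # breadth-first walk up the dependency graph
        current = queue.popleft()
        for parent in sorted(dependants.get(current, ())):
            if parent not in paths:  # visited check also breaks cycles
                paths[parent] = [parent] + paths[current]
                queue.append(parent)
    del paths[flagged]
    return paths


def hidden_exposure(paths):
    """Components whose own manifest never names the flagged dependency."""
    return sorted(c for c, path in paths.items() if len(path) > 2)


if __name__ == "__main__":
    for component, path in sorted(affected_by(MANIFESTS, FLAGGED).items()):
        print(" -> ".join(path))
    print("transitive only:", hidden_exposure(affected_by(MANIFESTS, FLAGGED)))
```

The components returned by `hidden_exposure` are the ones a team would miss if it only read its own top-level manifest.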
A need for greater testing of software
Veracode reports that 60% of applications fail security policies upon their first scan. This is good news in that failures are detected, but it suggests that organisations need to do more to educate and train their security teams. “Best practices like remediation coaching and eLearning can improve vulnerability fix rates,” according to the report. Remediation coaching showed a reduction in flaws of 63.5% when done properly. A similar level of reduction (55%) was also seen where developers had access to an eLearning subscription.
There is a move towards greater testing of software. Developers using Agile processes are adopting the need for testing as part of the accelerated delivery of software. Veracode discovered that: “Where DevOps is taking hold some applications were scanned against security policies as much as 776 times in 18 months.”
One of the problems with software testing is efficiency. Many organisations still test the entire application code base whenever any change is made. This is inefficient, requires a lot of resources and takes time. More focused testing is needed that looks at just those components that have changed.
It is not all bad news. Veracode has seen the emergence of best practices. It reports that the “top quartile of companies fix almost 70% more vulnerabilities than the average company.” It also notes that “Developers using sandbox technology to scan apps prior to assurance testing show 2x improvement in fix rates.” This shows there is a lot more that companies can do to learn from the best and improve how they develop their own software.
Software now runs companies. The use of greater automation delivers lower costs and improves the speed of business. The number of vulnerabilities is increasing at the same time as developers are encouraged to work faster. What this report highlights is not that open source or component-driven software is inherently bad but that companies need to use a different approach.
To ensure that security loopholes and bugs are fixed earlier, better training, testing and processes are needed. Fixing software problems early in the development cycle is many times cheaper than allowing a bug to get into production. It will be interesting to see if the lessons from the top quartile are more widely spread by the time of next year’s report.