Wednesday, November 29, 2017

A solid base

Anyone interested in architecture will know that for a structure to work, good foundations are essential. Studied for centuries, the construction of Venice is an unusual case that shows that with a solid foundation you can build a city on the sea itself. The secret of the longevity of Venice's wooden foundations lies in the fact that they are submerged under water, out of reach of the microorganisms that cause wood to decay. In addition, the constant flow of salt water around and through the wood petrifies it over time, turning it into a hardened structure similar to stone.

As in architecture, companies also need a solid foundation on which to build their security strategy. And some of those responsible for laying that foundation are the developers. There are several measures developers can take to accelerate the adoption of good security practices in their organizations, or so reveals a recent analysis conducted by the security vendor Veracode. The study includes data from the scanning of 400,000 applications written in Java, .NET, Android, iOS, PHP and several other programming languages and operating systems, from organizations of all sizes.

One of the measures revealed through this article is that developers can change their stance when writing code: a slightly more offensive, less passive mindset would be a new starting point in the fight against cyber attacks. The use of components also deserves attention here: open-source or third-party components increase the risk of suffering an attack, or of being unable to cope with one.

In the security sector there is an elite of experts who keep up with the latest news in the field, new attacks and new types of malware, and who are therefore able to provide valuable information to companies. Developers owe it to their company to use these security experts as consultants instead of seeing them as adversaries or competitors.

The study conducted by Veracode also showed that many organizations are making progress in integrating security into the software development life cycle. As an example, more and more applications are being scanned for security vulnerabilities monthly or more frequently than ever before, suggesting greater adoption of DevSecOps practices. The ultimate objective of this kind of practice is better communication between the operations team and the development team, to achieve better results. Encouraging collaboration, not only between departments but between different companies and security experts, promotes a much more cohesive sector, capable of facing the attacks received daily.

Comparing the results, 18% more of the applications in the Veracode study were scanned monthly, while the number of applications scanned weekly increased by almost 50%. The study shows that organizations are scanning more applications written in Java and .NET in particular. This increase in scanning activity leads, logically, to better defect fix rates in these organizations.

It is significant that the study finds that applications written in popular web scripting languages such as JavaScript and PHP are not scanned as frequently, and the result is a higher prevalence of important defect categories such as SQL injection (SQLi), cross-site scripting, cryptographic errors and credentials. About 47% of the applications written in PHP, for example, had a SQLi defect, and 43% had a cross-site scripting defect, while a relatively low 31% of the applications.
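To make the SQLi category concrete, here is an added example (not code from the post or from the Veracode study) of what such a defect looks like in PHP and how the fix looks beside it. The table, the two rows, the `findUserVulnerable`/`findUserSafe` function names and the inputs are all constructed for the illustration; the database is an in-memory SQLite instance accessed through PDO so the script runs stand-alone.

```php
<?php
// Added example, not from the post or the Veracode study: a SQL-injection
// defect of the kind found in PHP applications, beside its fix.
// An in-memory SQLite database through PDO keeps it self-contained.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)');
// Constructed sample rows.
$db->exec("INSERT INTO users (username, email) VALUES
           ('alice', 'alice@example.test'), ('bob', 'bob@example.test')");

// Vulnerable (hypothetical name): the request value is concatenated into the
// SQL text, so the database parses it as part of the query, not as data.
function findUserVulnerable(PDO $db, string $username): array {
    $sql = "SELECT username, email FROM users WHERE username = '" . $username . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed (hypothetical name): a prepared statement with a bound parameter.
// The SQL text is fixed at prepare time; the value travels separately and can
// never alter the structure of the WHERE clause.
function findUserSafe(PDO $db, string $username): array {
    $stmt = $db->prepare('SELECT username, email FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: an ordinary username and a value containing a quote,
// which is enough to change the meaning of the concatenated query.
$ordinary = 'alice';
$quoted   = "x' OR '1'='1";

echo "vulnerable, ordinary input: ", count(findUserVulnerable($db, $ordinary)), " row(s)\n";
echo "vulnerable, quoted input:   ", count(findUserVulnerable($db, $quoted)),   " row(s)\n";
echo "safe, ordinary input:       ", count(findUserSafe($db, $ordinary)),       " row(s)\n";
echo "safe, quoted input:         ", count(findUserSafe($db, $quoted)),         " row(s)\n";
```

With the concatenated query, the quoted input rewrites the filter and returns every row in the table; with the prepared statement the same input is simply treated as a username that does not exist. This is exactly the kind of defect a static scan of PHP code flags, and why the post argues that scanning these applications as often as the Java and .NET ones matters.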

While these data indicate that the long-discussed trend towards DevOps and DevSecOps is finally happening, according to the study developers can still do more to accelerate application security practices. Incorporating these changes into developers' work starts with proper training.

Although the weight of this study falls on the developers, proper training is the way to strengthen the effectiveness of the company's security. Once again, laying good foundations of knowledge can be what prevents the collapse of the entire company.
