
Veracode: Parting the clouds for a clearer view of software security

November 30, 2023

Category: Veracode’s Latest Developments

The rapid growth and proliferation of cloud usage and adoption is undeniable. According to the 2023 Flexera report, 83% of companies are “intermediate to heavy” users of cloud platforms, while 93% report implementing a multi-cloud strategy. The increased demand for cloud solutions means developers often work to fulfill requests with quick turnaround times, encouraging them to leverage Large Language Models (LLMs) and open-source repositories, rather than developing code from scratch. While this can be effective, Veracode’s Chief Product Officer Brian Roche warns that this could increase the risk of utilizing insecure code and magnify security risks. 

The Modern Application Development Security report revealed that 54% of organizations employ vulnerable code as a timesaving measure, with the idea of later rectifying the errors. The side effect is the accumulation of security debt and, of course, risk. Roche also acknowledges that the current landscape of available security tools places an additional burden on developers; rather than enabling secure code development, the complexity of secure tools further adds to the pressure and time constraints, inadvertently affecting the overall quality of code. 

Veracode has worked to, figuratively, part the clouds (excuse the pun) through significant upgrades to two of its product offerings, DAST Essentials and the Veracode GitHub App, which it announced on day one of the AWS re:Invent 2023 conference. The expected result is that developers gain a more collaborative, intuitive feel for cloud security and weave security practices into the software development lifecycle (SDLC).

Targeting open source security software

In an attempt to meet project deadlines, developers often turn to open source software (OSS), which is generally considered to be more secure than its commercial counterpart. Like a Google Doc published into the ether, OSS can be viewed and modified by anyone, with the understanding (and hope) that each modification strengthens the security and interoperability of the original code, while also correcting errors and vulnerabilities. Ideally, OSS should be a safer option because developers are crowd-sourcing community expertise to improve code frequently. At the same time, updates to proprietary software are generally slower, and access to updated versions incurs additional costs.

The other side of this coin, however, is the risk posed by bad-faith coders. The banishment of the University of Minnesota from contributing to the Linux kernel OSS is arguably one of the most controversial examples of this. The Linux kernel is considered one of the safer open-source codebases, largely due to its funding and size, and its influence cannot be overstated. Linux is the only operating system used by the Top 500 Supercomputers, and the quality and proliferation of the open source software is the primary factor driving this mass adoption. University of Minnesota cybersecurity Assistant Professor Kangjie Lu utilized the Linux community as part of his research; he wanted to see how many bad lines of code could be “snuck in” under the guise of securing the codebase (hypocrite commits). It was only once he published his paper on “stealthily introducing vulnerabilities in open-source software via hypocrite commits” that the community was made aware of the trojan tactic. This resulted in a ban on all students from the university contributing to the codebase community.

This exposes the developer’s dilemma: OSS has readily available, frequently updated, crowd-sourced code that reduces development time, but comes with the significant risk of insecure code. Rectifying this at a later stage can be a clumsy and complicated process. Katie Norton, senior research analyst (DevOps and DevSecOps) at the International Data Corporation, understands this only too well. “Balancing speed of development with robust security is a daunting task, hindered by the time-consuming nature of regular dynamic scans and the disconnect between development and security teams,” she said. She highlights that Veracode’s DAST Essentials plays an integral role in smoothing out the kinks of collaboration by introducing a unified platform that allows for secure development, code remediation, and data protection. Veracode has created an elegant solution that monitors and mitigates risk, while also streamlining developer workflows across the open-source landscape, without compromising speed and security. 

DAST Essentials for Cloud Defense

With the increased use of cloud software for operating applications, cybersecurity attacks have surged exponentially. The cost of data breaches in businesses in 2022 averaged $4.35 million, with only one in ten U.S. businesses covered by insurance for cyber attacks. Web applications reportedly account for 60% of breaches, and attacks on APIs saw a 137% increase in 2022. Cloud defense is a clear priority for businesses.

Veracode has taken the developer’s dilemma head-on: the upgrades to its dynamic application security testing product, DAST Essentials, have created a unified platform for testing, development, risk assessment, and risk management. The reduction in friction and consideration of developer workflows is evident, with DAST Essentials blending seamlessly into the SDLC. As an agile solution, DAST Essentials enables collaboration between development, security, and operations teams (DevSecOps), allowing risk to be addressed at speed and scale.

With a customer-reported false-positive rate below 5%, DAST Essentials has a proven track record of being the security tool of choice for DevOps and DevSecOps teams. The Veracode State of Software Security report revealed that 80% of web applications contain critical vulnerabilities that are only found through dynamic scanning, traditionally a time-consuming and complex task. This is where DAST proves invaluable, providing rigorous application security through continuous scanning and allowing organizations to remediate vulnerabilities quickly and precisely. Cloud-native supply chain industry leader Manhattan Associates utilizes DAST Essentials for its cloud security solutions. Executive Vice President (Research & Development and Cloud Operations) Rob Thomas found that Veracode’s cloud-native technology enables continuous scanning of their software, delivering real-time results. This allows the team at Manhattan Associates to solve issues and mitigate risk quickly and efficiently.

Veracode GitHub App

Developer acceptance of security tools is a key factor in driving adoption within any organization, and the disruption of developer workflows is the primary obstacle to this. In order to test, scan, and remediate code, developers are often required to operate outside of their workflows, and the risk mitigation efforts sit outside the SDLC. This is particularly frustrating as each iteration of software requires security to be tested, diagnosed, and resolved. The Veracode GitHub App has been instrumental in championing seamless integration of security for developer adoption by removing obstacles and complexities. 

The recurring theme is reducing friction, and the Veracode GitHub App integration allows developers to remediate code in their preferred development environment. From software composition analysis (SCA) to container security scanning, this tool has resulted in a smoother, faster, more secure development process—once again demonstrating the power of cloud-native intelligent software. Brian Roche emphasizes that the security of cloud-native applications is a key concern for businesses. “Developers are assembling code just as much as they’re writing it, meaning even the most meticulously built applications are susceptible to threat.” He describes the cloud coding environment as a software supply chain that requires protection, and believes that improving security will require significant shifts to meet the evolving needs of developers, security, and IT operations teams. 

What’s next for cloud software security?

Veracode is leading the pack, having already tackled the most pressing issue for organizations, developers, security and operations teams: the ability to break down silos and collaborate effectively and easily. Cloud adoption is increasing year-on-year, and experts agree that a cloud-native future is imminent. Naturally, this means that cyber attacks in the cloud can also be expected to increase, and the data has already shown this to be the case. With the increased demand comes the pressure to deliver on project deadlines more quickly, all while the threat of data breaches, attacks, and malware dangles overhead. In short, developers can no longer ignore the overlap between their work and security. The goal for cloud security providers is to facilitate that overlap, painlessly and intuitively.

All through 2024, we can expect to see the buzzwords “integration” and “collaboration” in reference to harmonizing DevSecOps. The reality is that developers will continue utilizing open source software and repositories; it’s clearly the ergonomic solution, optimizing time and saving money. The role of cloud-native security software is to meet developers where they are and make security an easy-to-integrate task within the SDLC. This is what we can expect to see more of in the next few years. Automation and AI will be another major trend to look out for in cloud security. Currently, the toolchain is dominated by manual, time-consuming security protocols; tools that automate testing, scanning, and detection will achieve a much higher developer acceptance and adoption rate.