
Reemergence of Open Source Increases Security Vulnerabilities


Developers need to test all open source code that they add to their code and not fall into the trap of assuming it is free of vulnerabilities.


Thanks to Pete Chestna, Director of Developer Engagement, and Jessica Lavery, Senior Manager, Security Strategy, at CA Veracode for taking the time to speak to me at CA World 17.

Pete and Jess were excited that CA Veracode Greenlight was now available as a free trial to help developers accelerate velocity and quality. Developers can produce vulnerability-free code with instant feedback on security defects in their IDEs. This enables them to speed the SDLC without compromising security while fulfilling the promise of DevSecOps.

They were also excited about the development of Blue Lantern in the CA Accelerator, which secures containers by giving Veracode's APIs access to both what has been deployed and the code repositories it was built from.

Q: What's going on with API security given the importance of APIs?

A: Veracode dynamic analysis is securing APIs through the interfaces you put on top of it. We're performing dynamic analysis at the UI level and looking at things inside out with static analysis. Selenium is still driving UI testing. When we look at web applications, Selenium directs where we need to go.

Q: What's been the biggest change on the security front?

A: The reawakening and adoption of open source. Use of open source makes development faster and easier, but it also increases vulnerabilities. Development needs to take a more active role to ensure the open source code they are using is secure, and find the tools that work best for them to test this code while achieving their goals.

Q: What steps do developers need to take to ensure the code they are writing is secure?

A: Find tools you are comfortable with that are going to help you get the job done. Do security testing the same way you do functionality testing. Learn in the privacy of your own IDE. Open source is now 85-95% of code used in development. Do not integrate open source code into your code until you test it. Know what bill of materials makes up your code. Run a static analysis to get the current state of software security -- 54% still have a vulnerability from Struts. Think about your biggest unknown risk. Respond rapidly to vulnerabilities – product security should have an instant response team, but the developer should be responsive as well. Security is everyone's responsibility.

Q: How does Veracode protect its clients from the ever-changing threat landscape?

A: Veracode reaches out to clients when we know they had version 2 of this software with this vulnerability. We help all clients with customers that have software composition analysis, which creates the bill of materials. We let them know about Heartbleed and Struts.

We ask four questions to determine the severity of the vulnerability and the need to reach out to clients:

  1. Is it remotely executable?

  2. How widespread is it?

  3. Can we detect it?

  4. Can we identify the level of criticality?

We then use our security research team to take action for ourselves and our customers. Every company needs security champions since no one has enough resources. Dev teams need to step up and become part of this team. PSIRT doesn’t work if you don’t.
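The bill-of-materials check and the four triage questions above, worked as an added example in Python (this is not Veracode's tooling; every component, version and advisory below is a constructed sample):

```python
"""Minimal software-composition check: match a bill of materials against
advisories, then rank the hits with the four triage questions from the interview.
All package names, versions and advisory data here are constructed samples."""

# Constructed bill of materials: (component, installed version)
BOM = [("web-framework", "2.3.1"), ("tls-lib", "1.0.2"), ("json-parser", "5.0.0")]

# Constructed advisories. Version bounds are inclusive-low, exclusive-high.
# The four flags map to: remotely executable, widespread, detectable, criticality known.
ADVISORIES = [
    {"id": "ADV-CONSTRUCTED-1", "component": "web-framework", "affected": ("2.0.0", "2.3.5"),
     "remote": True, "widespread": True, "detectable": True, "criticality": "critical"},
    {"id": "ADV-CONSTRUCTED-2", "component": "tls-lib", "affected": ("1.0.0", "1.0.2"),
     "remote": True, "widespread": True, "detectable": True, "criticality": "high"},
    {"id": "ADV-CONSTRUCTED-3", "component": "json-parser", "affected": ("4.0.0", "5.1.0"),
     "remote": False, "widespread": False, "detectable": True, "criticality": "low"},
]

def parse_version(v: str) -> tuple:
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def is_affected(installed: str, low: str, high: str) -> bool:
    """True when the installed version falls inside [low, high)."""
    return parse_version(low) <= parse_version(installed) < parse_version(high)

def triage_score(adv: dict) -> int:
    """Higher means reach out sooner: remote exploitability weighs most, then spread.
    Unknown criticality is treated as medium risk, and an undetectable flaw scores
    higher because exposure cannot be ruled out."""
    weights = {"critical": 4, "high": 3, "medium": 2, "low": 1}
    score = 4 if adv["remote"] else 0
    score += 2 if adv["widespread"] else 0
    score += weights.get(adv["criticality"], 2)
    if not adv["detectable"]:
        score += 1
    return score

def find_exposures(bom, advisories):
    """Return (advisory id, component, version, score) for every BOM entry in an
    affected range, highest score first."""
    hits = []
    for comp, ver in bom:
        for adv in advisories:
            if adv["component"] == comp and is_affected(ver, *adv["affected"]):
                hits.append((adv["id"], comp, ver, triage_score(adv)))
    return sorted(hits, key=lambda h: h[3], reverse=True)

if __name__ == "__main__":
    for hit in find_exposures(BOM, ADVISORIES):
        print(hit)
```

Note that tls-lib 1.0.2 is not reported because the advisory's upper bound is exclusive; getting that boundary right is the difference between a clean report and a missed exposure.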
