Interview: Maria Loughlin, SVP of Engineering, Veracode


With the state of software security apparently getting no better, with platforms and Wi-Fi among those affected, Maria Loughlin, SVP of engineering at Veracode, sat down with Infosecurity at the recent Infosecurity North America to talk about the importance of building software that is secure by design, and the state of application security in 2017.

Why is software still insecure, and is the state of software improving?

Software powers our world, and any company that wants to be effective has to have software: it runs our manufacturing plants, our hospitals, our cars and our lives and there are a lot of vulnerabilities present. Veracode does an annual State of Software Security Report to see if we are getting better or if we are getting worse or about the same, and what we found in the latest report was that 60% of software applications that we scan fail the OWASP Top 10 on the first scan. So we know that there is a lot of insecure software out there.

What is troubling is that some of the basics in cross-site scripting (XSS) are still there so we have a lot of work to do there.

Regarding third-party software, why does that need to be a concern for businesses?

Speed rules, and I’m a developer and manage a team that does that and top of my mind is to get that software out, so I pull in third-party components to enable me to build pieces and I compose as much from pre-assembled pieces as I can rather than build it from scratch. The problem is that there are vulnerabilities and security issues in that software, and statistically 97% of Java applications have a vulnerability that is known in some of the components that they pull in. So as someone creating software in this industry, or as someone purchasing software in this industry, one has to be careful to track what the other components are, and how secure they are.

In terms of the components, how can businesses go about finding and fixing them?

From the perspective of a software development shop, we track what the third-party components are and what we are embedding, and there are tools that do this: software composition analysis is rising in usage right now, and through the use of that tool we can understand when known vulnerabilities are identified, zero-day or existing vulnerabilities, and if we are using those vulnerable components and quickly patch our systems to get to a less vulnerable version, or even a non-vulnerable version of the software.

This happened just recently in [Apache] Struts and Struts 2 and Veracode was watching for the issue in some new zero-day and other vulnerabilities and we patched our systems within hours, but that is a great example of vulnerability that had a massive impact and there are others like Equifax who had not been as much on the ball and that is pretty important.
