Addressing New-Age Security Testing challenges with focused technology platforms
Ben Viollet
The days of developers creating every line of code from scratch are over. The intense demand for newer, better software means development cycles have become correspondingly intense. Moreover, the need for Continuous Testing/Development and Continuous Integration is growing as Application Development keeps getting more complex. Challenges pertaining to Security Testing and Database testing are increasing with the burgeoning Cybersecurity threats for all kinds of enterprises.
In turn, developers need to rely on the pre-built functionality in open source libraries to keep up with the development and testing challenges. However, the problem with this practice is that it also introduces a whole new layer of vulnerabilities into organizations’ code. More often than not, these vulnerabilities are more difficult to identify than those in first-party code. Whilst this has been a known issue for some time, organizations are only now seeking second generation solutions that address the business issue in a more comprehensive way. These solutions and expertise can be defined and offered with strategic partnerships in the industry.
CA Veracode, Cigniti’s strategic partner in the Security Testing domain, recently acquired SourceClear Technologies. With this acquisition, Veracode enhanced and expanded Cigniti’s joint software composition analysis offering – helping developers code with both speed and security. Cigniti’s Security TCoE consists of dedicated teams of security testing specialists with deep expertise spanning multiple domains/industries and cutting-edge technological resources/tools.
Following are some of the key requisites for testers and developers while dealing with security and related development and testing challenges.
Vulnerable methods – worry (less) about what you don’t have to worry (a lot) about
In many cases, when developers pull in an open source library, they are only using one small piece of it. Typically this may be only one method or function. If the library as a whole is tagged as vulnerable, you need to know whether your data is passing through the vulnerable part, or whether the method or function being used is not vulnerable and therefore safer to consume as part of your code base.
By using control flow analysis, the SourceClear scanner can tell if the function in an open source component containing a vulnerability is actually being called by your first-party code. This allows developers to better prioritize work, and dramatically decreases remediation work, in some cases by up to 90 percent. This is where Veracode allows business to continue – with great security insight.
Dependency mapping – do you really know the number of libraries you are calling?
When developers are building open source libraries, they often leverage and call other open source libraries. These libraries might well contain methods from a third library, so a compound threat effect can arise quickly. The end result is layers of open source libraries connected together, and it is common for vulnerabilities in open source libraries to be five or six levels removed from your first-party code. Pragmatically, and as part of better understanding what risks are in your code base, SourceClear has the ability to map these dependencies through all the open source code in use. In this way, you can identify vulnerabilities you would never otherwise know about. Importantly – you can then decide where to start in your journey to cleaner, more secure code.
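The two ideas above, vulnerable-method reachability and dependency mapping, combined in one added example (not SourceClear's code and not from the original post). It walks a constructed call graph with hypothetical package and function names from a first-party entry point, separates vulnerable functions that are actually called from those merely present in the dependency tree, and reports how many package hops away each reachable one is.

```python
from collections import deque

# Constructed call graph: "package:function" -> functions it calls.
# All package and function names are hypothetical.
CALLS = {
    "app:main": ["app:handle_upload", "weblib:render"],
    "app:handle_upload": ["imgkit:resize"],
    "imgkit:resize": ["codeclib:decode"],
    "codeclib:decode": ["ziputil:inflate"],
    "weblib:render": ["tmpl:escape"],
    "tmpl:escape": [],
    "tmpl:eval_expr": [],    # vulnerable, but nothing calls it
    "ziputil:inflate": [],   # vulnerable and reachable
}
VULNERABLE = {"ziputil:inflate", "tmpl:eval_expr"}


def package(node):
    return node.split(":", 1)[0]


def call_paths(entry, calls):
    """BFS from a first-party entry point; shortest call path to each reachable function."""
    paths = {entry: [entry]}
    queue = deque([entry])
    while queue:
        cur = queue.popleft()
        for nxt in calls.get(cur, []):
            if nxt not in paths:
                paths[nxt] = paths[cur] + [nxt]
                queue.append(nxt)
    return paths


def dependency_depth(path):
    """Number of package boundaries crossed along a call path (0 = first-party)."""
    return sum(1 for a, b in zip(path, path[1:]) if package(a) != package(b))


def triage(entry, calls, vulnerable):
    """Split vulnerable functions into reachable (path, depth) and present-but-uncalled."""
    paths = call_paths(entry, calls)
    reachable = {v: (paths[v], dependency_depth(paths[v])) for v in vulnerable if v in paths}
    unreachable = sorted(v for v in vulnerable if v not in paths)
    return reachable, unreachable


if __name__ == "__main__":
    reachable, unreachable = triage("app:main", CALLS, VULNERABLE)
    for fn, (path, depth) in sorted(reachable.items()):
        print(f"FIX FIRST  {fn} depth={depth} via {' -> '.join(path)}")
    for fn in unreachable:
        print(f"LOWER PRIO {fn} (in dependency tree, not called)")
```

A static call graph can miss calls made through reflection or dynamic dispatch, so an "unreachable" result lowers the priority of a finding rather than proving the library safe.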
Proprietary vulnerability database – it’s not JUST the NVD that matters – get AHEAD of the attack
SourceClear identifies vulnerabilities that are not in, or haven’t yet made it into, the National Vulnerability Database (NVD). To unearth these vulnerabilities, SourceClear scours all open source repositories and scans the code. But that alone is not enough. You also need to scan the metadata, commit logs, bug fixes, patch notes as well as any other developer comments. The SourceClear platform then uses a machine learning algorithm (verified by humans) to find security issues that have not been found or disclosed yet. This combination approach gives unparalleled levels of insight.
This enhanced database is extremely valuable. Why? Because it keeps organizations one step ahead of cyberattackers.
When a vulnerability is listed in the NVD, it’s essentially being shared publicly for the first time. Key to remember here is that it is being shared with both organizations and cyberattackers. Usually organizations have far less time to fix the vulnerability before attackers start exploiting it. The news is littered with stories of many organizations breached in this way. With SourceClear’s technology, you and organizations like you can find and fix vulnerabilities before they hit the NVD and the free CyberCrime advertising it inadvertently provides.
Library catalog – built in safety at the core
SourceClear maintains a list of approved libraries with their up-to-date vulnerability status. With this data, AppSec leaders can create catalogs for their developers with pre-approved open source libraries to leverage.
CI/CD agent – placing new solutions within your existing tool chain
SourceClear is a SaaS platform with an agent that directly integrates with continuous integration and continuous delivery (CI/CD) platforms, providing a solution that is deeply embedded in the development process. With a variety of SDLC integrations that leverage an agent sitting on the build server, SourceClear allows users to, in most cases, add a single line of code to their build and begin scanning every time a new build is initiated.
Cigniti has a dedicated Security Testing Center of Excellence (TCoE) that has developed methodologies, processes, templates, checklists, and guidelines for web applications, software products, networks, and cloud. It offers end-to-end security testing services including Network Penetration Testing, SCADA Network Vulnerability Assessment and Penetration Testing, Web Application Penetration Testing, Wireless Network Assessment and Penetration Testing.
With this strategic partnership, both the entities collectively present a robust set of Security Testing expertise to our clients for their application development and testing requirements – covering both custom and Open Source code.
Is Cybersecurity a growing concern for your organization and business? Experts from Cigniti and CA Veracode can work with you to address your security testing requirements in the context of the current challenges in the digital sphere.
This blog is written in collaboration with CA Veracode, Cigniti’s strategic partner in the Security Testing domain.
Ben Viollet is EMEA Channel Director at CA Veracode. He works hand in hand with key partners such as Cigniti Technologies. He primarily focuses on ensuring an improvement in the security position of the clients.