The secure state of security: closing the security skills gap

Businesses are increasingly implementing new technologies to grow and innovate; in turn, this makes their consumers more reliant on software than ever before, as it underpins every aspect of daily life, from controlling our devices to managing e-commerce systems.

This dependency has led to an unprecedented level of cyber-attacks against public organisations, global corporations and most recently critical national infrastructure such as nuclear, energy and industrial firms. Almost half (46 percent) of all UK businesses suffered a cyber-security breach between April 2016 and April 2017. The exploitation of vulnerable software and applications is a key attack vector used by cyber-criminals, yet few enterprises have vendor application security testing programmes in place. 

Illustrating the scale of the risk that vulnerable applications and software pose, CA Veracode recently released its 2017 State of Software Security (SOSS) report. The data comes from code-level analysis of over 250 billion lines of code, representing more than 400,000 assessments performed over a 12-month period, and aims to give security and software development professionals an up-to-date understanding of trends and to identify best practices.

CA Veracode researchers looked to the OWASP Top 10 for their initial risk assessment; it lists the most important vulnerability categories in web applications, as agreed on by the security practitioners of the Open Web Application Security Project (OWASP). On their first scan, approximately 70 percent of applications failed security testing when measured against major industry vulnerability standards.

Open source components: test, test and test again 

Despite the high prevalence of known vulnerabilities, many organisations never do static or dynamic testing – although exactly how many applications remain untested is a mystery. But we do know that 83 percent of organisations have released code before testing or resolving security issues.

The vulnerabilities that can be introduced by open source components, in particular, can present significant risks to an organisation. A defining aspect of modern software development is the incorporation of third-party libraries – which in turn can lead to a broad dissemination of vulnerabilities across wide-ranging applications in any number of industries. This year, for example, CA Veracode found that 91 percent of Java applications contained at least one vulnerable component that could be exploited by cyber-criminals.

Securing software that has leveraged open source is entirely possible. To assure the security of their applications, developers need to understand which components they're using and methodically track them over time, so that if any vulnerabilities in those components are discovered, they can locate and patch them in a timely manner.
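The tracking described above, in miniature, as an added example that is not part of the original article or of any CA Veracode tooling: it parses the dependency list of a Maven pom.xml (Java applications being the case the report singles out) and flags any component whose version falls below the first fixed version in an advisory list. The pom.xml, the component names and the advisory entries are all constructed sample data; the advisory identifiers are placeholders, not real CVE or vendor IDs.

```python
"""Minimal component-inventory check: which declared Maven dependencies
fall inside a known-vulnerable version range? Constructed data only."""
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml; the groupIds and artifactIds are fictitious.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.example</groupId><artifactId>json-lib</artifactId><version>2.9.8</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>web-core</artifactId><version>5.3.20</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>logger</artifactId><version>2.17.1</version></dependency>
  </dependencies>
</project>"""

# Constructed advisory feed: (groupId, artifactId, first fixed version, placeholder id).
# Any declared version strictly below the first fixed version is treated as affected.
ADVISORIES = [
    ("org.example", "json-lib", "2.9.10", "ADVISORY-PLACEHOLDER-1"),
    ("org.example", "logger", "2.17.1", "ADVISORY-PLACEHOLDER-2"),
    ("org.example", "web-core", "5.3.21", "ADVISORY-PLACEHOLDER-3"),
]

NS = {"m": "http://maven.apache.org/POM/4.0.0"}  # Maven's default XML namespace


def parse_version(v):
    """Turn '2.9.10' into (2, 9, 10) so versions compare numerically.
    A plain string comparison would wrongly rank '2.9.8' above '2.9.10'."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_dependencies(pom_xml):
    """Return [(groupId, artifactId, version)] for every <dependency> in the POM."""
    root = ET.fromstring(pom_xml)
    return [
        (d.find("m:groupId", NS).text, d.find("m:artifactId", NS).text, d.find("m:version", NS).text)
        for d in root.findall(".//m:dependency", NS)
    ]


def find_vulnerable(deps, advisories):
    """Match each dependency against the advisory list; return the affected ones."""
    hits = []
    for group, artifact, version in deps:
        for a_group, a_artifact, fixed, advisory_id in advisories:
            if (group, artifact) == (a_group, a_artifact) and parse_version(version) < parse_version(fixed):
                hits.append((group, artifact, version, fixed, advisory_id))
    return hits


if __name__ == "__main__":
    for group, artifact, version, fixed, advisory_id in find_vulnerable(parse_dependencies(SAMPLE_POM), ADVISORIES):
        print(f"{group}:{artifact}:{version} affected by {advisory_id}; upgrade to {fixed} or later")
```

On the sample data, json-lib 2.9.8 and web-core 5.3.20 are reported, while logger 2.17.1 is not, because it already sits at the first fixed version.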

Upskill your developer team 

Developers play a huge role in ensuring that enterprise applications are secure. There is a challenge, however. As it stands, there is a critical deficit in developer security training, including in how developers can effectively manage the risk of vulnerable components. The research found that developers aren't choosing to ignore security issues, but rather that they don't have the skills or resources needed to create secure code.

Security education for developers is crucially needed. Training in security for developers has been shown to deliver a clear return on investment: eLearning improved developer fix rates by 19 percent, whilst remediation coaching improved fix rates by 88 percent. Nevertheless, 86 percent of IT professionals say their organisation doesn't spend enough money or time on application security training. If organisations truly are concerned about the state of their security, they need to be taking steps to ensure their developers have the competencies to deliver it.

Act fast, before it's too late 

With new vulnerabilities constantly being discovered, it is essential for organisations to get a handle on their software security. Even for those organisations with an AppSec programme in place, flaws can take a long time to patch, with only 22 percent of very high severity flaws being patched within 30 days. 

Testing applications early and often can avoid a long, drawn-out fixing process. Research demonstrates that systematic software security testing is both effective and critical. Now is the time for businesses to understand the state of their software, as well as the implications it can have. There's too much riding on it if they don't.

Contributed by Paul Farrington, Manager, EMEA Solution Architects at CA Veracode.