This feed does not validate.
<span>Preventing Broken Access Control Vulnerabilities in Web Applications</ ...
<div class="field field--name-body field--type-text-with-summary ...
^
... s Control<span style="font-size:24.0pt"><o:p></o:p></span></h2>
^
In addition, interoperability with the widest range of feed readers could be improved by implementing the following recommendations.
<rss version="2.0" xml:base="https://www.veracode.com/" xmlns:dc="http://pur ...
<rss version="2.0" xml:base="https://www.veracode.com/" xmlns:dc="http://pur ...
<rss version="2.0" xml:base="https://www.veracode.com/" xmlns:dc="http://pur ...
<rss version="2.0" xml:base="https://www.veracode.com/" xmlns:dc="http://pur ...
<rss version="2.0" xml:base="https://www.veracode.com/" xmlns:dc="http://pur ...
<rss version="2.0" xml:base="https://www.veracode.com/" xmlns:dc="http://pur ...
<?xml version="1.0" encoding="utf-8"?><rss version="2.0" xml:base="https://www.veracode.com/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:foaf="http://xmlns.com/foaf/0.1/" xmlns:og="http://ogp.me/ns#" xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#" xmlns:schema="http://schema.org/" xmlns:sioc="http://rdfs.org/sioc/ns#" xmlns:sioct="http://rdfs.org/sioc/types#" xmlns:skos="http://www.w3.org/2004/02/skos/core#" xmlns:xsd="http://www.w3.org/2001/XMLSchema#"> <channel> <title>Veracode</title> <link>https://www.veracode.com/</link> <description></description> <language>en</language> <pubDate>Fri, 01 Dec 2023 13:50:00 -0500</pubDate> <item> <title>Preventing Broken Access Control Vulnerabilities in Web Applications</title> <link>https://www.veracode.com/blog/managing-appsec/preventing-broken-access-control-vulnerabilities-web-applications</link> <description><span>Preventing Broken Access Control Vulnerabilities in Web Applications</span> <div class="field field--name-body field--type-text-with-summary field--label-hidden field__item"><h2>Understanding Broken Access Control<span style="font-size:24.0pt"><o:p></o:p></span></h2><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Calibri",sans-serif">Access control is crucial for modern web development as it enables the management of how users, processes, and devices should be granted permissions to application functions and resources. Access control mechanisms also determine the level of access permitted and manifest activities carried out by specific entities. Broken access control vulnerabilities arise when a malicious user abuses the constraints on the actions they are allowed to perform or the objects they can access. Attackers typically leverage access control failures to gain unauthorized access to resources within the web application, run malicious commands, or gain a privileged user‘s permission. </span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Calibri",sans-serif">This blog discusses broken access control vulnerabilities and common prevention techniques to better secure your web applications.</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Calibri",sans-serif">Access control issues enable unauthorized users to access, modify, and delete resources or perform actions that exceed their intended permissions. Broken access control encompasses various security vulnerabilities typically exploited to elevate privilege levels. Developing secure and effective access control schemes is often a complex undertaking that spans multiple application functions that were not designed deliberately but have evolved with the application. It’s easy to overlook how entities access resources when implementing these schemes, resulting in hidden authorization flaws. Such control flaws are typically easy to discover and exploit, making them a popular target for common attacks. </span></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> </p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><o:p></o:p></p><h2>Types of Broken Access Control Vulnerabilities<span style="font-size:24.0pt"><o:p></o:p></span></h2><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Calibri",sans-serif">Broken access control vulnerabilities mostly lead to privilege escalation attacks and are characterized by how the malicious user exploits and modifies access rights. The primary forms of access control vulnerabilities include:</span><o:p></o:p></p><h4>Horizontal Privilege Escalation<o:p></o:p></h4><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Calibri",sans-serif">Horizontal privilege escalation vulnerabilities occur when a user can obtain access to the accounts of other regular users with the same level of permissions. An attacker can leverage these vulnerabilities to get the legitimate user‘s data and use it for a wide range of malicious acts such as ransomware attacks, financial fraud/unauthorized money transfer, exposure of sensitive files, and data deletion. A horizontal privilege escalation attack usually does not require sophisticated attack tooling and can be orchestrated with a few simple steps, such as:</span><o:p></o:p></p><ul><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Calibri",sans-serif">Modifying the URL‘s request ID parameter with legitimate user details obtained through some form of social engineering</span><o:p></o:p></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Calibri",sans-serif">Reviewing the application code to identify authentication vulnerabilities at the source code level</span><o:p></o:p></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Calibri",sans-serif">Using third-party code review tools combined with security testing tools</span><o:p></o:p></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Calibri",sans-serif">Enumerating user accounts on Linux machines maintains their hold of the identification process</span><o:p></o:p></li></ul><h4>Context-based Privilege Escalation<o:p></o:p></h4><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Calibri",sans-serif">A hybrid attack in which the malicious user first obtains access to regular user accounts and then uses broken vertical access controls to gain administrative rights. Context-based privilege escalation attacks also involve business logic exploitation that allows users to perform usually impossible actions within their security context. Examples of context-based privilege escalation include:</span></p><ul><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Calibri",sans-serif">Leveraging Insecure Direct Object Reference vulnerabilities to access critical resources via user-supplied input</span><o:p></o:p></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Calibri",sans-serif">Using corrupt HTTP referrer headers to access functionality and sensitive files beyond their permitted context</span><o:p></o:p></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Calibri",sans-serif">Location-based attacks</span><o:p></o:p></li></ul><h4>Vertical Privilege Escalation<o:p></o:p></h4><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Calibri",sans-serif">Vertical privilege escalation, also known as privilege elevation, allows an unauthorized user to gain higher privilege levels, typically admin privileges. Vertical privilege elevation usually follows an initial attack, as the malicious user intends to obtain permissions beyond what the compromised subject already has. When compared to horizontal escalation, vertical privilege escalation attacks are more sophisticated since the hacker is required to perform root or kernel-level modifications to obtain administrative access.</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Calibri",sans-serif">Once the attackers gain access rights of admin users, they can inject malicious payloads at the code level, disrupt a sensitive business function, or impact the availability of the application‘s critical resources. Some common techniques hackers use to abuse vertical access controls include:</span><o:p></o:p></p><ul><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Calibri",sans-serif">Using the Windows Sysinternals suite to create backdoor administrative users</span><o:p></o:p></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Calibri",sans-serif">Using process injection to mimic administrative functions</span><o:p></o:p></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Calibri",sans-serif">Leveraging directory listing vulnerabilities to disclose information about the access control policy</span><o:p></o:p></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Calibri",sans-serif">Using social engineering for direct access to admin accounts</span><o:p></o:p></li></ul><h2> </h2><h2>Detecting Broken Access Control Vulnerabilities<span style="font-size:24.0pt"><o:p></o:p></span></h2><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Calibri",sans-serif">Through comprehensive application security testing, <a href="//www.veracode.com/products/dynamic-analysis-dast"><span style="color:blue">Veracode Dynamic Analysis </span></a>helps you generate an in-depth analysis of your tech stack’s security and access control. The platform includes scanners that collectively analyzes for broken access control vulnerabilities. These scanners include:</span><o:p></o:p></p><ul><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Calibri",sans-serif"><a href="https://docs.veracode.com/r/cross-site-request-forgery"><b><span style="color:#0E101A">CSRF Scanner:</span></b></a> Helps prevent access control attacks using malicious payloads submitted through a trusted normal user.</span><o:p></o:p></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-family:"Calibri",sans-serif;<br />color:#0E101A">URL Fuzzer Scanner:</span></b><span style="font-family:"Calibri",sans-serif"> Prevents privilege escalation attacks orchestrated through forced browsing or modifying URL request parameters with a relevant admin URL.</span><o:p></o:p></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Calibri",sans-serif"><a href="https://docs.veracode.com/r/enable-security-headers"><b><span style="color:#0E101A">HTTP Header Scanner:</span></b></a> Prevents the use of modified HTTP referrer headers to access critical resources beyond the current security context</span><o:p></o:p></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Calibri",sans-serif"><a href="https://docs.veracode.com/r/fingerprinting"><b><span style="color:#0E101A">Fingerprinting Scanner:</span></b></a> Detect attack surfaces that expose application server implementations, privacy laws, and the web application‘s access control policy to external domains</span><o:p></o:p></li></ul><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Calibri",sans-serif"><a href="//www.veracode.com/products/dynamic-analysis-dast"><span style="color:blue">Veracode Dynamic Analysis</span></a> reduces manual efforts, and lets developers focus quickly on implementing secure design and threat mitigation policies. The platform also offers actionable security reports that can be shared across cross-functional teams, clients, and executives, encouraging a collaborative approach to security that spans across all verticals of your organization.</span></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> </p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><o:p></o:p></p><h2>Broken Access Control Prevention Techniques<span style="font-size:24.0pt"><o:p></o:p></span></h2><h4>Multi-factor Authentication<o:p></o:p></h4><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Calibri",sans-serif">Multi-Factor authentication (MFA) is a zero-trust approach to administering security that deploys a series of access control checks that make it difficult for a hacker to perform malicious activities even after acquiring legitimate user credentials. This multi-layered defense strategy combines different authentication mechanisms to validate a user‘s identity. In implementation, two or more proofs of identification (such as tokens or biometric IDs) are made a mandatory requirement before access is granted. This blocks unauthenticated users from exploiting a user account, preventing broken access control attempts.</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Calibri",sans-serif">Unlike other dynamic application security testing solutions that are disrupted by MFA setups during testing, <a href="//www.veracode.com/products/dynamic-analysis-dast"><span style="color:blue">Veracode Dynamic Analysis</span></a> allows you to launch dynamic scans that automatically support your MFA configurations. This allows you to perform dynamic testing on web applications and APIs without turning off your MFA setup, helping you achieve a more automated dynamic scanning experience that ensures alignment with best practices.</span><o:p></o:p></p><h4>Test and Audit Access Controls Frequently<o:p></o:p></h4><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Calibri",sans-serif">Apart from manually testing control mechanisms, it is also recommended to adopt <a href="//www.veracode.com/security/vulnerability-scanning-tools"><span style="color:blue">automated scanning tools</span></a> for continuous monitoring of access control flaws that misalign with an organization‘s security policy. While <a href="//www.veracode.com/security/vulnerability-scanning-tools"><span style="color:blue">continuous testing and vulnerability scanning</span></a> help teams evaluate access control mechanisms are working as intended, such tools also help uncover emerging vulnerabilities within access control systems.</span><o:p></o:p></p><h4>Session Management<o:p></o:p></h4><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Calibri",sans-serif"><a href="//www.veracode.com/security/session-management"><span style="color:blue">Session management</span></a> is a critical consideration for building secure software. As such, the appropriate implementation of session IDs, authentication tokens, and cookies collectively prevent session hijacking attacks. Such deployments are provisioned to forcefully destroy session-associated data on an application server after a subject logs out of the application. Implementing session timeouts that require re-authentication and a fresh token when a user connects to the server after logout is also recommended. It is also a best practice to not expose session IDs in URLs, as attackers could exploit these for session theft techniques.</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> </p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><o:p></o:p></p><h2>Strengthen Your Web Applications and APIs Against Attacks<span style="font-size:24.0pt"><o:p></o:p></span></h2><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Calibri",sans-serif"><a href="//www.veracode.com/products/dynamic-analysis-dast"><span style="color:blue">Veracode Dynamic Analysis (DAST)<b> </b></span></a>helps you implement best practices and a continuous, automated security testing process to prevent and detect broken access control vulnerabilities in web applications. The solution integrates with almost all popular software stacks and security platforms, helping to initiate dynamic analysis testing within minutes.</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Calibri",sans-serif">See how Veracode can help you prevent, find and fix broken access control vulnerabilities to strengthen your software against attack with a free, 14-day trial of <a href="//www.veracode.com/products/veracode-dynamic-analysis-free-trial"><span style="color:blue">Veracode DAST Essentials</span></a>.</span><o:p></o:p></p><p class="BodyBulletBodycopy"><span style="color:black;mso-themecolor:text1;<br />letter-spacing:0pt"><o:p> </o:p></span></p></div> <span><span lang="" about="/users/jenny-buckingham" typeof="schema:Person" property="schema:name" datatype="">Jenny Buckingham</span></span> <span>Fri, 12/01/2023 - 13:50</span> <div class="field field--name-field-featured-image field--type-image field--label-hidden field__item"> <img loading="lazy" src="/sites/default/files/default_images/default_fullsize_image_1600x800_Generic_2.png" width="1396" height="550" alt="" typeof="foaf:Image" /> </div> </description> <pubDate>Fri, 01 Dec 2023 18:50:00 +0000</pubDate> <dc:creator>Jenny Buckingham</dc:creator> <guid isPermaLink="false">64191 at https://www.veracode.com</guid> </item><item> <title>CVision CISO Dinner (Tampa) </title> <link>https://www.veracode.com/node/64181</link> <description><span>CVision CISO Dinner (Tampa) </span> <span><span lang="" about="/users/shafrazkamil2xmarketing" typeof="schema:Person" property="schema:name" datatype="" content="Shafraz.Kamil@2x.marketing">Shafraz.Kamil@…</span></span> <span>Thu, 11/30/2023 - 03:23</span> <div class="field field--name-field-event-start-date field--type-datetime field--label-above"> <div class="field__label">Event Start Date</div> <div class="field__item"><time datetime="2023-12-12T00:00:00Z">Mon, 12/11/2023 - 19:00</time></div> </div> <div class="field field--name-field-event-end-date field--type-datetime field--label-above"> <div class="field__label">Event End Date</div> <div class="field__item"><time datetime="2023-12-12T03:00:00Z">Mon, 12/11/2023 - 22:00</time></div> </div> <div class="field field--name-field-resource-featured-resource field--type-boolean field--label-above"> <div class="field__label">Featured Event</div> <div class="field__item">Off</div> </div> <div class="field field--name-field-resource-image field--type-entity-reference field--label-above"> <div class="field__label">Featured Image</div> <div class="field__item"><a href="/media/image/18626" hreflang="en">cvision-ciso-dinner-event-2023.jpg</a></div> </div> <div class="field field--name-field-resource-link field--type-link field--label-above"> <div class="field__label">Link</div> <div class="field__item"><a href="https://www.cvisionintl.com/events/dinner/2023-dec-11-veracode-ciso-tampa-fl/" target="_blank">Join Us</a></div> </div> <div class="field field--name-field-event-location field--type-entity-reference field--label-above"> <div class="field__label">Event Location</div> <div class="field__item"><a href="/vc-event-location/united-states" hreflang="en">United States</a></div> </div> <div class="field field--name-field-vc-event-type field--type-entity-reference field--label-above"> <div class="field__label">Event Type</div> <div class="field__item"><a href="/vc-event-type/person" hreflang="en">In-Person</a></div> </div> <div class="field field--name-field-use-new-template field--type-list-string field--label-above"> <div class="field__label">Use new template</div> <div class="field__item">No</div> </div></description> <pubDate>Thu, 30 Nov 2023 08:23:26 +0000</pubDate> <dc:creator>Shafraz.Kamil@2x.marketing</dc:creator> <guid isPermaLink="false">64181 at https://www.veracode.com</guid> </item><item> <title>Apex East Assembly (Charlotte)</title> <link>https://www.veracode.com/node/64176</link> <description><span>Apex East Assembly (Charlotte)</span> <span><span lang="" about="/users/shafrazkamil2xmarketing" typeof="schema:Person" property="schema:name" datatype="" content="Shafraz.Kamil@2x.marketing">Shafraz.Kamil@…</span></span> <span>Thu, 11/30/2023 - 03:21</span> <div class="field field--name-field-event-start-date field--type-datetime field--label-above"> <div class="field__label">Event Start Date</div> <div class="field__item"><time datetime="2023-12-07T12:45:00Z">Thu, 12/07/2023 - 07:45</time></div> </div> <div class="field field--name-field-event-end-date field--type-datetime field--label-above"> <div class="field__label">Event End Date</div> <div class="field__item"><time datetime="2023-12-07T19:00:00Z">Thu, 12/07/2023 - 14:00</time></div> </div> <div class="field field--name-field-resource-featured-resource field--type-boolean field--label-above"> <div class="field__label">Featured Event</div> <div class="field__item">Off</div> </div> <div class="field field--name-field-resource-image field--type-entity-reference field--label-above"> <div class="field__label">Featured Image</div> <div class="field__item"><a href="/media/image/18861" hreflang="en">apex-east-assembly-event-2023.jpg</a></div> </div> <div class="field field--name-field-resource-link field--type-link field--label-above"> <div class="field__label">Link</div> <div class="field__item"><a href="https://events.bizzabo.com/cha-assembly-ciso-1207" target="_blank">Register Now</a></div> </div> <div class="field field--name-field-event-location field--type-entity-reference field--label-above"> <div class="field__label">Event Location</div> <div class="field__item"><a href="/vc-event-location/united-states" hreflang="en">United States</a></div> </div> <div class="field field--name-field-vc-event-type field--type-entity-reference field--label-above"> <div class="field__label">Event Type</div> <div class="field__item"><a href="/vc-event-type/person" hreflang="en">In-Person</a></div> </div> <div class="field field--name-field-use-new-template field--type-list-string field--label-above"> <div class="field__label">Use new template</div> <div class="field__item">No</div> </div></description> <pubDate>Thu, 30 Nov 2023 08:21:41 +0000</pubDate> <dc:creator>Shafraz.Kamil@2x.marketing</dc:creator> <guid isPermaLink="false">64176 at https://www.veracode.com</guid> </item><item> <title>Futurecon Atlanta </title> <link>https://www.veracode.com/node/64171</link> <description><span>Futurecon Atlanta </span> <span><span lang="" about="/users/shafrazkamil2xmarketing" typeof="schema:Person" property="schema:name" datatype="" content="Shafraz.Kamil@2x.marketing">Shafraz.Kamil@…</span></span> <span>Thu, 11/30/2023 - 03:18</span> <div class="field field--name-field-event-start-date field--type-datetime field--label-above"> <div class="field__label">Event Start Date</div> <div class="field__item"><time datetime="2023-12-06T15:00:00Z">Wed, 12/06/2023 - 10:00</time></div> </div> <div class="field field--name-field-event-end-date field--type-datetime field--label-above"> <div class="field__label">Event End Date</div> <div class="field__item"><time datetime="2023-12-06T22:00:00Z">Wed, 12/06/2023 - 17:00</time></div> </div> <div class="field field--name-field-resource-featured-resource field--type-boolean field--label-above"> <div class="field__label">Featured Event</div> <div class="field__item">Off</div> </div> <div class="field field--name-field-resource-image field--type-entity-reference field--label-above"> <div class="field__label">Featured Image</div> <div class="field__item"><a href="/media/image/18856" hreflang="en">futurecon-atlanta-event-2023.jpg</a></div> </div> <div class="field field--name-field-resource-link field--type-link field--label-above"> <div class="field__label">Link</div> <div class="field__item"><a href="https://futureconevents.com/events/atlanta-ga-2023/" target="_blank">Register Now</a></div> </div> <div class="field field--name-field-event-location field--type-entity-reference field--label-above"> <div class="field__label">Event Location</div> <div class="field__item"><a href="/vc-event-location/united-states" hreflang="en">United States</a></div> </div> <div class="field field--name-field-vc-event-type field--type-entity-reference field--label-above"> <div class="field__label">Event Type</div> <div class="field__item"><a href="/vc-event-type/person" hreflang="en">In-Person</a></div> </div> <div class="field field--name-field-use-new-template field--type-list-string field--label-above"> <div class="field__label">Use new template</div> <div class="field__item">No</div> </div></description> <pubDate>Thu, 30 Nov 2023 08:18:40 +0000</pubDate> <dc:creator>Shafraz.Kamil@2x.marketing</dc:creator> <guid isPermaLink="false">64171 at https://www.veracode.com</guid> </item><item> <title>CVision CISO Dinner (DC)</title> <link>https://www.veracode.com/node/64166</link> <description><span>CVision CISO Dinner (DC)</span> <span><span lang="" about="/users/shafrazkamil2xmarketing" typeof="schema:Person" property="schema:name" datatype="" content="Shafraz.Kamil@2x.marketing">Shafraz.Kamil@…</span></span> <span>Thu, 11/30/2023 - 03:16</span> <div class="field field--name-field-event-start-date field--type-datetime field--label-above"> <div class="field__label">Event Start Date</div> <div class="field__item"><time datetime="2023-12-05T22:30:00Z">Tue, 12/05/2023 - 17:30</time></div> </div> <div class="field field--name-field-event-end-date field--type-datetime field--label-above"> <div class="field__label">Event End Date</div> <div class="field__item"><time datetime="2023-12-06T02:00:00Z">Tue, 12/05/2023 - 21:00</time></div> </div> <div class="field field--name-field-resource-featured-resource field--type-boolean field--label-above"> <div class="field__label">Featured Event</div> <div class="field__item">Off</div> </div> <div class="field field--name-field-resource-image field--type-entity-reference field--label-above"> <div class="field__label">Featured Image</div> <div class="field__item"><a href="/media/image/18626" hreflang="en">cvision-ciso-dinner-event-2023.jpg</a></div> </div> <div class="field field--name-field-resource-link field--type-link field--label-above"> <div class="field__label">Link</div> <div class="field__item"><a href="https://www.cvisionintl.com/events/dinner/2023-dec-5-veracode-ciso-dinner-washington-dc/" target="_blank">Join Us</a></div> </div> <div class="field field--name-field-event-location field--type-entity-reference field--label-above"> <div class="field__label">Event Location</div> <div class="field__item"><a href="/vc-event-location/united-states" hreflang="en">United States</a></div> </div> <div class="field field--name-field-vc-event-type field--type-entity-reference field--label-above"> <div class="field__label">Event Type</div> <div class="field__item"><a href="/vc-event-type/person" hreflang="en">In-Person</a></div> </div> <div class="field field--name-field-use-new-template field--type-list-string field--label-above"> <div class="field__label">Use new template</div> <div class="field__item">No</div> </div></description> <pubDate>Thu, 30 Nov 2023 08:16:04 +0000</pubDate> <dc:creator>Shafraz.Kamil@2x.marketing</dc:creator> <guid isPermaLink="false">64166 at https://www.veracode.com</guid> </item><item> <title>GBI Half Moon Bay Summit (San Francisco) </title> <link>https://www.veracode.com/node/64161</link> <description><span>GBI Half Moon Bay Summit (San Francisco) </span> <span><span lang="" about="/users/shafrazkamil2xmarketing" typeof="schema:Person" property="schema:name" datatype="" content="Shafraz.Kamil@2x.marketing">Shafraz.Kamil@…</span></span> <span>Thu, 11/30/2023 - 03:13</span> <div class="field field--name-field-event-start-date field--type-datetime field--label-above"> <div class="field__label">Event Start Date</div> <div class="field__item"><time datetime="2023-12-05T13:00:00Z">Tue, 12/05/2023 - 08:00</time></div> </div> <div class="field field--name-field-event-end-date field--type-datetime field--label-above"> <div class="field__label">Event End Date</div> <div class="field__item"><time datetime="2023-12-05T20:00:00Z">Tue, 12/05/2023 - 15:00</time></div> </div> <div class="field field--name-field-resource-featured-resource field--type-boolean field--label-above"> <div class="field__label">Featured Event</div> <div class="field__item">Off</div> </div> <div class="field field--name-field-resource-image field--type-entity-reference field--label-above"> <div class="field__label">Featured Image</div> <div class="field__item"><a href="/media/image/18851" hreflang="en">gbi-half-moon-bay-summit-event-2023.jpg</a></div> </div> <div class="field field--name-field-resource-link field--type-link field--label-above"> <div class="field__label">Link</div> <div class="field__item"><a href="https://www.gbiimpact.com/boardrooms/half-moon-bay-summit-ciso" target="_blank">Register Now</a></div> </div> <div class="field field--name-field-event-location field--type-entity-reference field--label-above"> <div class="field__label">Event Location</div> <div class="field__item"><a href="/vc-event-location/united-states" hreflang="en">United States</a></div> </div> <div class="field field--name-field-vc-event-type field--type-entity-reference field--label-above"> <div class="field__label">Event Type</div> <div class="field__item"><a href="/vc-event-type/person" hreflang="en">In-Person</a></div> </div> <div class="field field--name-field-use-new-template field--type-list-string field--label-above"> <div class="field__label">Use new template</div> <div class="field__item">No</div> </div></description> <pubDate>Thu, 30 Nov 2023 08:13:41 +0000</pubDate> <dc:creator>Shafraz.Kamil@2x.marketing</dc:creator> <guid isPermaLink="false">64161 at https://www.veracode.com</guid> </item><item> <title>TASSCC Conference: State of the State </title> <link>https://www.veracode.com/node/64156</link> <description><span>TASSCC Conference: State of the State </span> <span><span lang="" about="/users/shafrazkamil2xmarketing" typeof="schema:Person" property="schema:name" datatype="" content="Shafraz.Kamil@2x.marketing">Shafraz.Kamil@…</span></span> <span>Thu, 11/30/2023 - 03:10</span> <div class="field field--name-field-event-start-date field--type-datetime field--label-above"> <div class="field__label">Event Start Date</div> <div class="field__item"><time datetime="2023-12-01T14:00:00Z">Fri, 12/01/2023 - 09:00</time></div> </div> <div class="field field--name-field-event-end-date field--type-datetime field--label-above"> <div class="field__label">Event End Date</div> <div class="field__item"><time datetime="2023-12-01T22:00:00Z">Fri, 12/01/2023 - 17:00</time></div> </div> <div class="field field--name-field-resource-featured-resource field--type-boolean field--label-above"> <div class="field__label">Featured Event</div> <div class="field__item">Off</div> </div> <div class="field field--name-field-resource-image field--type-entity-reference field--label-above"> <div class="field__label">Featured Image</div> <div class="field__item"><a href="/media/image/18846" hreflang="en">tasscc-conference-state-of-the-state-event-2023.jpg</a></div> </div> <div class="field field--name-field-resource-link field--type-link field--label-above"> <div class="field__label">Link</div> <div class="field__item"><a href="https://www.tasscc.org/page/2023sos" target="_blank">Register Now</a></div> </div> <div class="field field--name-field-event-location field--type-entity-reference field--label-above"> <div class="field__label">Event Location</div> <div class="field__item"><a href="/vc-event-location/united-states" hreflang="en">United States</a></div> </div> <div class="field field--name-field-vc-event-type field--type-entity-reference field--label-above"> <div class="field__label">Event Type</div> <div class="field__item"><a href="/vc-event-type/person" hreflang="en">In-Person</a></div> </div> <div class="field field--name-field-use-new-template field--type-list-string field--label-above"> <div class="field__label">Use new template</div> <div class="field__item">No</div> </div></description> <pubDate>Thu, 30 Nov 2023 08:10:57 +0000</pubDate> <dc:creator>Shafraz.Kamil@2x.marketing</dc:creator> <guid isPermaLink="false">64156 at https://www.veracode.com</guid> </item><item> <title>Top 5 Open Source Security Risks IT Leaders Must Know</title> <link>https://www.veracode.com/blog/intro-appsec/top-5-open-source-security-risks-it-leaders-must-know</link> <description><span>Top 5 Open Source Security Risks IT Leaders Must Know</span> <div class="field field--name-body field--type-text-with-summary field--label-hidden field__item"><p paraeid="{401a55bf-a23b-452f-8450-c1cea3a41d2f}{26}" paraid="1400727962">Lurking in the open source software (OSS) that <a href="https://venturebeat.com/programming-development/github-releases-open-source-report-octoverse-2022-says-97-of-apps-use-oss/" rel="noreferrer noopener" target="_blank">pervades applications</a> around the world are open source security risks technology leaders must be aware of. Software is one of technology’s most vulnerable subsets with <a href="https://info.veracode.com/report-state-of-software-security-2023.html" rel="noreferrer noopener" target="_blank">over 70% of applications</a> containing security flaws. Here are the open source security risks IT leaders must be aware of to protect technology and help it scale safely. </p><h2 aria-level="2" paraeid="{401a55bf-a23b-452f-8450-c1cea3a41d2f}{80}" paraid="717585834" role="heading">Why Address Open Source Software Security Risks </h2><p paraeid="{401a55bf-a23b-452f-8450-c1cea3a41d2f}{92}" paraid="256977134">On December 9, 2021, a Tweet exposed a vulnerability in the <a href="//www.veracode.com/blog/security-news/58-orgs-are-using-vulnerable-version-log4j" rel="noreferrer noopener" target="_blank">widely-used OSS library Log4j</a>. It didn’t take long before <a href="https://www.microsoft.com/en-us/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/" rel="noreferrer noopener" target="_blank">attackers around the world</a> were working to exploit the Log4j vulnerability. This incident was a wake-up call to how the security of a library can quickly change and proactive measures must be in place to protect from this danger. </p><p lang="EN-US" paraeid="{d5067fc3-0142-4d9d-98ee-bf2a4741e43a}{54}" paraid="1156949772" xml:lang="EN-US">Log4j is just one example of how vulnerabilities in open source pose significant risks that can impact operations, data security, and overall IT health. Strategic technology choices can make a big impact on how much risk your open source is exposing you to. New <a href="//www.veracode.com/blog/intro-appsec/why-new-sec-cyber-rules-promote-accountability-and-maturity" rel="noreferrer noopener" target="_blank">SEC regulations</a> make it clear that security is no longer only for the “cyber person,” and we all play our part in security. </p><p lang="EN-US" paraeid="{b96483d3-a071-40ac-9e73-bc95f0ea1bf7}{63}" paraid="1501868350" xml:lang="EN-US">Since you won’t be addressing open source software security risks by getting rid of your use of OSS altogether, here are the risks you need to know about and how to tackle them. </p><h2 aria-level="2" paraeid="{401a55bf-a23b-452f-8450-c1cea3a41d2f}{123}" paraid="285144626" role="heading">Risk 1: Known Vulnerabilities in Open Source Libraries </h2><p paraeid="{401a55bf-a23b-452f-8450-c1cea3a41d2f}{135}" paraid="994294251">Open source libraries, or 3rd party libraries, contain vulnerabilities that are standardized in the <a href="https://nvd.nist.gov/" rel="noreferrer noopener" target="_blank">National Vulnerability Database</a> (NVD). The NVD is a product of the <a href="https://www.nist.gov/" rel="noreferrer noopener" target="_blank">National Institute of Standards and Technology</a> (NIST) made to be “the U.S. government repository of standards based vulnerability management data.” To rate the severity of security vulnerabilities, it makes use of the <a href="https://www.sans.org/blog/what-is-cvss/" rel="noreferrer noopener" target="_blank">Common Vulnerability Scoring System</a>. </p><p lang="EN-US" paraeid="{2ef233cf-f13b-4052-9d90-97ee997b31b1}{71}" paraid="292794240" xml:lang="EN-US">As in the Log4j example above, one huge risk of these vulnerabilities is that once they are known to the NVD, they are known to attacker, too. It's very likely that attackers who know about it have already formulated a way to leverage the vulnerable vector. Many times, an attack is discovered weeks or months AFTER it’s already been in play. </p><p lang="EN-US" paraeid="{545b16c2-de79-4d25-a169-645d7664f1d5}{38}" paraid="216249692" xml:lang="EN-US">The <a href="https://info.veracode.com/report-state-of-software-security-2023.html" rel="noreferrer noopener" target="_blank">State of Software Security 2023</a> states: “Make sure your <a href="//www.veracode.com/products/software-composition-analysis">Software Composition Analysis</a> (SCA) solution leverages multiple sources for flaws (not just NVD) to give advanced warning to teams. Once a vulnerability is disclosed (even via unofficial channels), it’s a race against the clock to when active exploitation begins. It might take weeks to months for a vulnerability to appear in the NVD, and by then, in-the-wild exploits may have already begun.” </p><h2 aria-level="2" paraeid="{401a55bf-a23b-452f-8450-c1cea3a41d2f}{181}" paraid="1348627125" role="heading">Risk 2: Lack of Timely Updates and Patches </h2><p paraeid="{401a55bf-a23b-452f-8450-c1cea3a41d2f}{211}" paraid="1915167339">Another open source security risk comes from a lack of timely patches. Failure to update your open source dependencies can lead to leaving systems exposed to known vulnerabilities. You must keep up with updates to secure versions of libraries. A <a href="//www.veracode.com/blog/secure-development/sbom-explained-how-sboms-improve-cloud-native-application-security" rel="noreferrer noopener" target="_blank">Software Bill of Materials (SBOM)</a> helps you keep a current inventory of what’s in your applications. </p><p paraeid="{401a55bf-a23b-452f-8450-c1cea3a41d2f}{231}" paraid="1936085754">Going back to our Log4j example, it revealed that there is a “give a mouse a cookie” affect with things breaking due to accrued library update security debt. Our CTO and Founder, <a href="https://www.linkedin.com/in/wysopal/" rel="noreferrer noopener" target="_blank">Chris Wysopal</a>, shared: "Log4j created awareness that you should have as much security testing automation in build processes as possible. It was also a wake-up call to how security technical debt, when left unaddressed, can cause urgent issues to take an enormous amount of time to fix.” </p><h2 aria-level="2" paraeid="{401a55bf-a23b-452f-8450-c1cea3a41d2f}{251}" paraid="674051525" role="heading">Risk 3: Compliance and License Risks </h2><p paraeid="{20d23407-5182-433e-9fd0-ff8de1380279}{2}" paraid="1820938511">There are specific usage terms for many open source licenses with which you must comply. Imagine the nightmare that unfolds when you have a large application and one small part of it uses a library you don’t have a license for (let alone know who added it and why). </p><p lang="EN-US" paraeid="{d01e44ca-5177-4758-b85a-f1905671aa1d}{85}" paraid="1478302082" xml:lang="EN-US">Again, this is where the SCA and SBOM solutions help immensely. By scanning libraries, SCA helps you know if you are calling anything you need a license for and will actively manage license risk. Especially important for commercial applications, the SBOM is the record that shows verifiable proof that you have a license for everything in the application or applications being sold or acquired. </p><h2 aria-level="2" lang="EN-US" paraeid="{9cef5a63-19d1-4c36-93c4-040ab6acd045}{237}" paraid="1923745927" role="heading" xml:lang="EN-US">Risk 4: Community Dependence and Maintenance of Open Source Libraries </h2><p paraeid="{20d23407-5182-433e-9fd0-ff8de1380279}{44}" paraid="1327848358">A critical OSS security risk is that an open source project may or may not still have a developer updating the project. Data from the <a href="https://info.veracode.com/report-state-of-software-security-2023.html" rel="noreferrer noopener" target="_blank">State of Software Security 2023</a> tells us, “One out of every 10 repositories had their last commit more than almost six years ago.” </p><p lang="EN-US" paraeid="{38609d45-d2c4-45cd-9910-765b0976078c}{85}" paraid="537229452" xml:lang="EN-US">Adding to this risk of inactivity, you’re at risk of there not being a big (or engaged) enough community maintaining the OSS you’re dependent upon. The following State of Software Security 2023 figure shows Percent of Applications by Activity and Developer (by Language). Shockingly, 92% of JavaScript applications use at least one library maintained by a single contributor with zero contributions in the last year. </p><p lang="EN-US" paraeid="{38609d45-d2c4-45cd-9910-765b0976078c}{85}" paraid="537229452" xml:lang="EN-US"><img alt="State of Software 2023 Figure Percent of Applications by Activity and Developer (by Language)" data-entity-type="file" data-entity-uuid="86d437bc-eeba-401a-9336-e5d5376abe51" src="//www.veracode.com/sites/default/files/inline-images/Open%20Source%20Security%20Risks_Developer%20Activity%20in%20Library.png" /></p><h2 aria-level="2" paraeid="{20d23407-5182-433e-9fd0-ff8de1380279}{65}" paraid="1417775657" role="heading">Risk 5: Software Supply Chain Security Risks Due to Malicious Packages </h2><p paraeid="{31b81574-1f17-44b5-9c14-14323dd40376}{18}" paraid="1628783509">In contrast to accidental vulnerabilities in open source, another significant risk is deliberately malicious packages that contain malware. These malicious libraries can be mistakenly used with their malware properties unbeknownst to the developer. </p><p paraeid="{a8000fa9-44b6-4437-ba07-eeaad88a136d}{73}" paraid="1569826511">One way they get in your supply chain is a form of <a href="https://www.mcafee.com/learn/what-is-typosquatting" rel="noreferrer noopener" target="_blank">typosquatting</a> where an attacker creates a package that’s nearly identical to the real package, like “myUsefulFunction” vs “myUsefulFunctions.” Another way is in the compromise of an existing package by either an account takeover of the maintainer or just <a href="https://medium.com/intrinsic-blog/compromised-npm-package-event-stream-d47d08605502" rel="noreferrer noopener" target="_blank">a simple offer to help out</a>. </p><p paraeid="{e1a5f36d-3560-4958-91ba-8e953f85f4d2}{174}" paraid="349605119">Whereas accidental security flaws might require expertise to covertly exploit, malware is designed to be hard to detect, and once inserted, it may be operating for a long time before discovery. Since these attacks are deliberate, the probability of exploit is orders of magnitude higher. In fact, they are guaranteed in the case of attacks that automatically begin using your compute resources for nefarious operations. </p><p paraeid="{250032b5-b632-45d3-8bcf-0686474609c3}{7}" paraid="1660092656">One way to reduce the risk of malware from malicious packages is robust testing during initial software build and any time an application is rebuilt. You can learn about this and securing the software development lifecycle in our eBook, <a href="https://info.veracode.com/SDLC-eBook.html" rel="noreferrer noopener" target="_blank">6 Steps to Secure the SDLC</a>. </p><h2 aria-level="2" paraeid="{20d23407-5182-433e-9fd0-ff8de1380279}{82}" paraid="1274519954" role="heading">Open Source Security Strategy Resources to Measurably Reduce Risk </h2><p paraeid="{20d23407-5182-433e-9fd0-ff8de1380279}{98}" paraid="1502300778">Now that you know the top open source security risks, here are the top tips and vital strategy resources to help you keep your technology safe while increasing agility. </p><ul role="list"><li aria-setsize="-1" data-aria-level="1" data-aria-posinset="1" data-font="Symbol" data-leveltext="" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-listid="1" role="listitem"><p paraeid="{688d1b74-985d-4353-8ec1-952cebd2ce98}{76}" paraid="1602660776">Know what's going into the software you make. With <a href="//www.veracode.com/products/software-composition-analysis">SCA</a> and <a href="//www.veracode.com/products/container-security" rel="noreferrer noopener" target="_blank">Infrastructure as Code</a> scanning, you can make a constrained subset of allowable modules developers can use. Make sure you optimize for risk with a solution that can identify the <a href="//www.veracode.com/blog/managing-appsec/vulnerable-methods-under-hood" rel="noreferrer noopener" target="_blank">vulnerable methods</a> that really matter. </p></li><li aria-setsize="-1" data-aria-level="1" data-aria-posinset="2" data-font="Symbol" data-leveltext="" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-listid="1" role="listitem"><p paraeid="{1f48f2d3-eaa1-4949-9b15-e63727949181}{84}" paraid="891222176">Know what’s in the software you're using. Ask for an SBOM for third party software you install. It's likely that at some point the software you make or the software you use will contain a vulnerability derived from an open source component. Being able to quickly identify and remediate it might keep you out of serious trouble. </p></li><li aria-setsize="-1" data-aria-level="1" data-aria-posinset="3" data-font="Symbol" data-leveltext="" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-listid="1" role="listitem"><p paraeid="{c96bf7a3-8274-4e3b-bd9e-e9fdab534a41}{96}" paraid="198032552">Help development teams reduce new technical debt into the code base by giving them access to interactive, hands-on secure coding training (like <a href="//www.veracode.com/products/security-labs" rel="noreferrer noopener" target="_blank">Security Labs</a>) and allowing them to see flaw and remediation recommendations in the tools they use every day (like with <a href="//www.veracode.com/fix" rel="noreferrer noopener" target="_blank">Veracode Fix</a>). The more automated the flaw recommended remediations are, the better! </p></li></ul><p paraeid="{20d23407-5182-433e-9fd0-ff8de1380279}{138}" paraid="966311270">IBM’s <a href="https://www.ibm.com/reports/data-breach" rel="noreferrer noopener" target="_blank">Cost of a Data Breach 2023</a> tells us that the adoption of a DevSecOps approach is the most impactful factor when it comes to reducing the cost of a data breach. The successful DevSecOps approach includes open source security as a factor integrated into the steps. We show you how to do this in our <a href="https://info.veracode.com/devsecops-playbook.html" rel="noreferrer noopener" target="_blank">DevSecOps Playbook</a>. </p><p paraeid="{533ccb83-9336-4c26-9664-172bdf0995f3}{158}" paraid="190071620">Development teams play a huge role in reducing open source security risks. Our research team has done the work of finding secure development practices that make open source security tangible for developers. They are compiled in the following blog series, <a href="//www.veracode.com/blog/secure-development/secure-cloud-native-development-top-five-security-pitfalls-and-how-avoid" rel="noreferrer noopener" target="_blank">Secure Cloud-native Development: The Top Five Security Pitfalls and How to Avoid Them</a> </p></div> <span><span lang="" about="/users/ntischler" typeof="schema:Person" property="schema:name" datatype="">ntischler</span></span> <span>Mon, 11/27/2023 - 16:01</span> <div class="field field--name-field-featured-image field--type-image field--label-hidden field__item"> <img loading="lazy" src="/sites/default/files/Open%20Source%20Security_What%20You%20Must%20Know.jpg" width="1200" height="800" alt="" typeof="foaf:Image" /> </div> </description> <pubDate>Mon, 27 Nov 2023 21:01:16 +0000</pubDate> <dc:creator>ntischler</dc:creator> <guid isPermaLink="false">64146 at https://www.veracode.com</guid> </item><item> <title>Veracode Revolutionizes Cloud-Native Security with Dynamic Duo: DAST Essentials and Veracode GitHub App</title> <link>https://www.veracode.com/press-release/veracode-revolutionizes-cloud-native-security-dynamic-duo-dast-essentials-and</link> <description><span>Veracode Revolutionizes Cloud-Native Security with Dynamic Duo: DAST Essentials and Veracode GitHub App</span> <div class="field field--name-body field--type-text-with-summary field--label-hidden field__item"><p align="center" style="text-align:center; margin-bottom:11px"><span style="font-size:11pt"><span style="line-height:115%"><span style="vertical-align:baseline"><span style="font-family:Calibri,sans-serif"><i><span lang="EN-US" style="font-family:"Trebuchet MS",sans-serif">Intelligent Software Security Leader Unveils Unified Defense Against Threats from Code to Cloud at AWS re:Invent 2023 </span></i></span></span></span></span></p><p style="margin-bottom:11px"><span style="font-size:11pt"><span style="line-height:115%"><span style="vertical-align:baseline"><span style="font-family:Calibri,sans-serif"><b><span lang="EN-US" style="font-family:"Trebuchet MS",sans-serif">Burlington, Mass. & Las Vegas, Nevada – AWS re:Invent booth #270 – November 27, 2023 - </span></b><span lang="EN-US" style="font-family:"Trebuchet MS",sans-serif">Veracode, a global leader in intelligent software security, today announced product innovations to enhance the developer experience. The new features integrate security into the software development lifecycle (SDLC) and drive adoption of application security techniques in the environments where developers work.</span></span></span></span></span></p><p style="margin-bottom:11px"><span style="font-size:11pt"><span style="line-height:115%"><span style="vertical-align:baseline"><span style="font-family:Calibri,sans-serif"><span lang="EN-US" style="font-family:"Trebuchet MS",sans-serif">According to a recent study by analyst firm IDC, 84 percent of organizations say developer acceptance of security tooling is the “most important requirement” or a “very important requirement” for DevSecOps adoption.¹ Veracode’s latest innovations redefine the approach to securing cloud-native applications throughout the SDLC, reinforcing the company’s commitment to providing a unified platform for comprehensive security risk management.</span></span></span></span></span></p><p style="margin-bottom:11px"><span style="font-size:11pt"><span style="line-height:115%"><span style="vertical-align:baseline"><span style="font-family:Calibri,sans-serif"><span lang="EN-US" style="font-family:"Trebuchet MS",sans-serif">Brian Roche, Chief Product Officer at Veracode said, “Developers face immense pressure to rapidly deliver innovations, often resorting to mechanisms such as LLMs and open source to expedite the process. Unfortunately, this approach can result in insecure code consumption and solutions that exacerbate security risks rather than mitigate them. The situation is compounded by existing security tools that add complexity rather than simplifying the process for developers.</span></span></span></span></span></p><p style="margin-bottom:11px"><span style="font-size:11pt"><span style="line-height:115%"><span style="vertical-align:baseline"><span style="font-family:Calibri,sans-serif"><span lang="EN-US" style="font-family:"Trebuchet MS",sans-serif">Veracode addresses this challenge by providing a unified platform that not only monitors and mitigates risk but also streamlines developer workflows across repositories, IDEs, and the cloud. By delivering developer-friendly security tools, we empower organizations to deliver secure software faster, eliminating the need to compromise between security and speed.” </span></span></span></span></span></p><p style="margin-bottom:11px"><span style="font-size:11pt"><span style="line-height:115%"><span style="vertical-align:baseline"><span style="font-family:Calibri,sans-serif"><b><span lang="EN-US" style="font-family:"Trebuchet MS",sans-serif">The Next Frontier: DAST Essentials</span></b></span></span></span></span></p><p style="margin-bottom:11px"><span style="font-size:11pt"><span style="line-height:115%"><span style="vertical-align:baseline"><span style="font-family:Calibri,sans-serif"><span lang="EN-US" style="font-family:"Trebuchet MS",sans-serif">In a world where web applications account for 60 percent of breaches² and API attacks skyrocketed by 137 percent in 2022,³ ensuring cloud-native applications are sufficiently protected and continuously monitored is paramount. Dynamic scanning analyzes live runtime systems using real-world attack methods in a safe environment and can be performed in a pre-production environment—within the SDLC. Traditional point solutions fall short and often don’t offer the scalability and flexibility required by growing organizations. In contrast, Veracode’s DAST Essentials is an agile solution that empowers developers and security teams to address risk easily at speed and scale.</span></span></span></span></span></p><p style="margin-bottom:11px"><span style="font-size:11pt"><span style="line-height:115%"><span style="font-family:Calibri,sans-serif"><span lang="EN-US" style="font-family:"Trebuchet MS",sans-serif">"As organizations continue to grapple with the challenge of securing an ever-expanding attack surface, the need for comprehensive solutions is undeniable. Balancing speed of development with robust security is a daunting task, hindered by the time-consuming nature of regular dynamic scans and the disconnect between development and security teams," said Katie Norton, senior research analyst, DevOps and DevSecOps, at IDC. "Solutions, like Veracode DAST Essentials, that are integrated and reduce friction for developers can help to accelerate secure software development, unify remediation efforts, and empower organizations to strengthen their defenses in the evolving cybersecurity landscape.”</span></span></span></span></p><p style="margin-bottom:11px"><span style="font-size:11pt"><span style="line-height:115%"><span style="vertical-align:baseline"><span style="font-family:Calibri,sans-serif"><span lang="EN-US" style="font-family:"Trebuchet MS",sans-serif">With one of the lowest customer-reported false-positive rates (below five percent), Veracode DAST Essentials scans and tests multiple web applications and APIs (Application Programming Interfaces) simultaneously. Veracode’s State of Software Security research found 80 percent of web applications have critical vulnerabilities that can only be identified through dynamic scanning. This emphasizes the critical role DAST (Dynamic Application Security Testing) plays in a robust application security program, ensuring organizations can address exploitable vulnerabilities in cloud-native software accurately and swiftly. </span></span></span></span></span></p><p style="margin-bottom:11px"><span style="font-size:11pt"><span style="line-height:115%"><span style="vertical-align:baseline"><span style="font-family:Calibri,sans-serif"><span lang="EN-US" style="font-family:"Trebuchet MS",sans-serif">Supply chain solutions specialist, Manhattan Associates, chose to partner with Veracode on its dynamic analysis and cloud-native security program. Rob Thomas, Executive Vice President, Research & Development and Cloud Operations at Manhattan Associates, said, “Veracode’s tenure in the industry and the fact that they are cloud-based means they can continually deliver new innovation. Having a cloud-native partner like Veracode enables us to scan our software continuously so we have real-time confidence that our solution is as safe as possible.”</span></span></span></span></span></p><p style="margin-bottom:11px"><span style="font-size:11pt"><span style="line-height:115%"><span style="vertical-align:baseline"><span style="font-family:Calibri,sans-serif"><b><span lang="EN-US" style="font-family:"Trebuchet MS",sans-serif">Enhancing Developer Workflows: Veracode GitHub App </span></b></span></span></span></span></p><p style="margin-bottom:11px"><span style="font-size:11pt"><span style="line-height:115%"><span style="vertical-align:baseline"><span style="font-family:Calibri,sans-serif"><span lang="EN-US" style="font-family:"Trebuchet MS",sans-serif">Veracode understands the challenges developers face in adopting cloud-native security measures without disrupting their workflows. The Veracode GitHub App facilitates developer adoption, allowing application security teams to configure once and seamlessly onboard developers. This integration enables developers to fix code quickly in the environments where they work with a single tool for static, software composition analysis (SCA), and container security scanning. The result is a faster, frictionless development process that doesn’t compromise security.</span></span></span></span></span></p><p style="margin-bottom:11px"><span style="font-size:11pt"><span style="line-height:115%"><span style="vertical-align:baseline"><span style="font-family:Calibri,sans-serif"><b><span lang="EN-US" style="font-family:"Trebuchet MS",sans-serif">Enhanced Repo Scanning</span></b></span></span></span></span></p><p style="margin-bottom:11px"><span style="font-size:11pt"><span style="line-height:115%"><span style="vertical-align:baseline"><span style="font-family:Calibri,sans-serif"><span lang="EN-US" style="font-family:"Trebuchet MS",sans-serif">Scanning cloud-native applications for the first time is often a manual, complex and frustrating process. The Veracode GitHub App simplifies this by providing developers with frustration-free scan results in their preferred environment. DevOps teams can easily onboard repositories without manual setup, maintaining development velocity and streamlining scan processes. With the ability to standardize scan configurations across hundreds of repositories using a single click, DevOps teams can reduce friction and integrate cloud-native security much earlier in the development cycle. </span></span></span></span></span></p><p style="margin-bottom:11px"><span style="font-size:11pt"><span style="line-height:115%"><span style="vertical-align:baseline"><span style="font-family:Calibri,sans-serif"><span lang="EN-US" style="font-family:"Trebuchet MS",sans-serif">Roche closed, “Ensuring the security of cloud-native applications has never been more crucial. Developers are assembling code just as much as they’re writing it, meaning even the most meticulously built applications are susceptible to threat. To protect the software supply chain, modern application development demands a paradigm shift in security practices. As distributed cloud app development methods take hold, these latest product innovations demonstrate Veracode is embracing the dynamic nature of the cloud-native landscape to lead the charge in securing our digital future."</span></span></span></span></span></p><p style="margin-bottom:11px"><span style="font-size:11pt"><span style="line-height:115%"><span style="vertical-align:baseline"><span style="font-family:Calibri,sans-serif"><span lang="EN-US" style="font-family:"Trebuchet MS",sans-serif">This announcement follows the launch earlier this year of AI-powered remediation engine, </span><a href="//www.veracode.com/fix" style="color:blue; text-decoration:underline"><span style="font-family:"Trebuchet MS",sans-serif">Veracode Fix</span></a><span lang="EN-US" style="font-family:"Trebuchet MS",sans-serif">, which was named one of the </span><a href="https://www.crn.com/news/security/20-hottest-cybersecurity-products-at-rsac-2023/14" style="color:blue; text-decoration:underline"><span style="font-family:"Trebuchet MS",sans-serif">20 Hottest Cybersecurity Products</span></a> <span lang="EN-US" style="font-family:"Trebuchet MS",sans-serif">and </span><a href="https://www.csoonline.com/article/575127/most-interesting-products-to-see-at-rsa-conference-2023.html" style="color:blue; text-decoration:underline"><span style="font-family:"Trebuchet MS",sans-serif">most interesting products to see</span></a> <span lang="EN-US" style="font-family:"Trebuchet MS",sans-serif">at RSA Conference 2023.</span></span></span></span></span></p><p style="margin-bottom:11px"><span style="font-size:11pt"><span style="line-height:115%"><span style="vertical-align:baseline"><span style="font-family:Calibri,sans-serif"><b><span lang="EN-US" style="font-family:"Trebuchet MS",sans-serif">AWS re:Invent Unveiling</span></b></span></span></span></span></p><p style="margin-bottom:11px"><span style="font-size:11pt"><span style="line-height:115%"><span style="vertical-align:baseline"><span style="font-family:Calibri,sans-serif"><span lang="EN-US" style="font-family:"Trebuchet MS",sans-serif">The market availability of all these capabilities will be announced at AWS re:Invent 2023, November 27th to December 1st in Las Vegas, Nevada.</span></span></span></span></span></p><p><span style="font-size:11pt"><span style="line-height:115%"><span style="vertical-align:baseline"><span style="font-family:Calibri,sans-serif"><span lang="EN-US" style="font-family:"Trebuchet MS",sans-serif">Visit booth #270 at AWS re:Invent to find out more about Veracode’s intelligent software security platform innovations, including </span><a href="//www.veracode.com/blog/managing-appsec/securing-your-web-applications-and-apis-dast-essentials#:~:text=DAST%20Essentials%2C%20part%20of%20Veracode's,real%2Dtime%20insights%20into%20vulnerabilities." style="color:blue; text-decoration:underline"><span style="font-family:"Trebuchet MS",sans-serif">Veracode DAST Essentials</span></a><span lang="EN-US" style="font-family:"Trebuchet MS",sans-serif">, Veracode GitHub App, and Veracode Fix. </span></span></span></span></span></p><p><span style="font-size:11pt"><span style="line-height:115%"><span style="vertical-align:baseline"><span style="font-family:Calibri,sans-serif"><span lang="EN-US" style="font-family:"Trebuchet MS",sans-serif">¹ IDC, “DevSecOps Adoption, Techniques, and Tools Survey,</span> <span lang="EN-US" style="font-family:"Trebuchet MS",sans-serif">2023,” Katie Norton and Jim Mercer, May 2023</span></span></span></span></span><br /><span style="font-size:11pt"><span style="line-height:115%"><span style="vertical-align:baseline"><span style="font-family:Calibri,sans-serif"><span style="font-family:"Trebuchet MS",sans-serif">²</span><span lang="EN-US" style="font-family:"Trebuchet MS",sans-serif"> Verizon, “2023 Data Breach Investigations Report,” June 2023</span> </span></span></span></span><br /><span lang="EN-US" style="font-size:11.0pt"><span style="line-height:107%"><span style="font-family:"Trebuchet MS",sans-serif">³ Akamai, State of the Internet (SOTI) report, April 2023</span></span></span></p></div> <span><span lang="" about="/users/kgwilliam" typeof="schema:Person" property="schema:name" datatype="">kgwilliam</span></span> <span>Mon, 11/27/2023 - 06:12</span> <div class="field field--name-field-date field--type-datetime field--label-above"> <div class="field__label">Date</div> <div class="field__item"><time datetime="2023-11-27T12:00:00Z">Mon, 11/27/2023 - 12:00</time></div> </div> <div class="field field--name-field-image field--type-image field--label-above"> <div class="field__label">Content Image</div> <div class="field__item"> <img loading="lazy" src="/sites/default/files/2021-02/news-options-veracode.jpg" width="350" height="230" alt="" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-featured-resource field--type-boolean field--label-above"> <div class="field__label">Primary Press Release ?</div> <div class="field__item"></div> </div> <div class="field field--name-field-primary-featured-resource field--type-boolean field--label-above"> <div class="field__label">Featured News</div> <div class="field__item">On</div> </div> <div class="field field--name-field-resource-image field--type-entity-reference field--label-above"> <div class="field__label">Featured Image</div> <div class="field__item"><a href="/media/image/7821" hreflang="en">news-options-veracode.jpg</a></div> </div> <div class="field field--name-field-promoted-to-home field--type-boolean field--label-above"> <div class="field__label">Promoted to home</div> <div class="field__item">Off</div> </div> <div class="field field--name-field-resource-featured-resource field--type-boolean field--label-above"> <div class="field__label">Feature press release on homepage</div> <div class="field__item">Off</div> </div></description> <pubDate>Mon, 27 Nov 2023 11:12:11 +0000</pubDate> <dc:creator>kgwilliam</dc:creator> <guid isPermaLink="false">64136 at https://www.veracode.com</guid> </item><item> <title>Security and developers: the importance of training</title> <link>https://www.veracode.com/64131</link> <description><span>Security and developers: the importance of training</span> <span><span lang="" about="/users/jonathanwong2xmarketing" typeof="schema:Person" property="schema:name" datatype="" content="Jonathan.Wong@2x.marketing">Jonathan.Wong@…</span></span> <span>Thu, 11/23/2023 - 02:40</span> <div class="field field--name-field-source field--type-string field--label-above"> <div class="field__label">Source</div> <div class="field__item">techfromthenet.it</div> </div> <div class="field field--name-field-date field--type-datetime field--label-above"> <div class="field__label">Date</div> <div class="field__item"><time datetime="2023-11-16T12:00:00Z">Thu, 11/16/2023 - 12:00</time></div> </div> <div class="field field--name-field-link field--type-link field--label-above"> <div class="field__label">Link</div> <div class="field__item"><a href="https://techfromthenet.it/2023/11/16/sicurezza-e-sviluppatori-limportanza-della-formazione/">https://techfromthenet.it/2023/11/16/sicurezza-e-sviluppatori-limportanza-della…</a></div> </div> <div class="field field--name-field-image field--type-image field--label-above"> <div class="field__label">Content Image</div> <div class="field__item"> <img loading="lazy" src="/sites/default/files/2023-11/techfromthenet.it_news_logo.png" width="350" height="230" alt="" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-featured-resource field--type-boolean field--label-above"> <div class="field__label">Primary News ?</div> <div class="field__item"></div> </div> <div class="field field--name-field-cta-text field--type-string field--label-above"> <div class="field__label">CTA Text</div> <div class="field__item">Check it Out</div> </div> <div class="field field--name-field-resource-image field--type-entity-reference field--label-above"> <div class="field__label">Featured Image</div> <div class="field__item"><a href="/media/image/18801" hreflang="en">techfromthenet.it news logo.png</a></div> </div></description> <pubDate>Thu, 23 Nov 2023 07:40:35 +0000</pubDate> <dc:creator>Jonathan.Wong@2x.marketing</dc:creator> <guid isPermaLink="false">64131 at https://www.veracode.com</guid> </item> </channel></rss> 
