Application Security

Application Security Improvement

July 12th, 2016

The average organization uses and implements around 229,000 open source components for developing software, according to research conducted by Sonatype, a provider of software development lifecycle solutions. Sonatype manages a central repository of these components for the Java development community. According to the survey, 31 billion download requests were made to the repository in 2015, compared with 17 billion in 2014.

The number “blows people’s minds,” said Derek Weeks, a VP and DevOps advocate at Sonatype. “The perspective of the application security professional or DevOps security professional or open source governance professional is, ‘This really changes the game. If it were 100, I could control that, but if it is 200,000 the world has changed.’”

The firm also found certain application security issues related to the use of open source components.

“The application security professional’s usual response to that is ‘that doesn’t mean those vulnerabilities ended up in our applications.’ But when we looked across 25,000 applications we saw an average of 6.8 percent of components across those apps had at least one known vulnerability,” Weeks said. “That tells me that from the beginning of the software supply chain to the end products developed through these supply chains, there isn’t enough control.”

Weeks said that the study was conducted to educate and increase awareness around the massive consumption of open source components.

“By revealing this information, we think we can help change people’s behavior around how they think about and use open source components in wiser, more efficient and safer ways,” he said.

Supply chain best practices can also be used to improve application security. One example is building in quality as early as possible by sourcing fewer and better components.

“From an application security perspective if you are a CISO that has 2,000 developers individually sourcing components, it is very difficult to audit, protect and maintain your organization. If you limit the number of places where components can come in, you can ensure you know what is coming in and can use the opportunity to vet it,” he said. “This is a fundamental supply chain best practice. Toyota has hundreds of thousands of employees but not hundreds of thousands of employees in procurement; the number of employees that is vetting the components in their products is fairly small.”

Weeks also mentioned that managing and vetting open source components is further complicated by the fact that there are separate repositories for different development languages, including PHP, Python and Ruby.

Weeks explained: “You might say, ‘You can’t use any component with a CVSS Level 10 vulnerability anywhere in our organization.’ Your solution can automatically check for that and notify the developer. It’s like a food label on a product on the grocery shelf; it can help make a decision as to whether a component complies with the organization’s standards.”
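The policy check Weeks describes, as an added example that is not from the article or from Sonatype: it labels each component of a constructed inventory, blocks anything with a CVSS 10 vulnerability or from an unapproved source, and reports the share of components with a known vulnerability. The approved-source URL, component names and advisory ids are hypothetical placeholders.

```python
from dataclasses import dataclass, field

# The CVSS 10 rule is the policy quoted in the article; the approved-source
# list is an assumption illustrating "limit the places components come in".
BLOCK_AT_CVSS = 10.0
APPROVED_SOURCES = {"https://repo.internal.example/maven"}  # hypothetical

@dataclass
class Component:
    name: str
    version: str
    source: str
    vulns: list = field(default_factory=list)  # (advisory id, CVSS score)

def label(c):
    """Build the 'food label' for one component: facts, verdict, reasons."""
    reasons = []
    if c.source not in APPROVED_SOURCES:
        reasons.append(f"unapproved source {c.source}")
    for vuln_id, score in c.vulns:
        if not 0.0 <= score <= 10.0:
            raise ValueError(f"{vuln_id}: CVSS score {score} out of range")
        if score >= BLOCK_AT_CVSS:
            reasons.append(f"{vuln_id} has CVSS {score}")
    return {
        "component": f"{c.name}:{c.version}",
        "known_vulns": len(c.vulns),
        "max_cvss": max((s for _, s in c.vulns), default=None),
        "verdict": "block" if reasons else "allow",
        "reasons": reasons,
    }

def audit(components):
    """Label every component; return labels, developer notices, % vulnerable."""
    labels = [label(c) for c in components]
    notices = [f"{l['component']} blocked: {'; '.join(l['reasons'])}"
               for l in labels if l["verdict"] == "block"]
    vulnerable = sum(1 for l in labels if l["known_vulns"])
    pct = round(100.0 * vulnerable / len(labels), 1) if labels else 0.0
    return labels, notices, pct

# Constructed sample inventory; names, URLs and advisory ids are placeholders.
OK_SRC = "https://repo.internal.example/maven"
SAMPLE = [
    Component("example-logging", "1.2.0", OK_SRC),
    Component("example-parser", "3.1.4", OK_SRC, [("ADVISORY-PLACEHOLDER-1", 10.0)]),
    Component("example-http", "0.9.1", OK_SRC, [("ADVISORY-PLACEHOLDER-2", 5.3)]),
    Component("example-utils", "2.0.0", "https://downloads.example.net/jars"),
]
```

Calling `audit(SAMPLE)` returns the per-component labels, the notices to send to developers, and the percentage of components carrying at least one known vulnerability.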

____________________________________________________________________________________________


Skill gap widens for information security professionals

April 9th, 2015

Today, organizations are finding it difficult to manage IT security threats and avoid errors. They also face challenges in recovering after a cyber attack. According to the survey, by 2020 there will be a shortfall of 1.5 million information security professionals.

The IT security of companies is being threatened by an understaffed workforce and a high level of complexity. The survey, conducted by (ISC)2, polled 3,000 information security professionals and practitioners worldwide.

“Our first workforce study was conducted in 2004 to illuminate critical concerns within the information and cyber security that were struggling for attention,” said Adrian Davis, managing director, EMEA, at (ISC)2.

“The 2015 report shows that many of these issues are finally getting much-needed budget and priority, but we are facing new challenges and our skills and staffing challenge is growing,” he added.

Davis said that the findings are more or less similar in the US and Europe.

“There are some small differences from country to country, but at a higher level, as information security environments become increasingly homogeneous, there is not much variance,” he told Computer Weekly.

“This is likely to be due to the fact that the legal and privacy environment in Germany may make companies more sensitive to protecting information,” he said.

The study also shows that security spending is increasing across companies.

“We are playing catch-up in an environment where information security has never really made its case as being an interesting and exciting career, and where security professionals are retiring faster than they are being replaced,” said Davis.