Tips for developing successful application security

Craig De Lucchi, Account Director, CA Southern Africa.

---

CA Southern Africa has revealed details of the 2023 Veracode State of Software Security report, which highlights factors that introduce flaws in application development and how to avoid them.

“When it comes to application security programmes, what separates the middle of the pack from the front (or the back) of the maturity curve?” asks Craig de Lucchi, Account Director, CA Southern Africa. “The answer to this is that seemingly small percentages that translate into larger differences over time plus factors that can be influenced are the differentiators,” he says.

The following are Veracode’s recommendations to reduce security debt and avoid introducing security flaws that accumulate over the life of applications.

“This refers to the remediation curve – it must fall early and faster, since, by the time an application is two years old, we see flaws accumulating, whereby something happens to the application or to the groups developing them. Whether increasing application complexity from years of steady growth or diminishing focus on production applications over time, the familiar pattern of an upwards slant is clear. We do know that by the time an application is 10 years old, there is a 90% chance that it has at least one flaw.

“The report notes that development teams must take steps to reduce the factors that result in the accumulation of flaws as applications go through their life cycle.”

Veracode strongly recommends developer training that is proven to be highly effective in avoiding the introduction of flaws. The report reveals that companies taking at least one of the Veracode Security Labs courses saw a 35% reduction in remediation time,” says De Lucchi.

Veracode examined the factors that contribute to remediation and isolated them, to see how they help prevent flaws from being introduced in the first place. “The good news is that things like scan cadence, scanning via PI and developer security training hold up as beneficial for both flaw introduction and remediation,” he adds.

Common weakness enumeration (CWE) is a community-developed list of common software and hardware weakness types that have security ramifications. Veracode determined that developer awareness of which categories of CWE (and even individual CWEs) are introduced is a good starting spot for creating targeted training programmes. Not introducing flaws in the first place is the name of the game. Automation may be a work in progress for some development teams, but training is within reach and should be a priority given its benefits. For those teams that want a quicker return on the time investment, consider targeting the top flaws and CWEs for the languages in use. The Veracode report has given solid guidance on how to reduce the number of flaws introduced in the first place.

“It’s often an uncomfortable organisational discussion regarding who owns an application. Who are the primary stakeholders? The business leaders, the engineering group that develops and maintains the application, the end users that the application serves or the CIO and IT team who deal with the operations, data and migrations? Or is it the person who is called the application owner but who left two years ago? Veracode recommends not getting hung up on the daunting project of creating an exhaustively complete inventory of applications and owners up front. Owners change, developers come and go, business stakeholder priorities change and that will complicate any nascent efforts to gain insight into the flaw introduction root cause analysis.”

Complete rewrites can be unacceptably expensive in terms of resources so organisations are urged to examine if an application is still fit for purpose after five years. “Initial discussions could lead to planned obsolescence for some applications and some form of review of the processes and quality control measures involved in continuous product engineering. These ideas to improve supportability over time lead Veracode back to the idea of introducing and maturing the practice of application life cycle management,” says De Lucchi.

“Veracode aims to assist customers to understand the factors that go into flaw introduction and how to introduce faster remediation. These are essential steps towards lowering security debt regardless of the development language involved; implementing these recommendations will ensure an improvement in companies’ application security programmes in 2023 and beyond,” concludes De Lucchi.