Tuesday, March 1, 2016

Veracode's State of Software Security Report Supplement to Vol 6, Fall 2015: Application Development Landscape

In return for your contact details, you can download an analysis of the application development landscape by Veracode (a company known for its application security products and services). Their executive summary lists five very relevant conclusions, based on thousands of application security analysis reports and 1.5 trillion lines of code:
  1. Applications written in web scripting languages have a far higher prevalence rate of vulnerability classes like SQL injection and Cross-Site Scripting than applications written in .NET or Java.
  2. Mobile applications had the highest rate of cryptographic issues, at 87 percent for Android and 80 percent for iOS.
  3. Applications written in different software languages have differing pass rates against common security policies like the OWASP Top 10.
  4. eLearning has a big impact on remediation.
  5. The choice of assessment type can make a difference in remediation as well.
"Data shows that development organizations that leverage eLearning see a 30 percent improvement in fix rate compared to those that do not."
So ... if you not only want to know about the weaknesses in your code, but also want to make sure they get fixed, that is more likely to happen if you have established a training program on secure coding. It's a pity you cannot measure things that do not occur, because I am pretty much convinced that a properly trained developer will not write insecure code in the first place (unless he gets sloppy because of unrealistic expectations from the business, or he simply does not care about his job anymore).
There is a single quote in that report that I do not fully support: "It is challenging to obtain precise measurements of the effectiveness of developer education". Yes ... if your secure coding eLearning consists of 2000 slides (when was the last time you thought THAT was fun) or hour-long modular videos where after 10 minutes you want to shoot your colleagues with a NERF gun ...
The only things you can measure then are whether they have completed the training, how much time it took, and how many answers of the multiple choice quiz they got right. Not very measurable. I agree.
However, this is exactly why we created Secure Code Warrior: to make the effectiveness of secure coding training measurable.
Some of the metrics you can get out of the platform:
Metrics about myself. Shows how bad I am in Sensitive Data Protection and how average I am in Authentication and Access Control. Still 3rd place in my team though!
  • What level of maturity does my developer have (Security Beginner, Security Aware, Security Skilled or Security Champion)?
  • What languages and frameworks can my developer code securely in?
  • What are the strengths and weaknesses of my developers in terms of secure coding? Which types of vulnerabilities do they always/sometimes/never write and fix?
  • How many hours has my developer spent this year on hands-on training (not really a meaningful metric, but it is audit evidence for your next PCI DSS audit)?
As a last point for anyone who decides that secure coding training is important, the Veracode report provides statistics on which vulnerabilities are common in which language. Here are the top three per language from the report:
  • PHP: Cross-site Scripting, Cryptographic Issues and Directory Traversal
  • C/C++: Error Handling, Buffer Overflow and Buffer Management Errors
  • Java: Code Quality, CRLF Injection and Cryptographic Issues
  • .NET: Information Leakage, Code Quality and Cryptographic Issues
And I am pretty sure that if you split these statistics up further per framework, you will get completely different results. For example, Java might have SQL injection listed as issue #11, but the Java Spring Framework provides templates/protection against it by default (with a few exceptions).
As a conclusion, anyone who wants to reduce the number of security vulnerabilities written in code, or increase the number of security bugs that get fixed, should think about educating their developers, making sure that:
  1. The training is relevant for the developer's language and framework
  2. There are measurable outcomes on the effectiveness of the training