Addressing New-Age Security Testing Challenges With Focused Technology Platforms
The days of developers writing every line of code from scratch are over. The intense demand for newer, better software means development cycles have become correspondingly intense. Moreover, the need for continuous testing and development and continuous integration is growing as application development keeps getting more complex. Security testing challenges and database testing risks are increasing as cybersecurity threats grow for all kinds of enterprises.
In turn, developers need to rely on the pre-built functionality in open-source libraries to keep up with the development and testing challenges. The problem with this practice is that it introduces a whole new layer of vulnerabilities into organizations’ code, and these vulnerabilities are often harder to identify than those in first-party code. Whilst this has been a known issue for some time, organizations are only now seeking second-generation solutions, including penetration testing solutions, that address the business issue in a more comprehensive way. These solutions and expertise can be defined and offered through strategic partnerships in the industry.
CA Veracode, Cigniti’s strategic partner in the Security Testing domain, recently acquired SourceClear Technologies. Veracode enhanced and expanded Cigniti’s joint software composition analysis offering with this acquisition, helping developers code quickly and securely. Cigniti’s Security TCoE comprises dedicated teams of specialists who handle security testing challenges with deep expertise spanning multiple domains/industries and cutting-edge technological resources/tools.
Following are some of the key requisites for testers and developers while dealing with security and related development and penetration testing challenges.
Vulnerable methods – worry (less) about what you don’t have to worry (a lot) about
When developers pull in an open-source library, they often use only one small piece of it, typically a single method or function. If the library as a whole is tagged as vulnerable, you need to know whether your data actually passes through the vulnerable part, or whether the method or function you use is unaffected and therefore safer to consume in your code base.
Using control flow analysis, the SourceClear scanner can tell if your first-party code calls the function in an open-source component containing a vulnerability. This allows developers to prioritize work better and dramatically decreases remediation work, in some cases by up to 90 percent. This is where Veracode allows business to continue – with great security insight.
Dependency mapping – do you know the number of libraries you call?
When developers build open-source libraries, they often leverage and call other open-source libraries, and those libraries may in turn contain methods from a third library, so the compound threat effect is easy to see. The result is layers of open-source libraries connected together, and it is common for a vulnerability in an open-source library to be five or six levels removed from your first-party code. As part of building a better understanding of the risks in your code base, SourceClear can map these dependencies through all the open-source code in use. In this way, you can identify vulnerabilities you would otherwise never know about and, importantly, decide where to start on the journey to cleaner, more secure code.
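As an added illustration of the two ideas above (example code written for this page, not SourceClear's or Veracode's scanner): given a constructed dependency manifest and call graph, it reports how many levels removed each flagged library is and whether first-party code actually reaches the flagged function, which is what lets a team deprioritise an unreachable finding. All library, function and advisory names are hypothetical.

```python
# Constructed sample manifest (not from the page): library -> libraries it pulls in.
DEPENDENCIES = {
    "app": ["web-framework", "json-utils"],
    "web-framework": ["http-parser", "template-engine"],
    "http-parser": ["charset-lib"], "template-engine": ["json-utils"],
    "charset-lib": ["legacy-decoder"],
    "json-utils": [], "legacy-decoder": [],
}
# Constructed call graph: "library.function" -> functions it calls.
CALL_GRAPH = {
    "app.handle_request": ["web-framework.parse", "json-utils.dumps"],
    "web-framework.parse": ["http-parser.parse_headers"],
    "http-parser.parse_headers": ["charset-lib.decode"],
    "charset-lib.decode": ["legacy-decoder.decode_safe"],
}
# Constructed advisories (hypothetical function names): flagged functions per library.
VULNERABLE = {"charset-lib": {"decode"}, "legacy-decoder": {"decode_unchecked"}}

def dependency_paths(root, target, deps):
    """Every dependency chain from root to target; chain length gives the depth."""
    paths, stack = [], [(root, [root])]
    while stack:
        node, path = stack.pop()
        if node == target:
            paths.append(path)
            continue
        for child in deps.get(node, []):
            if child not in path:  # skip cycles in the dependency graph
                stack.append((child, path + [child]))
    return paths

def reachable_functions(entry_points, call_graph):
    """Transitive closure of the call graph from the first-party entry points."""
    seen, stack = set(), list(entry_points)
    while stack:
        fn = stack.pop()
        if fn not in seen:
            seen.add(fn)
            stack.extend(call_graph.get(fn, []))
    return seen

def assess(root, entry_points, deps=DEPENDENCIES, call_graph=CALL_GRAPH, vuln=VULNERABLE):
    """Per flagged library: levels removed from root, and flagged functions actually reached."""
    reached, report = reachable_functions(entry_points, call_graph), {}
    for lib, bad_fns in vuln.items():
        paths = dependency_paths(root, lib, deps)
        if paths:  # the library is in the tree, directly or transitively
            called = sorted(f"{lib}.{fn}" for fn in bad_fns if f"{lib}.{fn}" in reached)
            report[lib] = {"depth": min(len(p) - 1 for p in paths), "reached": called}
    return report
```

Running `assess("app", ["app.handle_request"])` on the sample data flags charset-lib (three levels down, flagged function reached) as the one to fix first, while legacy-decoder sits four levels down with its flagged function never called.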
Proprietary vulnerability database – it’s not JUST the NVD that matters – get AHEAD of the attack
SourceClear identifies vulnerabilities that are not in, or have not yet made it into, the National Vulnerability Database (NVD). SourceClear scours open-source repositories and scans the code to unearth these vulnerabilities. But that alone is not enough: you must also scan the metadata, commit logs, bug fixes, patch notes, and other developer comments. The SourceClear platform then uses a machine learning algorithm (verified by humans) to find security issues that have not yet been found or disclosed. This combined approach gives unparalleled levels of insight.
This enhanced database is extremely valuable. Why? Because it keeps organizations one step ahead of cyberattackers.
When a vulnerability is listed in the NVD, it is essentially being shared publicly for the first time, and it is shared with both organizations and cyberattackers. Usually, organizations have far less time to fix the vulnerability than attackers need to exploit it. The news is littered with stories of organizations breached in this way. With SourceClear’s technology, you and organizations like yours can find and fix vulnerabilities before they hit the NVD and the free cybercrime advertising it inadvertently provides.
Library catalog – built-in safety at the core
SourceClear maintains a list of approved libraries with their up-to-date vulnerability status. With this data, AppSec leaders can create catalogs for their developers with pre-approved open-source libraries to leverage.
CI/CD agent – placing new solutions within your existing toolchain
SourceClear is a SaaS platform with an agent that directly integrates with continuous integration and continuous delivery (CI/CD) platforms, providing a solution that is deeply embedded in the development process. With various SDLC integrations that leverage an agent sitting on the build server, SourceClear allows users to, in most cases, add a single line of code to their build and begin scanning every time a new build is initiated.
Cigniti has a dedicated Security Testing Center of Excellence (TCoE) that has developed methodologies, processes, templates, checklists, and guidelines for web applications, software products, networks, and the cloud. It offers end-to-end solutions for security testing challenges, including Network Penetration Testing, SCADA Network Vulnerability Assessment and Penetration Testing Solutions, Web Application Penetration Testing, and Wireless Network Assessment and Penetration Testing Solutions.
With this strategic partnership, both entities collectively present a robust set of Security Testing expertise to our clients for their application development and testing requirements – covering both custom and Open Source code.
Is cybersecurity a growing concern for your organization and business? Experts from Cigniti and CA Veracode can work with you to address your security testing challenges in the context of today’s digital landscape.
This blog is written in collaboration with CA Veracode, Cigniti’s strategic partner in the Security Testing domain.