{"id":12877,"date":"2018-09-24T19:20:17","date_gmt":"2018-09-24T13:50:17","guid":{"rendered":"https:\/\/cigniti.com\/blog\/?p=12877"},"modified":"2023-12-19T17:49:16","modified_gmt":"2023-12-19T12:19:16","slug":"addressing-new-age-security-testing-challenges","status":"publish","type":"post","link":"https:\/\/www.cigniti.com\/blog\/addressing-new-age-security-testing-challenges\/","title":{"rendered":"Addressing New-Age Security Testing Challenges With Focused Technology Platforms"},"content":{"rendered":"

The days of developers creating every line of code from scratch are over. The intense demand for newer, better software means development cycles have become correspondingly intense. Moreover, the need for\u00a0Continuous Testing\/Development<\/a> and Continuous Integration is growing as Application Development keeps getting more complex. Security Testing challenges and Database testing risks are increasing with the burgeoning Cybersecurity threats for all kinds of enterprises.<\/p>\n

To keep up, developers rely on the pre-built functionality of open-source libraries. The trade-off is that every imported library brings its own vulnerabilities into the organization's code base, and these are typically harder to spot than flaws in first-party code: nobody on the team wrote or reviewed the third-party code, and it changes with every upgrade. This has been a known problem for some time, but organizations are only now adopting second-generation solutions, including penetration testing services, that address it comprehensively. Such solutions and the expertise behind them can be delivered through strategic industry partnerships.<\/p>\n

CA Veracode, Cigniti\u2019s strategic partner in the Security Testing domain, recently\u00a0acquired<\/a>\u00a0SourceClear Technologies. Veracode enhanced and expanded Cigniti\u2019s joint software composition analysis offering with this acquisition, helping developers code quickly and securely. Cigniti\u2019s\u00a0Security TCoE<\/a>\u00a0comprises dedicated teams of specialists who handle security testing challenges with deep expertise spanning multiple domains\/industries and cutting-edge technological resources\/tools.<\/p>\n

The sections below cover the capabilities testers and developers need when dealing with the security, development and penetration testing challenges that stem from open-source dependencies.<\/p>\n

Vulnerable methods \u2013 worry (less) about what you don\u2019t have to worry (a lot) about<\/h2>\n

When developers pull in an open-source library, they usually use only a small part of it, often a single method or function. A library tagged as vulnerable is therefore not automatically a problem for you: what matters is whether your data passes through the vulnerable method, or whether the function you actually call is unaffected and safe to keep in your code base.<\/p>\n

Using call-graph (control flow) analysis, the SourceClear scanner can tell whether your first-party code calls the specific function in an open-source component that contains the vulnerability. This lets developers prioritize findings by real exposure and, according to Veracode, can cut remediation work by up to 90 percent. The aim is not to stop the business; it is to give developers security insight precise enough that they fix what actually matters first.<\/p>\n

Dependency mapping \u2013 do you know the number of libraries you call?<\/h2>\n

Open-source libraries are themselves built on other open-source libraries, which in turn call methods from further libraries, so a single direct dependency can bring in a compound risk. The result is layers of open-source code chained together, and it is common for a vulnerability to sit in a library five or six levels removed from your first-party code, where no manual review would find it. SourceClear maps these dependencies through all the open-source code in use, so you know what risks are in your code base, including vulnerabilities you would otherwise never learn about, and can decide where to start on the path to cleaner, more secure code.<\/p>\n
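As an added illustration (not code from the original post, nor from Veracode or SourceClear), the following Python sketches the two analyses described in this section and the previous one: a breadth-first walk over declared dependencies that records how many hops each transitive library is from the application, and a call-graph walk that decides whether a vulnerable method is actually reachable from first-party code. The package names, call graph and advisory identifiers are all constructed for the example; a real scanner would derive the dependency graph from a lockfile and the call graph from static analysis of the code.

```python
from collections import deque

# Constructed sample data for this example: hypothetical packages, functions and
# advisory identifiers, not real libraries or CVEs.
DEPENDENCIES = {
    'app': ['web-framework', 'json-util'],
    'web-framework': ['template-engine', 'http-core'],
    'template-engine': ['expr-parser'],
    'expr-parser': ['unicode-tables'],
    'unicode-tables': [],
    'http-core': ['compress-lib'],
    'compress-lib': [],
    'json-util': [],
}

# Call graph across package boundaries: caller -> callees, named 'package.function'.
# Hand-built here; a scanner would extract it from the compiled or parsed code.
CALL_GRAPH = {
    'app.handle_request': ['web-framework.route', 'json-util.dumps'],
    'web-framework.route': ['template-engine.render', 'http-core.parse_headers'],
    'template-engine.render': ['expr-parser.evaluate'],
    'expr-parser.evaluate': ['unicode-tables.normalize'],
    'http-core.parse_headers': ['compress-lib.safe_inflate'],
}

# Advisories keyed to the vulnerable method rather than to the whole package.
VULNERABLE_METHODS = {
    'unicode-tables.normalize': 'HYPO-2018-001',   # reached by the app (see below)
    'compress-lib.unsafe_inflate': 'HYPO-2018-002',  # package present, method never called
    'legacy-xml.parse': 'HYPO-2018-003',           # package not in this tree at all
}


def transitive_dependencies(root, deps=DEPENDENCIES):
    """BFS over declared dependencies. Returns {package: depth}, where depth is the
    number of hops below the root (root itself is 0). The visited check also
    terminates on cyclic dependency declarations."""
    depth = {root: 0}
    queue = deque([root])
    while queue:
        pkg = queue.popleft()
        for child in deps.get(pkg, []):
            if child not in depth:
                depth[child] = depth[pkg] + 1
                queue.append(child)
    return depth


def reachable_functions(entry_points, graph=CALL_GRAPH):
    """Transitive closure of the call graph from the given first-party entry points."""
    seen = set(entry_points)
    queue = deque(entry_points)
    while queue:
        fn = queue.popleft()
        for callee in graph.get(fn, []):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def package_of(qualified_name):
    """'package.function' -> 'package'."""
    return qualified_name.split('.', 1)[0]


def triage(root, entry_points, deps=DEPENDENCIES, graph=CALL_GRAPH,
           advisories=VULNERABLE_METHODS):
    """One finding per advisory whose package is somewhere in the dependency tree,
    annotated with the package depth and whether first-party code can reach the
    vulnerable method. Packages outside the tree produce no finding."""
    depth = transitive_dependencies(root, deps)
    reachable = reachable_functions(entry_points, graph)
    findings = []
    for method, advisory in sorted(advisories.items()):
        pkg = package_of(method)
        if pkg not in depth:
            continue
        hit = method in reachable
        findings.append({
            'method': method,
            'advisory': advisory,
            'package': pkg,
            'depth': depth[pkg],
            'reachable': hit,
            'priority': 'fix-now' if hit else 'track',
        })
    return findings


if __name__ == '__main__':
    for finding in triage('app', ['app.handle_request']):
        print(finding['priority'].ljust(8), finding['method'].ljust(30),
              'depth=%d' % finding['depth'], finding['advisory'])
```

Two things the toy makes visible. First, the vulnerable method in `unicode-tables` is four hops from the application and is still reached from `app.handle_request`, so it is the finding to fix now; `compress-lib` is in the tree but the application only ever reaches its safe entry point, so that advisory is tracked rather than blocking. Second, a static call graph is an under-approximation: reflection, dynamic dispatch, plugin loading and deserialization can all invoke code the graph does not show, so an "unreachable" verdict should lower a finding's priority, not close it.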

Proprietary vulnerability database \u2013 it\u2019s not JUST the NVD that matters \u2013 get AHEAD of the attack<\/h2>\n

SourceClear also identifies vulnerabilities that are not in, or have not yet reached, the National Vulnerability Database (NVD). It crawls open-source repositories and scans the code itself, but code alone is not enough: the platform also reads metadata, commit logs, bug fixes, patch notes and other developer comments, where a quiet fix often reveals a security issue before anyone files an advisory. A machine-learning model, with its results verified by human researchers, then flags security issues that have not yet been disclosed. The combination gives insight that the public databases alone cannot.<\/p>\n

This enhanced database is extremely valuable. Why? Because it keeps organizations one step ahead of cyberattackers.<\/p>\n

When a vulnerability is listed in the NVD, it is usually being shared publicly for the first time, and it is shared with organizations and attackers alike. In practice the window between public disclosure and active exploitation is often shorter than the time an organization needs to find and patch every affected build. The news is littered with breaches that happened exactly this way. With SourceClear's technology, you can find and fix vulnerabilities before they hit the NVD, and before the free advertising to cybercriminals that a public listing inadvertently provides.<\/p>\n

Library catalog \u2013 built-in safety at the core<\/h2>\n

SourceClear maintains a list of approved libraries, with the vulnerability status of each version kept up to date. AppSec leaders can use this data to publish a catalog of pre-approved open-source libraries and versions for their developers to draw from, so that choosing a safe dependency is the default rather than an afterthought.<\/p>\n

CI\/CD agent \u2013 placing new solutions within your existing toolchain<\/h2>\n

SourceClear is a SaaS platform with an agent that integrates directly with continuous integration and continuous delivery (CI\/CD) platforms, so scanning is embedded in the development process rather than bolted on afterwards. Through various SDLC integrations that use an agent on the build server, users can in most cases add a single line to their build script and have every new build scanned automatically.<\/p>\n

Cigniti has a dedicated Security Testing Center of Excellence (TCoE) that has developed methodologies, processes, templates, checklists, and guidelines for web applications, software products, networks, and the cloud. It offers end-to-end solutions for security testing challenges, including Network Penetration Testing, SCADA Network Vulnerability Assessment and Penetration Testing Solutions, Web Application Penetration Testing, Wireless Network Assessment and Penetration Testing Solutions.<\/p>\n

With this strategic partnership, both entities collectively present a robust set of\u00a0Security Testing expertise<\/a>\u00a0to our clients for their application development and testing requirements \u2013 covering both custom\u00a0and<\/em>\u00a0Open Source code.<\/p>\n

Is Cybersecurity a growing concern for your organization and business? Experts from Cigniti and CA Veracode can work with you to address your cyber security testing<\/a> challenges in the context of the current challenges in the digital sphere.<\/p>\n

This blog is written in collaboration with CA Veracode, Cigniti\u2019s strategic partner in the Security Testing domain.<\/p>\n","protected":false},"excerpt":{"rendered":"

The days of developers creating every line of code from scratch are over. The intense demand for newer, better software means development cycles have become correspondingly intense. Moreover, the need for\u00a0Continuous Testing\/Development and Continuous Integration is growing as Application Development keeps getting more complex. Security Testing challenges and Database testing risks are increasing with the […]<\/p>\n","protected":false},"author":43,"featured_media":12885,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[7,3515],"tags":[60,1829,2101,2027,1297,2275,498,2212,2137,1481,1978,308],"ppma_author":[3766],"class_list":["post-12877","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security-testing","category-cybersecurity","tag-application-security-testing","tag-cyber-security-testing","tag-cybersecurity-for-enterprises","tag-enterprise-security-testing","tag-network-penetration-testing","tag-security-tcoe","tag-security-testing","tag-security-testing-center-of-excellence","tag-security-testing-experts","tag-security-testing-services","tag-security-testing-specialists","tag-web-application-penetration-testing"],"authors":[{"term_id":3766,"user_id":43,"is_guest":0,"slug":"benviollet","display_name":"Ben Viollet","avatar_url":{"url":"https:\/\/www.cigniti.com\/blog\/wp-content\/uploads\/Ben-Viollet-Veracode.jpg","url2x":"https:\/\/www.cigniti.com\/blog\/wp-content\/uploads\/Ben-Viollet-Veracode.jpg"},"user_url":"","last_name":"Viollet","first_name":"Ben","job_title":"","description":"Ben Viollet is EMEA Channel Director at CA Veracode. He works hand in hand with key partners such as Cigniti Technologies. 
He primarily focuses on ensuring an improvement in the security position of the clients."}],"_links":{"self":[{"href":"https:\/\/www.cigniti.com\/blog\/wp-json\/wp\/v2\/posts\/12877"}],"collection":[{"href":"https:\/\/www.cigniti.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cigniti.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cigniti.com\/blog\/wp-json\/wp\/v2\/users\/43"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cigniti.com\/blog\/wp-json\/wp\/v2\/comments?post=12877"}],"version-history":[{"count":0,"href":"https:\/\/www.cigniti.com\/blog\/wp-json\/wp\/v2\/posts\/12877\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.cigniti.com\/blog\/wp-json\/wp\/v2\/media\/12885"}],"wp:attachment":[{"href":"https:\/\/www.cigniti.com\/blog\/wp-json\/wp\/v2\/media?parent=12877"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cigniti.com\/blog\/wp-json\/wp\/v2\/categories?post=12877"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cigniti.com\/blog\/wp-json\/wp\/v2\/tags?post=12877"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.cigniti.com\/blog\/wp-json\/wp\/v2\/ppma_author?post=12877"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}