For many companies, applications are one of the most important tools for performing everyday tasks. This strong dependence on software also makes organizations more vulnerable to a certain extent. Cybercriminals look for vulnerabilities to breach systems and steal sensitive data. Therefore, business applications must be as secure as possible. Veracode helps companies to detect vulnerabilities in their software.
In recent times, we’ve discussed the state of the security landscape with various security experts. They all have differing views on what’s going on and what needs to be done. However, what they generally agree upon is that applications are poorly secured business components. In one of our conversations, Julian Totzek-Hallhuber, Principal Solutions Architect at Veracode, also acknowledges the major risks.
Every year, Veracode analyzes hundreds of thousands of applications, and can therefore confirm that almost every application contains at least one security hole. That in itself is a worrying development. It’s even more alarming when you consider that most companies rapidly deployed apps to support remote working in the past two years. After all, software plays a central role in the changing way of working that resulted from the COVID-19 pandemic.
Accelerated adoption involves different types of apps. On the one hand, there are mobile and web applications from software vendors, such as e-mail programs and browsers; naturally, the vendor spends a lot of time securing these. On the other hand, organizations’ own software has become more popular as well, such as extensions to CRM systems or websites. For this type of software, the development team and the security experts are responsible for security.
Responding to necessity
With the vast number of enterprise applications, the large role of software and the prominence of vulnerabilities, it’s time to pay more attention to security. Many developers and security teams are aware of this but face challenges when addressing the problem. For example, there’s too little capacity or time. In other cases, security is involved too late in software development.
Practice shows that software security is given too little priority. Unfortunately, as a result, companies fall victim to data breaches that could have been prevented.
From single software solution to comprehensive test platform
Veracode offers a single platform that provides the technology and services for software testing. It sees itself as one of the most complete testing platforms on the market, but it started more modestly some 15 years ago. At the time, the founders were doing a lot of manual pen testing and code testing. They found reading the code a tedious task. So they started looking for a solution to automate security testing.
This frustration resulted in a solution that automatically tests C and C++ applications for vulnerabilities. Since then, support has grown to many more programming languages; Java, JavaScript and .NET are currently the most scanned. Veracode also supports languages that are popular in specific industries: many financial service providers, for example, use Veracode to test RPG and COBOL applications. “Developers and security professionals want to test everything, even if they are no longer actively programming,” says Totzek-Hallhuber.
Totzek-Hallhuber prefers to describe Veracode as an ‘application security program’. Customers can buy several packages from Veracode: these include tools to test software, but also services for personal advice from Veracode experts.
Closing the gaps
Veracode wants to close the gap between developers, operations, and security to make companies more enthusiastic about software testing. To this end, its technology allows developers to scan for vulnerabilities as often and early as possible. But there’s also support for the security team to build a governance strategy, for example. That way, developers are shown what policies they need to adhere to. “The developers learn what flaws they need to address in their apps to be compliant”, Totzek-Hallhuber said.
According to Totzek-Hallhuber, technology plays a major role in software testing, but there is more to be done. “Although technology allows you to find lots of vulnerabilities, it doesn’t necessarily solve problems”, he states. Veracode therefore offers services to aid developers and security professionals. These services, often conversations, support setting up a complete ‘application security testing’ strategy or quickly resolving found vulnerabilities, among other things. According to Veracode, addressing such issues requires a human, as artificial intelligence (AI) isn’t advanced enough yet. As a result, Veracode holds that a true software testing platform cannot function without humans.
Ways to test software
According to Veracode, software testing ultimately requires four approaches. First, there’s Static Application Security Testing (SAST). SAST involves evaluating the application’s code. SAST is useful for testing a new application. A SAST scan finds vulnerabilities within minutes, verifies whether code meets security policies and provides feedback on how to fix potential problems.
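To make the SAST idea concrete, here is a small added example (not Veracode’s scanner, and not code from the article) of what a static analysis pass does: it parses source code into a syntax tree, flags a few well-known risky call patterns with their line numbers, and applies a policy gate that fails the build when a finding exceeds the allowed severity. The sample program, the three rules and the severity policy are all constructed for illustration.

```python
"""Toy SAST pass: walk a Python AST and flag a few risky call patterns.

Added example, not Veracode's product. SAMPLE_SOURCE, the rules and the
severity policy are constructed for illustration.
"""
import ast
from dataclasses import dataclass
from typing import List

# Constructed sample program: the kind of code a SAST tool would flag.
SAMPLE_SOURCE = '''
import subprocess
import sqlite3

def run(cmd):
    subprocess.call("ls " + cmd, shell=True)   # command built with shell=True

def lookup(conn, user):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '%s'" % user)  # SQL from a dynamic string
    cur.execute("SELECT * FROM users WHERE name = ?", (user,))   # parameterised: not flagged
    return cur.fetchall()

def danger(expr):
    return eval(expr)
'''


@dataclass
class Finding:
    rule: str
    severity: str
    line: int
    detail: str


def _is_dynamic_string(node: ast.AST) -> bool:
    """True when the string is assembled at run time (concatenation, %, f-string, .format)."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return False
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")


def _callee_name(call: ast.Call) -> str:
    """Dotted name of the callee, e.g. 'subprocess.call', 'cur.execute' or 'eval'."""
    parts = []
    node = call.func
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))


class RiskyCallVisitor(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: List[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        name = _callee_name(node)
        if name in {"eval", "exec"}:
            self.findings.append(Finding("dynamic-code", "high", node.lineno,
                                         f"{name}() evaluates run-time input"))
        if name.startswith("subprocess.") and any(
                kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                and kw.value.value is True for kw in node.keywords):
            self.findings.append(Finding("shell-true", "high", node.lineno,
                                         f"{name} called with shell=True"))
        if name.endswith(".execute") and node.args and _is_dynamic_string(node.args[0]):
            self.findings.append(Finding("sql-string-build", "high", node.lineno,
                                         "SQL statement assembled from a dynamic string"))
        self.generic_visit(node)  # keep walking into nested calls


def scan(source: str) -> List[Finding]:
    """Parse the source and return findings ordered by line number."""
    visitor = RiskyCallVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)


def meets_policy(findings: List[Finding], max_severity: str = "medium") -> bool:
    """Policy gate: passes only if no finding is more severe than max_severity."""
    rank = {"low": 0, "medium": 1, "high": 2}
    return all(rank[f.severity] <= rank[max_severity] for f in findings)


if __name__ == "__main__":
    results = scan(SAMPLE_SOURCE)
    for f in results:
        print(f"line {f.line}: [{f.severity}] {f.rule}: {f.detail}")
    print("policy:", "pass" if meets_policy(results) else "fail")
```

Run as a script, the toy reports the `shell=True` call, the string-built SQL statement and the `eval()` call, while the parameterised query passes; because all three findings are rated high, the policy gate fails the build, which is the feedback loop the article describes between scanning and compliance.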
Dynamic Application Security Testing (DAST) is the second part of Veracode’s approach. This method is used for applications that are already live. A DAST test attacks the application like a hacker would, with the goal of finding vulnerabilities that were not immediately apparent from the SAST code analysis. DAST highlights issues that only become apparent when the application is live, for example incorrectly implemented certificates.
Veracode’s third testing option is manual pentesting. Totzek-Hallhuber acknowledges that this option has some overlap with DAST. “Typically, manual pentesters run automated DAST tools and manually verify the results. That’s the only way to find business logic flaws in your application. It’s impossible to do so with automated SAST and DAST tools. You need a human to assess the business logic flaw”, says Totzek-Hallhuber. For example, manual testing finds errors that stand out or creep into an application over time, such as cache poisoning.
Finally, there’s Veracode’s Software Composition Analysis (SCA) test. This analysis reviews the third-party components in an application. Veracode observes that applications increasingly rely on such components: more than 80 percent of an average application is said to consist of something other than proprietary code. Examples are SQL libraries added to .NET apps or Node.js modules in JavaScript apps. SCA warns when these components turn out to be vulnerable.
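The following added example (not Veracode’s SCA and not code from the article) shows the core of a composition analysis: read the components an application declares, compare each version against an advisory feed that records the vulnerable range per package, and report what is affected together with the fixing version. The package.json-style manifest, the advisory identifiers and the advisories themselves are constructed for illustration.

```python
"""Toy SCA check: match declared third-party components against advisories.

Added example, not Veracode's SCA. The manifest, the ADV-* identifiers and
the advisory texts are constructed for illustration.
"""
import json
from typing import Dict, List, Optional, Tuple

# Constructed manifest in the shape of a package.json "dependencies" map.
MANIFEST_JSON = '''{
  "name": "demo-app",
  "dependencies": {
    "left-padder": "1.2.3",
    "fast-json": "2.0.0",
    "templating": "4.1.7"
  }
}'''

# Constructed advisory feed: a package is affected from "introduced" up to,
# but not including, "fixed"; fixed = None means no patched release exists yet.
ADVISORIES = [
    {"id": "ADV-0001", "package": "left-padder", "introduced": "1.0.0", "fixed": "1.3.0",
     "severity": "high", "title": "prototype pollution (constructed example)"},
    {"id": "ADV-0002", "package": "fast-json", "introduced": "1.0.0", "fixed": "2.0.0",
     "severity": "medium", "title": "ReDoS in parser (constructed example)"},
    {"id": "ADV-0003", "package": "templating", "introduced": "4.0.0", "fixed": None,
     "severity": "critical", "title": "template injection, unpatched (constructed example)"},
]


def parse_version(version: str) -> Tuple[int, int, int]:
    """Plain x.y.z semver; pre-release tags and ranges are out of scope for this toy."""
    major, minor, patch = (int(part) for part in version.split("."))
    return major, minor, patch


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """Affected when introduced <= version < fixed; no fix yet means still affected."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def load_components(manifest_json: str) -> Dict[str, str]:
    """Declared components as {package: version} from the manifest."""
    return dict(json.loads(manifest_json).get("dependencies", {}))


def scan_components(components: Dict[str, str], advisories: List[dict]) -> List[dict]:
    """One record per (component, advisory) match, most severe first."""
    rank = {"low": 0, "medium": 1, "high": 2, "critical": 3}
    hits = []
    for adv in advisories:
        version = components.get(adv["package"])
        if version is None:
            continue  # component not used by this application
        if is_affected(version, adv["introduced"], adv["fixed"]):
            hits.append({"package": adv["package"], "version": version,
                         "advisory": adv["id"], "severity": adv["severity"],
                         "fix": adv["fixed"] or "none available"})
    return sorted(hits, key=lambda h: rank[h["severity"]], reverse=True)


if __name__ == "__main__":
    for hit in scan_components(load_components(MANIFEST_JSON), ADVISORIES):
        print(f'{hit["package"]}@{hit["version"]}: {hit["advisory"]} '
              f'[{hit["severity"]}] upgrade to {hit["fix"]}')
```

The boundary handling is the part worth noticing: fast-json 2.0.0 sits exactly at the fixed version and is therefore clean, while the templating component has no fixed release at all, which a real SCA report would surface as a finding that needs a workaround or a replacement component rather than an upgrade.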
Full testing is a matter of doing it
By its own admission, Veracode’s software testing methods, which combine technology and people, provide a complete approach to detecting vulnerabilities. According to Veracode, such an approach is a necessity, as many applications still contain errors; the number of vulnerabilities often depends on the app’s programming language. By offering broad language support and automating the various testing methods, Veracode wants to help companies, and says it can.