Q&A with WhiteHat Security: on Application Security, DevSecOps, and WhiteHat Sentinel

By Community Team

The use of open source code for software and application development is on the rise as the demand for more agile applications and programs continues to grow. According to the Open Source Survey, an open data project by GitHub and collaborators, 72% of the survey’s respondents say that open source is the default choice when evaluating new tools.

This popularity and widespread use of open source, however, is both a blessing and a curse in disguise. On one hand, it means that developers no longer have to “reinvent the wheel” and create code from scratch, which helps to accelerate delivery of digital innovation. On the other hand, using open source components also exposes organizations to security vulnerabilities, because most open source components are not subject to the same level of scrutiny as custom code. So how can companies safeguard their digital business yet ensure that their apps can be feature-rich, unique, and most importantly, secure?

WhiteHat Security, a trusted application security provider that combines the best of technology and human intelligence, believes that the answer lies within identifying and fixing open source vulnerabilities right from the start. The company offers WhiteHat Sentinel, a Software-as-a-Service (SaaS) platform that enables organizations and development teams to embed security throughout the entire development process, thus helping enterprises reap the full benefits of digital transformation but minus the security headaches.

SourceForge recently had the chance to speak to Jeannie Warner, Security Manager at WhiteHat Security, to discuss the importance of application security for open source code and how WhiteHat can help organizations seamlessly integrate security into their development processes with help from the WhiteHat Sentinel platform.

Q: Can you please tell us a bit more about WhiteHat Security as a company? When was the company established, and what problems do your solutions seek to solve?


Jeannie Warner, Security Manager at WhiteHat Security

A: WhiteHat Security was founded in 2001. We are a leader in Application Security Testing, which examines web and mobile applications (in production/online or by source code) to find vulnerabilities and provide suggestions for patching, changes in code, and best practice. Application security is often the “missing link” in a security plan for companies, who spend money on perimeter and endpoint security, but ignore flaws in their public-facing apps which can allow ingress.

Q: With multiple high-profile data breaches, it wouldn’t be wrong to say that 2017 wasn’t the best year for cybersecurity. In light of this, what do you believe are some of the biggest lessons businesses can learn from the cybersecurity disasters of 2017?

A: These days every year is the “best year” for cybersecurity. However, 2017 was particularly good for bringing light to application-level issues and vulnerabilities (Equifax, e.g.). Several high-profile hacks were successful using web applications without phishing or clickjacking-type activity, illustrating clearly that it is not enough to throw up a firewall and run anti-virus to be secure.

The hacks of 2017 should have also reminded businesses to PATCH, PATCH, PATCH. If there’s a vulnerability in software and that software vendor releases a patch for it, patch it! And if you’re using open source software and assembling apps, don’t assume the open source you’re using is free of vulnerabilities. Any open source components should be tested and fixed, just like custom-written code.

Q: An increasing number of companies today are welcoming the idea of developing their own apps. So, what should companies keep in mind when creating their apps?

A: They should remember that developers, first and foremost, tend to care about functionality of an app rather than the security of an app. Best practices in secure coding are not really taught either in school or most code books. Testing for security vulnerabilities early will save money, as it’s cheaper to patch a flaw in Dev than in Prod. Fortunately, there are some pretty easy and fast security testing tools for developers (such as WhiteHat Scout) that make adding security to their workflows painless.

Q: Free to use, open source provides critical functionality while simultaneously lowering development costs and accelerating time to market. However, it doesn’t come without risks. What are some potential open source software security issues that you have seen or heard of?

A: Third-party libraries and other components make development faster. There are estimates that up to 90% of software development requires the download of components. This brings up a challenge of not only being responsible for your own code, but monitoring your libraries and platforms in use for their updates as well.

Equifax fell to an Apache Struts vulnerability, which WhiteHat could have tested for and informed, as we do full source code composition scans for static (code) analysis, as well as the behavioral aspects for dynamic (live website) testing.

Q: How can teams effectively manage the risks associated with using open source components in their applications? Is there a particular vulnerability developers should be paying attention to or be aware of?

A: There are various combinations of ALM tools one might use to ensure the patch levels of third-party components and libraries, in addition to WhiteHat’s capabilities in this area. Keeping up to date on open source components is as important as maintaining current patches for A/V and OS. Sure, there are always zero-days being worked on – but best practice means patching as quickly as possible for all levels of the security ecosystem.

According to the WhiteHat Security 2017 Application Security Statistics Report, the most common code vulnerability evident in static code analysis is Unpatched Libraries. Utilizing such a library can introduce vulnerabilities, potentially bypassing security controls that are in place elsewhere. These Unpatched Library vulnerabilities are also critical one-third of the time. Attackers can take advantage of several well-known information sources, such as the National Vulnerability Database, US-CERT, CVE Database, and more to identify these potential vulnerabilities and can use them to introduce almost any weakness.

While certain vulnerabilities can be mitigated in production, open source components such as libraries must be fixed in development.

A variety of software security testing regimens, including Software Composition Analysis, routinely performed across the SDLC is the best application security approach. Platform solutions provide this level of visibility and control, leaving organizations with enough intelligence to understand how best to fix any software error… for the least cost.

Q: What is DevSecOps? How does it compare to DevOps? And why should organizations adopt a DevSecOps process?

A: I like to quote DevSecOps.org here – “The purpose and intent of DevSecOps is to build on the mindset that “everyone is responsible for security” with the goal of safely distributing security decisions at speed and scale to those who hold the highest level of context without sacrificing the safety required.”

Development creates code. DevOps tends to be the ones who integrate that code into production, work on the APIs connecting websites and mobile apps to databases and more, aka the heroic Tool Builders who turn a programmer’s code brilliance into a finished, revenue-generating product. Adding security into the mix early and often is best practice for a successful DevSecOps program – that includes informing (training) development in best practices, maintaining a clean build and up-to-date build environment, testing even code snippets that come through for best practices in security, and in turn helping translate security principles into developer language.

Q: What is Software Composition Analysis (SCA)? What does it entail?

A: SCA builds an inventory of open-source components and libraries used by your applications, discovers patch levels, and advises on updates for licenses, acting as the auditor of your development environment. With SCA your DevOps team (or DevSecOps, if you are a star) can quickly inform and update the components and platforms used by your code, allowing only the latest and greatest levels to be used.
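The "Unpatched Libraries" finding discussed earlier and the SCA inventory-then-compare workflow described in this answer can be shown in a small script. The following is an added example, not WhiteHat's or Sentinel's code; the manifest, package names, version ranges and `ADV-PLACEHOLDER-*` identifiers are all constructed, standing in for the NVD/CVE feeds a real SCA tool would consume.

```python
# Added example (not WhiteHat's code): a minimal SCA check that inventories
# pinned components and flags those inside a known-affected version range.
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive upper bound)
    advisory_id: str  # placeholder id; real ids would come from NVD/CVE feeds

def parse_version(v: str) -> tuple:
    """Turn '2.5.13' into (2, 5, 13) so versions compare numerically, not as text."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def parse_manifest(text: str) -> dict:
    """Inventory step: map 'name==version' lines to {name: version}."""
    inventory = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if line:
            name, _, version = line.partition("==")
            inventory[name.strip().lower()] = version.strip()
    return inventory

def is_affected(version: str, adv: Advisory) -> bool:
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)

def sca_report(manifest_text: str, advisories: list) -> list:
    """Return (package, current, advisory_id, fixed) for each unpatched library."""
    inventory = parse_manifest(manifest_text)
    return [(a.package, inventory[a.package.lower()], a.advisory_id, a.fixed)
            for a in advisories
            if a.package.lower() in inventory
            and is_affected(inventory[a.package.lower()], a)]

# Constructed sample data: package names, versions and advisory ids are made up.
SAMPLE_MANIFEST = """\
webframework==2.5.13
jsonlib==1.2.0     # already at the fixed version: not reported
imagetool==0.10.1  # no advisory: not reported
"""
SAMPLE_ADVISORIES = [
    Advisory("webframework", "2.0.0", "2.5.14", "ADV-PLACEHOLDER-001"),
    Advisory("jsonlib", "1.0.0", "1.2.0", "ADV-PLACEHOLDER-002"),
    Advisory("missinglib", "3.0.0", "3.0.2", "ADV-PLACEHOLDER-003"),
]
```

Calling `sca_report(SAMPLE_MANIFEST, SAMPLE_ADVISORIES)` reports only `webframework 2.5.13` with an upgrade target of `2.5.14`; the component sitting exactly at its fixed version and the component with no advisory are left out.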

Q: Talk to us a bit more about the WhiteHat Application Security Platform. How does it provide security throughout the whole software development lifecycle? What makes it stand out when compared to similar solutions in the market?

A: WhiteHat Sentinel Application Security Platform combines advanced scanning technology with human intelligence, with each vulnerability checked and verified as a true positive by our Threat Research Center (TRC), a team of over 150 top security researchers. Sentinel is a powerful suite of services including Dynamic Application Security Testing, Static Application Security Testing, and Mobile Application Testing to cover all applications created by organizations, or provided for them by third parties. The platform is fully integrated into the software development lifecycle process, protecting our customers’ entire suite of web, internal, and mobile application infrastructures from inception to production. We also provide eLearning for Developers, Security personnel, management, and any others who work as part of the security ecosystem to create a seamless, educated production team.

What makes our Application Security Platform stand out is the accuracy we provide (near zero false positives); the access we give our customers to the security experts in our TRC through the “Ask-a-Question” capability in the platform’s dashboard; the remediation advice and guidance we provide through the Directed Remediation feature; the WhiteHat Security Index and Peer Benchmarking reports, which provide customers with a common metric to compare the security posture of each of their websites, and to track their security posture against industry peers; and having a full portfolio of application security testing services that support everyone from executives, to security practitioners, to developers with the services and reporting they need to secure their applications at every stage of their lifecycle.

Q: Can you share with us some of your predictions for the application security market this 2018? What market trends, industry movements, or customer desires are shaping the future of WhiteHat Security?

A:

  • Education will continue to be a driver in 2018 – when we last surveyed our customers, over 80% of them said that educating their developers and security teams alike in best practices for application security was their top priority. Websites remain the most easily attacked vector for penetrating an organization, as our annual Stats Report illustrates, as most have 1-4 high- or critical-level vulnerabilities which remain open for months. WhiteHat helps customers who are just learning to quantify their application security risk, prioritizing the areas which need to be addressed quickly, and arming every person in the chain of security responsibility with the right information they need to solve the issues quickly.
  • As nation state hacking becomes more and more indistinguishable from profit-driven criminal hacking, application security is finally starting to get attention at some of the highest levels, and is being written into new guidelines and governance around the world.
  • The rapid growth of DevOps as the development architecture of choice will see application security move more aggressively into the realm of IT and developers = DevSecOps
  • The container eco-system has evolved rapidly to make container-based microservices strategies commonplace. Securing containers from an application security perspective therefore really means making sure that the microservices code is written with security in mind.
  • API security — APIs are key to the digital transformation strategies for enterprises, but they expose core transactional systems to the outside world in an unprecedented way. So it’s very important that APIs are tested for security.

About WhiteHat Security

Headquartered in Santa Clara, California, WhiteHat Security is the leading provider of application security solutions for digital businesses. The company offers WhiteHat Sentinel, a Software-as-a-Service platform that identifies potential risks in websites and web applications, helping businesses to bridge the gap between security and development. WhiteHat is recognized by Gartner as a leader in the 2017 Magic Quadrant for Application Security Testing (AST).