Beyond Testing: The Human Element of Application Security

Companies of every size and in every industry are changing the world with software. From healthcare to agriculture, education, and manufacturing, software is enabling unprecedented advancement and innovation. But if that software is insecure, these innovations may get held up, or worse, put us at risk. And this is a very real concern; our most recent State of Software Security report found that 83 percent of applications had at least one vulnerability on initial scan. In turn, testing the security of software and addressing any security-related defects is a critical undertaking.

However, it’s important not to lose sight of the fact that effective application security secures software throughout its entire lifecycle — from inception to production. With the speed of today’s development cycles — and the speed with which software changes and the threat landscape evolves — it would be foolish to assume that code will always be 100 percent vulnerability-free after the development phase, or that code in production doesn’t need to be tested or, in some cases, patched.

An effective application security program requires some “human” elements beyond testing, including:

Developer secure coding training, because the vulnerability that is never introduced will always be the cheapest and easiest to fix. Most developers don’t receive training on secure coding, either in school or on the job, but when they do, it pays off. Data collected for our State of Software Security report found that eLearning on secure coding improved developer fix rates by 19 percent.

A solid vulnerability disclosure policy, which ensures that vulnerabilities unearthed by security researchers are addressed and disclosed in an effective manner. Veracode’s co-founder and CTO Chris Wysopal notes that, “Today, we have both tools and processes to find and reduce bugs in software during the development process. But even with these tools, new vulnerabilities are found every day. A strong disclosure policy is a necessary part of an organization’s security strategy and allows researchers to work with an organization to reduce its exposure. A good vulnerability disclosure policy will have established procedures to work with outside security researchers, set expectations on fix timelines and outcomes, and test for defects and fix software before it is shipped.”

Bug bounty programs, which put the power of multiple security researchers behind your application security. Wysopal says of bug bounty programs, “bringing in outside hackers with their own attack tools will uncover new risks. This is one of the clear values of bug bounty programs.”

Ultimately, effective application security focuses on both prevention and detection. You wouldn’t let your kids play with matches just because you have a fire extinguisher. On the other hand, even if you teach your kids about fire safety and never let them play with matches, you wouldn’t toss out the fire extinguisher. Fire safety requires prevention and detection, as does application security.

Testing your code for vulnerabilities early and often in the development process, and assessing the security of both third-party and open source code are all essential software security steps. But detecting and responding to vulnerabilities with human solutions plays a critical part as well. Developer training, a vulnerability disclosure policy, and a bug bounty partnership all play a role.

Continue this conversation with us at our fall road show; we’ve teamed up with Bugcrowd and Edgewise on a series of networking events — coming to a city near you!

RSS | Veracode Blog


Are you looking for products for hacking, cybersecurity, and penetration testing? Do you need to cleanse your smartphone, PC, or website from viruses and malware? Do you need to track down a person or recover urgent information? Do you need to regain control of an account, email, or password that has been stolen from you? Interested in purchasing pre-configured devices to easily and quickly experiment with hacking techniques? Do you have specific requirements in software or hardware? We can assist you!

Contact us immediately for immediate assistance: provide us with details via email or WhatsApp about the type of support you need, and we will respond you promptly!

Fill out and submit the form below to send us an immediate support request

Write your email address here

Write here how we can help you - we provide immediate support for all your needs!

chevron_left
chevron_right