'Inherited' code flaws in software supply chains invite security risk
Sometimes a flaw's severity isn't known until the damage has been done.
Employees looking for a quick productivity fix will often turn to software applications. And unfortunately, these employees view these tools through rose-colored lenses, with little to no awareness of the risks they may have exposed.
Line of business employees sometimes wrongfully view IT as a back office function and don't consider the broader impact of using tools unmonitored by IT. Downloading and onboarding additional SaaS applications at will introduces unknown security flaws to IT, which trickles impact through the rest of the business.
The severity of breaches are increasing yet employees have not become more aware of risks. Nontechnical employees feel emboldened to use digital tools that aid productivity but often leave IT out of the process.
This is an issue because more than 85% of all software applications have at least one vulnerability, according to Veracode's State of Software Security report of more than 700,000 application assessments through a 12-month period. Of those applications, about 13% have at least one flaw that is critical.
"Detecting stuff doesn't make anything safer," said Chris Eng, VP of research at Veracode, in an interview with CIO Dive. Companies that are aware of a flaw but wait too long to remedy it face a greater threat. Equifax, for example, discovered the bug that lead to its infamous data breach months before the breach occurred.
But sometimes a flaw's severity isn't known until the damage has been done.
"Every company has become a software company," said Eng. But the bulk of code is borrowed and "cobbled together" from open source libraries with only about 10% of personalized "business knowledge" injected into it.
Because companies are so reliant on code from outside sources, flaws can be "inherited," he said. About 88% of Java, 92% of C++ and 86% .NET applications have at least one vulnerable component. Companies have built their foundation on these lines of codes and are unintentionally allowing cracks to form.
Software needs monitoring
Customers don't care where a company get its code from as long as their data is protected and secure, yet the majority of flaws, 70%, sit unresolved for a month, according to the report. More than half of flaws are left for three months after discovery.
CIOs struggle with finding flaws in applications that exist beyond IT's security perimeter. "We've lost control," said Jay Heiser, VP analyst at Gartner, while speaking at the Gartner Symposium in Orlando, last week.
Shadow SaaS applications are outside of the firewall. Truthfully, he said, "it's not actually a wall, it's a door," and only a few select people in IT have keys to that door. But nontechnical employees will likely continue this behavior because it hasn't "blown up in [their] face" yet, leaving a false sense of sustainable security.
Any open door, no matter its size, could lead to a financial or branding catastrophe that takes months if not years to recover come.
Future of security in DevOps
The most common type of flaw is information leakage, though it did slightly decrease from last year, according to the report. Code quality, CRLF injection and insufficient input validation increased from 2017.
The prevalence of certain flaws in 2016, 2017 and 2018 are almost identical. This indicates that organizations haven't done much in the last three years to cultivate more awareness around vulnerabilities.
For this reason, the push for DevSecOps is justified. While DevOps is a buzzword for good reason, businesses are working to create a more holistic approach to software and security.
By leveraging the creativity and nuances of their DevOps and security teams, companies can create "DevSecOps unicorns," according to the report. Companies with DevSecOps can resolve a flaw nearly 12 times faster than a traditional company.
Automation is a "hallmark" of DevSecOps and "makes security more doable," said Eng. Part of this is launching more scans for known software applications and for ones more shadowy.
Follow Samantha Ann Schwartz on Twitter