Last May, President Trump ordered his administration to come up with a plan for securing the U.S. government and the nation's infrastructure from cyberattacks that threaten the country's economy and national security.
Under the order, the President tasked the Secretary of Commerce and the Secretary of Homeland Security to identify and promote action by stakeholders to improve the resilience of the internet and communications ecosystem and to encourage collaboration with the goal of dramatically reducing threats perpetrated by automated and distributed attacks, such as through botnets.
The Department of Homeland Security and Department of Commerce have put together a draft report, outlining the administration's goals and key recommendations. The report is now available for public comment, with the government seeking feedback from the security industry, along with other stakeholders in industry, academia, and the public sector, as it prepares to deliver a final report the President in May 2018. Among the highlights of this report is the importance of reducing vulnerabilities in software and Internet of Things (IoT) devices.
The consequences of security vulnerabilities in IoT devices became alarmingly clear last year, when a botnet comprised of 100,000 compromised IoT devices, ranging from routers to webcams and CCTV cameras, was used to attack some of the biggest websites in the U.S., including Twitter, Netflix, and The New York Times. These compromised IoT devices were collected together in a botnet, called Mirai, which launched a distributed denial-of-service attack on the Domain Name System services provider of those websites, crushing them with an enormous number of malicious web requests.
The fact that internet connected security cameras, and other seemingly benign devices, could be used to take out large swaths of the internet, is frightening, but it shouldn't come as a surprise. At its root, the problem with the billions of devices making up the IoT is insecure software. Because IoT devices run on software, and software is frequently riddled with security weaknesses in its underlying code, these devices can be attacked. Software increasingly runs the devices and systems that keep commerce and communications going. When software is vulnerable, so is our economy, and our way of life.
The rising stakes for software security require an appropriate and urgent response from companies that produce software, the application security industry, and policy makers. In recent years, conventional wisdom held that industry and government efforts should focus on detection and response, rather than on prevention. However, a reactive approach is completely inadequate to stop today's destructive attacks, such as the viral strains of ransomware that recently crippled banks, governments, hospitals, shipping companies, and other businesses.
The good news here is that the Trump Administration recognizes the dangers of software insecurity, and the administration's report contains several good recommendations about how to turn this problem around. Among these recommendations are the following action items:
Increase marketplace adoption of application security technologies to prevent vulnerabilities, using multiple testing techniques.
Promote greater awareness and transparency about vulnerabilities in commercial software, software components, and IoT devices.
Leverage the buying power of the federal government through certification processes to increase assurances that no known vulnerabilities are shipped with products.
We support these recommendations, yet we believe the administration can go further to increase the development of secure software in a few respects.
First, developers need better training in cybersecurity principles and secure coding. Because security training is not a part of most computer science courses, we could see great improvements in the security skills of developers, simply by encouraging and incentivizing more schools and universities to teach cybersecurity as part of their computer science curricula.
Second, the government could encourage adoption of best practices through standards such as PCI, HIPAA, the Cybersecurity Framework, and other regulatory and voluntary frameworks.
Our analysis of millions of application scans, covering 6 trillion lines of code, has helped us identify four major principles that are common in application security testing programs that see significant results in reducing the prevalence of software vulnerabilities and lowering application risk.
1. Test throughout the software development lifecycle with multiple technologies.
Different kinds of application security testing — static, dynamic, and manual penetration testing — find different types of vulnerabilities. The most effective AppSec programs use all three kinds of testing to find and fix vulnerabilities during development and once an application is live in production. Not all vulnerabilities are created equal, so effective programs also need to complement testing technologies with policies that describe what types of vulnerabilities make an application “fail” and require fixing.
2. Start small and build the program over time to secure the entire application landscape.
Organizations just starting out with security testing shouldn't try to fix every vulnerability in every application. Security teams need to triage the most critical applications and fix the most severe vulnerabilities first. As an AppSec program scales up into a more mature program, organizations will assess all of their software, not only applications developed internally, but also those purchased from third parties and those assembled with open source components. In addition, effective programs assess every application throughout its lifecycle — from development to quality assurance (QA) and production.
3. Use metrics to improve performance over time.
Advanced application security programs measure results through a set of metrics and key performance indicators (KPIs), such as compliance with policy (internal policy, OWASP policy, and industry regulations). Metrics allow organizations to quantify their risk. Metrics also enable AppSec managers to communicate areas for improvement to the security and development teams. These feedback loops are a key aspect of the development process known as DevOps, which brings development and operations teams together to meet joint goals of improving performance, functionality, and security.
4. Train developers to code securely, and enable them with the right tools.
As DevOps practices continue to take hold in IT departments today, security teams are increasingly filling the role of expert consultants and partners, rather than testers and compliance babysitters. This means developers are shouldering more responsibilities both during security testing and remediation. CA Veracode data shows that supporting developers with resources such as eLearning and remediation coaching by security experts can have a tremendous impact on the efficacy of developer teams in fixing security bugs. Developers with eLearning fix, on average, 19% more flaws than those without eLearning, while developers who received security consulting fix 88% more flaws. Developers also benefit from testing tools that they can use directly within their development environments. Using APIs and plugins to connect AppSec testing with the DevOps toolchain enables more frequent testing. The data shows that organizations who test more frequently, and early in the development process, fix 48% more flaws.
What Comes Next
Securing the world's software requires a significantly increased focus on preventive approaches, by testing for coding flaws in software applications before they can be exploited by malicious actors. CA Veracode strongly supports the recommendations by the Trump Administration that encourage organizations to proactively test software for vulnerabilities, and its efforts to incentivize movement in this direction.