Chris Eng on the challenges of improved application security
The O’Reilly Security Podcast: Vulnerabilities in assembled software and the need for immediate developer feedback.
Interlocking Bricks In Stone Wall. (source: PublicDomainPictures.net)
In this episode, I talk with Chris Eng, vice president of research at Veracode, a software security-as-a-service business.
We discuss Veracode’s research on application security across a broad spectrum of industries, the challenges of securing modern “assembled” software, and making it easier for developers to bake in security from the get-go.
Learn faster. Dig deeper. See farther.
Here are some highlights:
Software security: Some assembly required
No one is writing software from scratch these days. Now, building software is more like assembling software from ingredients. You pull together a library for this, a library for that, and then, by the way, your shiny new piece of software inherits all the security holes in those libraries. As the product matures over time, people start to lose track of what went into it, nobody keeps an inventory of those libraries, and people don’t upgrade libraries if they don’t have a good reason to functionally. So, if you sit there and watch your product over time, it will get more and more vulnerable as additional vulnerabilities are discovered in the libraries that you used.
Developer-friendly security
In an ideal world, you want to be able to give immediate feedback to a developer as soon as you spot an issue. Because then you can fix it in the moment. You don’t have to go back and figure out, “What was that thing I was working on three days ago? Let me try to get back into that headspace and, you know, figure it out.” Now you want to get as close as you can to when the code was written. That’s what we’re working toward. That’s what, I think, the industry will start working toward: finding ways to give immediate feedback, in addition to the deeper analysis that you would do on a nightly basis, or weekly, or whatever makes sense for the organization.
Not all doom and gloom
Last year, 2015, across [Veracode’s] customer base, we detected about 10 million flaws, and we measured that seven million of those were fixed over the course of the year. So people are getting better. We have a tendency, as an industry and as a profession, to focus on all the things going wrong. That’s our job; we have to be good at that. But things are getting better overall. And that’s a good message.