Navigating Code Security in 2024: Fortify's Response to Industry Challenges

The Fortify team recently sponsored Dark Reading Research to conduct a comprehensive survey, leading to the insightful "2024 State of Code Security: How Enterprises Secure Their Applications" report. In addition to the report, the team hosted a webinar to discuss the survey findings and published a blog post on the topic.

Below are some of the key takeaways from the report, along with my perspectives on how Fortify Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST), and Software Composition Analysis (SCA) solutions (and more) can address key identified challenges.

Heightened Focus on Application Security

Several factors are driving the increased emphasis on application security. The primary concerns for many organizations include the security of open-source components and APIs. There's also significant apprehension about the accuracy and depth of security testing practices and threats to cloud-native applications.

Addressing with Fortify

Fortify SCA, which includes Sonatype on-premises and Debricked in Fortify on-Demand (FoD), analyzes open-source components to identify known vulnerabilities and license compliance issues, thereby mitigating risks associated with open-source software (OSS). For more information on mitigating OSS risks, check out this blog, which includes a summary and links to supporting resources.

Fortify also provides a comprehensive solution for addressing API security testing challenges. Refer to our Developers Guide to the OWASP Top 10 for API Security for more details.

Regarding the apprehension of security testing for cloud-native applications, visit our landing page for cloud-driven code security solutions.

Addressing Staffing and Security Concerns

A notable percentage of organizations are enhancing their AppSec practices due to a shortage of security staff, the widespread use of open-source code, and concerns about attackers with deep knowledge of application vulnerabilities. The survey revealed that 23% of respondents cited attackers with deep knowledge of application vulnerabilities as their greatest pain point, followed by inadequate security staff (20%) and frequent use of open-source code libraries (19%).

Addressing with Fortify

Fortify SAST mitigates these concerns by providing a comprehensive analysis of source code, identifying vulnerabilities early in the development cycle. This automation reduces the burden on understaffed security teams by streamlining the detection of security issues in a codebase. Additionally, Fortify Hosted and FoD further alleviate the load on AppSec teams. For more details, see the Fortify Hosted landing page and the Top 5 Reasons to Choose Fortify on Demand for Application Security.

Meanwhile, Fortify DAST complements SAST by dynamically testing running applications to identify vulnerabilities that may not be visible in the source code alone, thus offering a multi-layered defense strategy.

Additionally, ScanCentral, a part of the Software Security Center (SSC), empowers small AppSec teams to deliver scalable static (SAST) and dynamic (DAST) application security testing to large development teams. By offloading code analysis from build machines to remote sensors, ScanCentral lets teams manage time and resources efficiently. Integration with popular build tools such as Maven, Gradle, and MSBuild allows teams to hit the ground running, embedding security into existing CI/CD pipelines. Scan orchestration runs scans in parallel and scales them dynamically to meet changing demand, providing comprehensive security coverage without disrupting the development workflow. Through this automation, ScanCentral SAST embeds security into every stage of the software development lifecycle and fulfills the promise of DevSecOps.

Growing Threat Landscape

Concerns about attackers scanning code for exploitable vulnerabilities have grown, with 50% of respondents identifying it as the biggest source of concern. Additionally, 44% of organizations have strengthened their app security to protect intellectual property, 41% to safeguard keys and credentials, and 39% to prevent the inclusion of unauthorized packages or components in applications. Other significant concerns include the introduction of malicious code into apps (35%) and hijacking software update mechanisms (28%).

Addressing with Fortify

Fortify DAST excels at detecting real-world attack vectors by simulating the actions of malicious attackers, helping organizations identify and fix vulnerabilities that could be exploited in production environments. In contrast, Fortify SAST ensures that vulnerabilities are identified and resolved during the development phase, preventing them from ever reaching production. For more insights, see Beyond the Noise: Elevating SAST with Fortify’s Precision and Innovation.

Impact of High-Profile Breaches

Recent high-profile breaches, such as the Progress Software MOVEit platform incident and mass attacks on Microsoft Exchange Server vulnerabilities, have significantly influenced attitudes toward application security. Fifty-eight percent of respondents believe attacks via trusted software suppliers increase their risk exposure, 49% feel the same about business apps like Microsoft Exchange, and 54% about breaches via cloud providers.

Addressing with Fortify

Fortify offers robust mechanisms to detect vulnerabilities introduced through third-party components, ensuring the security of both internally developed and third-party applications. These tools help organizations maintain a secure software supply chain by continuously scanning for and addressing vulnerabilities, whether they arise from unintentional risks like the inclusion of a vulnerable open-source component or from malicious threats attempting to subvert code repositories with harmful code. For more information, refer to our joint report with Dark Reading, Shoring up the Software Supply Chain Across Enterprise Applications, as well as our Securing Software Supply Chain Hub.

Confidence in Security Measures

Despite the growing threats, many organizations express confidence in their ability to manage application security. Sixty-three percent of respondents are confident in their ability to prevent compromises via the software supply chain, 59% in detecting such compromises, and 50% in ensuring a secure software supply chain. This confidence seems tied to the perceived effectiveness of their security mechanisms, including manual penetration testing and static and dynamic AppSec testing processes, with 80% considering these processes effective.

Addressing with Fortify

Fortify DAST and SAST enhance confidence by offering continuous and automated testing capabilities, which are more efficient and less error-prone than manual processes. These tools help organizations achieve higher levels of assurance in their security posture by systematically identifying and mitigating vulnerabilities. We have numerous case studies showcasing the success of Fortify implementations, but one of my favorite resources is the whitepaper How Equifax is Transforming with Fortify on Demand.

Knowledge Disparities and Security Priorities

The survey uncovered a growing disparity in knowledge of application security issues between IT security teams and application developers. While 73% of respondents consider their IT security team knowledgeable on AppSec, the percentage of application developers with very good knowledge of AppSec declined to 18% this year from 22% last year.

Addressing with Fortify

Fortify SAST offers real-time feedback to developers on security issues in their code, bridging the knowledge gap by educating them on best practices and common vulnerabilities as they code. Fortify DAST enables security teams to focus on dynamic testing without needing deep integration into the development process, allowing both teams to work effectively within their areas of expertise. Additionally, our integration with Secure Code Warrior provides developers with real-time access to targeted, interactive application security training within Fortify SSC or FoD.

Implementation Challenges

Organizations face several challenges in implementing effective application security programs, including inadequate funding, management support, technical resources, and security skills. Forty-three percent of organizations struggled with inadequate funding and management support for AppSec initiatives, 33% lacked the technical resources to secure production apps properly, and 32% dealt with insufficient security skills.

Addressing with Fortify

Fortify Professional Services, along with our extensive network of partners, can help organizations advance their application security programs. Many of our customers have utilized Fortify on Demand (FoD) to jumpstart their initiatives, rapidly ramping up security testing and significantly increasing testing coverage. This support enables organizations to overcome challenges related to inadequate technical resources and security skills, ultimately moving their AppSec programs up the maturity curve.

Adoption of Formal Security Practices

Many organizations have adopted formal and programmatic application security practices to address concerns over supply chain security, vulnerability exploits, and other software security threats. There has been an increase in the adoption of DevSecOps practices, improved patch management capabilities, and more extensive testing, monitoring, and assessments of business-critical, third-party, and web applications.

Addressing with Fortify

Fortify SAST and DAST are integral to DevSecOps practices, enabling continuous integration and continuous deployment (CI/CD) pipelines with built-in security checks. These tools ensure that security is embedded throughout the development lifecycle, helping organizations maintain a strong security posture. See this flyer on DevSecOps with Fortify.

Conclusion

The Dark Reading report highlights the evolving landscape of application security. Fortify's solutions are uniquely positioned to address the challenges identified in the survey, offering comprehensive, automated, and effective security testing capabilities. To learn more about the latest AppSec challenges, read the full report and watch our on-demand webinar.