How CA Veracode Products Secure the Production Stage


By Suzanne Ciccone; Originally Published January 3, 2018

This is the third entry in a series of blogs on how CA Veracode products fit into each stage of the software lifecycle – from coding to testing to production. We want to emphasize lifecycle here, because we continue to hear the misconception that application security falls squarely and solely into the testing stage. In our 10+ years helping organizations secure their applications, we’ve learned that effective application security secures software throughout its entire lifecycle – from inception to production or, put another way, from prevent to respond. In fact, rather than talking about securing the software development lifecycle, we should focus on securing the software lifecycle.

This blog series (and accompanying interactive infographic) will take that notion one step further and detail exactly how our products fit into each stage. We hope this series gives you a better sense of both the security requirements throughout the lifecycle and how CA Veracode can help at each step.

The Production Stage

The move to Agile and DevSecOps development processes has fostered a lot of attention on the need to shift security testing left in the development cycle. And this is absolutely a pivot in the right direction. Moving security testing into the realm of the developer makes security testing faster, easier, more effective and less expensive. It gives developers the power to make great code by making security a part of the definition of “great.” However, it’s important not to lose sight of the fact that effective application security secures software throughout its entire lifecycle – from inception to production.

With the speed of today’s development cycles – and the speed with which software changes and the threat landscape evolves – it would be foolish to assume that code will always be 100 percent vulnerability-free after the development phase, or that code in production doesn’t need to be tested or, in some cases, patched.

Protecting production apps involves security testing completed code, whether it’s developed internally or externally, and implementing real-time protection for apps in production. Just as software is not static, application security isn’t either. Effective application security is not a one-and-done project, but an ongoing program that both prevents and responds to breaches at the app layer.

The Role of Operations

It’s important to note that operations has a role to play in securing production applications as well.

For our 2017 State of Software Security report, based on our Platform data, we looked at the overall basic hygiene of the production environments on which applications run. We found an alarming number of insecure servers running production software. In fact, 25 percent of sites were running on web servers containing at least one high-severity vulnerability. Even if these applications were flawless, they’d be vulnerable.

On the other hand, our research also revealed that many operations people are making a positive impact on software in production. Dynamic testing revealed that apps running in production fared slightly better than those in pre-production. Digging deeper into these numbers, we uncovered that the categories with the biggest difference in vulnerability prevalence between development/QA and production were those most likely under the control of IT ops. So issues like easily guessable passwords and misconfigured HTTP security headers, which ops can address, are likely to be shut down before they go live.

How CA Veracode Secures This Stage

CA Veracode Web Application Scanning (Discovery plus Dynamic Testing): Find, secure and monitor all of your web applications — not just the ones you know about.

CA Veracode Manual Penetration Testing: Pen testers conduct simulated attacks for complete assurance.

CA Veracode Runtime Protection: Detect and block attacks in your production applications.

CA Veracode Software Composition Analysis: SCA alerts you if new vulnerabilities are found in embedded components, enabling you to respond and patch quickly.

Get the Whole Picture

Check out our new interactive infographic, Securing Every Phase of the Software Lifecycle, to further explore security considerations during the SDLC, and how CA Veracode products fit into that picture.
