Veracode unveils tools to combat growing security debt


Ryan Daws is a senior editor at TechForge Media with over a decade of experience in crafting compelling narratives and making complex topics accessible. His articles and interviews with industry leaders have earned him recognition as a key influencer by organisations like Onalytica. Under his leadership, publications have been praised by analyst firms such as Forrester for their excellence and performance. Connect with him on X (@gadget_ry) or Mastodon (@gadgetry@techhub.social)


To help organisations tackle mounting security debt and an expanding attack surface, Veracode has announced two new platform innovations.

Veracode has introduced Universal Connector and Application Security Heatmap, both powered by Longbow, to enable businesses to quickly identify and prioritise security risks across their applications.

These new capabilities come at a critical time, as organisations struggle to manage an overwhelming volume of security alerts and the increasing vulnerability of their systems to threats, including those posed by generative AI.

“The combination of mounting security debt, an expanding attack surface made more vulnerable by generative AI, and an overwhelming volume of security alerts makes it challenging for organisations to know which application risks to prioritise,” said Chris Eng, Chief Research Officer at Veracode.

Veracode’s State of Software Security 2024 Language Snapshot (PDF) revealed alarming trends in security debt across different programming languages. The report defines critical security debt as high-severity flaws that remain unfixed for over a year, posing serious risks to an organisation’s integrity and availability if exploited.

One key finding shows that while most security debt exists in first-party code written by in-house developers, the most critical security debt resides in third-party code, such as open-source software. For instance, 80% of critical debt in Java apps and 63% in JavaScript apps is found in third-party code.

The report also highlighted a concerning trend in how developers prioritise fixes. In Java applications, about 51% of critical flaws turn into security debt, while only 45% of low to medium flaws do so. This suggests that developers may be focusing on less critical issues at the expense of more severe vulnerabilities.

Eng emphasised the importance of prioritising critical flaws: “While focusing on non-critical flaws may result in some quick fixes, developers should use their limited capacity to work on fixing critical flaws with the highest potential impact on security.”
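The report's definition above (a high-severity flaw left unfixed for more than a year is critical security debt) and the prioritisation figures it quotes can be computed directly from a list of findings. The following is an added example, not Veracode's or Longbow's code: it applies that definition to a constructed set of findings, reports the share of critical and non-critical flaws that have become debt, the share of critical debt sitting in third-party code, and orders the open backlog so critical debt is fixed first. Field names, the severity labels and the sample findings are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Threshold from the report's definition: unfixed for over a year.
SECURITY_DEBT_AGE_DAYS = 365


@dataclass(frozen=True)
class Finding:
    """One scanner finding (constructed schema, not a real tool's output)."""
    app: str
    severity: str            # assumed labels: "high", "medium", "low"
    origin: str              # "first-party" (in-house) or "third-party" (e.g. open source)
    first_seen: date         # when the flaw was first reported
    fixed_on: Optional[date] = None  # None while the flaw is still open


def is_critical(f: Finding) -> bool:
    # The report treats high-severity flaws as the critical class.
    return f.severity == "high"


def is_security_debt(f: Finding, as_of: date) -> bool:
    # Debt = still open and older than the one-year threshold.
    return f.fixed_on is None and (as_of - f.first_seen).days > SECURITY_DEBT_AGE_DAYS


def debt_share(findings: List[Finding], as_of: date, *, critical: bool) -> float:
    """Fraction of flaws in the critical (or non-critical) cohort that became debt."""
    cohort = [f for f in findings if is_critical(f) == critical]
    if not cohort:
        return 0.0
    return sum(1 for f in cohort if is_security_debt(f, as_of)) / len(cohort)


def third_party_share_of_critical_debt(findings: List[Finding], as_of: date) -> float:
    """Fraction of critical debt that lives in third-party code."""
    crit_debt = [f for f in findings if is_critical(f) and is_security_debt(f, as_of)]
    if not crit_debt:
        return 0.0
    return sum(1 for f in crit_debt if f.origin == "third-party") / len(crit_debt)


def prioritise(findings: List[Finding], as_of: date) -> List[Finding]:
    """Open findings ordered critical-debt first, then critical, then oldest first."""
    open_findings = [f for f in findings if f.fixed_on is None]
    return sorted(
        open_findings,
        key=lambda f: (not is_critical(f), not is_security_debt(f, as_of), f.first_seen),
    )


# Constructed sample data; the assessment date is fixed so results are reproducible.
AS_OF = date(2024, 8, 1)
SAMPLE = [
    Finding("billing", "high", "third-party", date(2023, 3, 10)),
    Finding("billing", "high", "first-party", date(2024, 6, 20)),
    Finding("billing", "low", "first-party", date(2022, 11, 5)),
    Finding("portal", "high", "third-party", date(2023, 1, 15)),
    Finding("portal", "medium", "first-party", date(2023, 2, 1), fixed_on=date(2024, 5, 3)),
    Finding("portal", "high", "first-party", date(2023, 5, 2), fixed_on=date(2023, 6, 1)),
    Finding("api", "medium", "third-party", date(2024, 1, 10)),
    Finding("api", "high", "first-party", date(2022, 9, 30)),
]

if __name__ == "__main__":
    print(f"critical flaws that became debt:     {debt_share(SAMPLE, AS_OF, critical=True):.0%}")
    print(f"non-critical flaws that became debt: {debt_share(SAMPLE, AS_OF, critical=False):.0%}")
    print(f"critical debt in third-party code:   {third_party_share_of_critical_debt(SAMPLE, AS_OF):.0%}")
    for f in prioritise(SAMPLE, AS_OF):
        tag = "DEBT" if is_security_debt(f, AS_OF) else "open"
        print(f"  [{tag}] {f.app:8} {f.severity:6} {f.origin:12} since {f.first_seen}")
```

Running it against real scanner exports means mapping each tool's severity scale onto the critical/non-critical split before calling these functions; the ordering produced by `prioritise` is the point of the passage, since it places aged high-severity flaws above the quick, low-severity fixes the report says teams tend to pick first.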

To address these challenges, Veracode’s new Universal Connector allows organisations to quickly access disparate source data that they previously couldn’t bring into the Longbow platform. This eliminates the need to wait for tool-specific connectors, enabling faster analysis and action.

The Application Security Heatmap provides a visual representation of risk across applications, mapping each app to its owner and showing a 90-day risk trend. It also allows for customisation of risk thresholds to align with organisational policies. This feature enables security teams and developers to analyse applications, view risk distribution, and implement recommendations for the most effective remediation actions.

Derek Maki, Vice President of Product Management at Veracode, commented: “As organisations seek to find and fix mounting critical security debt, the need for risk-focused visibility and prioritisation is clear.

“The new capabilities in the Longbow platform provide our customers with a deeper understanding of an organisation’s riskiest applications, plus the unique ability to identify the top five most impactful solutions for improvement.”

These innovations build upon Veracode’s acquisition of Longbow Security in April and the subsequent introduction of Repo Risk Visibility and Analysis capability in May. The enhanced platform aims to bridge the gap between development and security teams, offering comprehensive visibility from code repositories to cloud assets and runtime.

As organisations continue to grapple with the complexities of modern software development and the ever-present threat of cyberattacks, tools like Universal Connector and Application Security Heatmap may prove crucial in managing and mitigating security risks effectively.

(Photo by Sylwester Walczak)
