Many of us in the development world rely on our code being secure to keep our customers safe while their web apps live in the wild of the Internet. But sometimes, to save costs, we take shortcuts or leave security until the end and rely on scanners to tell us about our mistakes.
Security scanners are great, but only when used properly by a company that genuinely assesses its own security. The other day, a program that took many years to build and cost a company a large sum of cash was delivered to a competitor security scanning company for a security assessment. Upon completion of the scans, the results were sent for Independent Verification and Validation (IV&V), separate from both the security vendor and the company that produced the software.
It was at this IV&V stage that the issues became abundantly clear. Did the IV&V personnel have the skills needed to perform the IV&V?
The company that produced the product (the customer) also went through the findings and presented its assessment to the IV&V team.
The company asserted that the finding list was, at its core, mostly false positives. This brings up two points to consider, both as a company and as a security vendor:
1. Are you educated enough in coding to properly understand the findings and the customer's response?
2. Is the security scanning software a good choice for your application?
By claiming that the findings are mostly false positives, you might think you will pass the IV&V more easily and thereby create a shortcut. But if you are wrong and the validators accept your assessment, the consequences could be catastrophic.
Was It Safe To Shortcut?
As to question 1, most security professionals do not have deep coding knowledge. Couple that with the myriad of programming languages in use and you soon find that few people have all the needed skills.
As to question 2, in this case, given the volume of false positives, the security vendor should question the result and determine whether it chose the correct product from its “toolbox”.
The company, in addition to stating that nearly all findings were false positives, outsourced its responses to its development team, which works overseas. This raises the question of whether the company itself knows how to read its own code.
Is the development team correct? Only time will tell for this company and its future.
Making It Safe
So how can these two problems be eliminated?
Brush up on the programming languages your company uses, and hold frequent development meetings so the programmers take the time to show you how they follow best practices, implement security, and test their code before the independent evaluators (in this case, a security scanning vendor) arrive.
Consider whether the scanning software you use is right for your code. Just as there are many programming languages, there are many kinds of scanners, from application-code scanners to operating-system scanners. Only a few scanners are capable of handling the newest programming languages and coding techniques. Add to that the concern of business logic, which is a basic understanding of how you do business: who reports to whom within the organization, and who can make approvals. These questions have to be answered when you pick your scanner or scanning company.
Gather a second opinion on the scanner and its results. Reach out to other companies and see what they used. Many websites exist where you can read what other companies thought of the software and how it performed. Using two different scanners can be worthwhile. While this can be costly, consider the damage to your business if the code you wrote is compromised. Would your company be able to rebound from that? What would happen to your reputation? How much is that worth to you?
Finding the Right Company
There are companies, such as True-Positives, that have personnel on staff who can assist with these three points, and they require only a small investment for big dividends in the end. The dividends are paid back to you, the customer, in that world-class scanning software can be used at little to no cost.
True Positives (T+) is an AppSec consultancy specializing in automated solutions, manual testing services, and assurance program overwatch. We serve security teams and toolmakers alike to help the entire industry shift left.
We are AppSec experts with 100+ years of combined experience, advising Boeing, Cisco, Intel, Microsoft, and others. We provide our expertise, insight, and solutions to businesses without demanding enterprise-level fees. When you work with us, you get the best protection at the best rates.