Prioritizing Security Debt Remains a Challenge for Developers, Veracode Announces Innovations to Identify and Unify Critical Risks

Veracode

Veracode, a global leader in application risk management, announced its latest platform innovations designed to help organizations identify, prioritize and reduce security debt across their growing attack surface. Two new capabilities in Longbow powered by Veracode, Universal Connector and Application Security Heatmap, enable organizations to quickly connect findings from any source and correlate them with the applications at greatest risk. Together, Universal Connector and Application Security Heatmap provide a clear, actionable view of assets and their issues, enabling prioritization of remediation efforts based on quantifiable risk.

Security Debt Priorities: Critical and Non-Critical

In its State of Software Security 2024 Language Snapshot, Veracode reported both “critical” and “non-critical” security debt in applications written in different languages. The report defines critical security debt as a high-severity flaw that remains unfixed for more than one year. If exploited, such vulnerabilities would seriously jeopardize the integrity and availability of the organizations that run them.

While the majority of security debt is in first-party code written by developers working within organizations, Veracode research found that the most critical security debt resides in third-party code, such as open source software used as the basis for product code. For example, 80 percent of critical debt in Java applications and 63 percent in JavaScript applications resides in third-party code. The report also found that approximately 51 percent of critical flaws in Java applications result in security debt, while only 45 percent of low-to-medium level flaws result in security debt.


Visibility and Priority First: Universal Connector and Application Security Heatmap

Following Veracode’s acquisition of Longbow Security last April and the introduction of Longbow’s Repo Risk Visibility and Analysis capability in May, the Universal Connector and Application Security Heatmap were designed with developer time in mind. The capabilities provide operational oversight to help developers and security teams quickly identify and prioritize the most important fixes for the growing security debt in their applications.

Universal Connector enables organizations to quickly access security-relevant data from multiple sources that otherwise cannot be easily integrated into the Longbow platform, without having to develop a specific connector. The Application Security Heatmap maps the application in detail down to the individual developers (including third-party developers) who developed each component, shows a risk trend over the previous 90 days, and allows customization of the acceptable risk threshold to meet the organization’s specific criteria. Application security teams and developers can analyze each application, visualize the risk distribution, and implement the top 5 “Best Next Action™” recommendations to remediate that risk.

With the acquisition of Longbow, Veracode can bridge the gap between development and security teams, providing visibility from code repositories to cloud resources and runtimes. Longbow also identifies infrastructure-as-code and misconfiguration risk for cloud resources from repositories.

SOURCE: BusinessWire