Software and online security are front-and-center in corporate boardrooms and corner offices around the world. The September 2017 cyber attack on US credit company Equifax is a recent example. Hackers potentially compromised sensitive information of 143 million Equifax consumers, including social security numbers.
But Equifax is just one high-profile incident in the steady rise of cyber crimes targeting corporate software applications and software-enabled products. Sadly, the pace of these threats will likely accelerate and be felt more broadly in the coming years given the explosion of software-controlled connected Internet of Things (IoT) devices. Given the risks, it is essential that companies take all possible security measures before they launch new products.
But where to start?
There are three broad categories of vulnerability that account for the majority of cyber attacks: software coding, exposed network interfaces and misconfiguration of the product. The most important category to focus on is software coding. Hardening the software-coding development process requires investment in automation frameworks, which pay dividends over the long-run by preventing security breaches and theft of sensitive information.
But as the software development process evolves, so do the challenges of maintaining a high level of security. Here are four challenges that must be recognized and addressed:
■ Maintain discipline and adopt best practices. When it comes to secure coding, there are no formal, objective standards to It’s up to the organization to identify and adopt best practices and try to implement them in the systems development lifecycle.
■ Shorter delivery cycles. Software delivery models have changed from the traditional waterfall model to agile and secure DevOps. This shift puts more emphasis on implementing the code and software functionality than on code security.
■ Rich toolsets. Finding coding-related vulnerabilities is one of the most challenging tasks developers face because there are so many automated code-review security tools available. The tools are often expensive, cumbersome and lack documentation and analyzing the reports from different tools is challenging.
■ False positive removal. Some reports generated by secure-code vulnerability analyzers produce false positives or false negatives. Interpreting the data is critical to identifying security threats, but it is a manual process and consumes a lot of time.
Software security solution: HAVOC
To address these challenges and elevate software security, Aricent has developed a solution called HAVOC, short for Highly Automated Vulnerability Assessment Orchestration Containers. (See Figure 1.) The HAVOC framework automates security testing, allowing companies to harden their products and ecosystems and reduce security vulnerabilities. HAVOC is scalable, provides tool coverage and let’s security analysts move fast during analysis. Organizations leveraging HAVOC no longer require large, highly skilled and expensive-to-maintain workforces to design for security and ensure a high degree of customer trust.
Figure 1. HAVOC Automation and Orchestration
As a security testing automation orchestrator, HAVOC integrates multiple tools, including secure-code reviews tools. With the tools integrated into the framework, HAVOC eradicates common security bugs in the code using efficient automation methods. Aricent conceptualized and created HAVOC to address the challenges traditionally seen in the security testing and especially in insecure, static-code analysis. Automating the security vulnerability assessment and penetration testing (VAPT), the HAVOC static-code review analysis addresses most of the challenges discussed above.
HAVOC addresses all four of the challenges described above:
■ Maintain discipline and adopt best practices. HAVOC automates the entire security test automation process including static-code analysis. There is no extra effort needed by the developer during coding.
■ Shorter delivery cycles. HAVOC security tests can be controlled by a single click once the code is committed to secure-code review or when the new code is deployed for the VAPT. This lowers the risk of developers ignoring or overlooking essential tests given the shorter lifecycle.
■ Rich toolsets. The HAVOC toolset coverage is broad and supports other security tools. With a single click, the user can run the scan using multiple tools without any extra manual effort. When developers use multiple tools for the same type of tests, HAVOC can read and parse the results from the tools and normalize and combine the reports.
■ False positive removal. HAVOC helps to overcome the false-positive and false-negative problems by tagging these vulnerabilities. Once tagged, HAVOC does not display the vulnerability in the report.
Security testing is only going to become more critical as the number of networked devices proliferates, and cyber attacks increase. Aricent’s HAVOC bridges the security-testing gap by efficiently orchestrating the tests and reducing manual effort. This allows security testers and developers-as well as boards of directors and senior management-to concentrate on creating secure products and growing revenue.