Let’s explore the key insights from the White House Technical Report and delve into recommendations for integrating security across the software development lifecycle (SDLC).
Securing Cyberspace Building Blocks: The Role of Programming Languages
The White House's report emphasizes the programming language as a primary building block in securing the digital ecosystem. It highlights the prevalence of memory safety vulnerabilities and the need to proactively eliminate entire classes of software vulnerabilities. The report advocates for the adoption of memory safe programming languages, which have been proven to improve software security.
It emphasizes that choosing memory safe programming languages at the outset can reduce memory safety errors and enhance the reliability and predictability of software systems.
However, it also acknowledges that, “Even if every known vulnerability were to be fixed, the prevalence of undiscovered vulnerabilities across the software ecosystem would still present additional risk.” There are no silver bullets in cybersecurity, so it’s good to see this understanding here. Memory corruption vulnerabilities are prevalent but so are vulnerabilities of other types.
Integrating Security Across the Software Development Lifecycle to Increase Measurability
The second main point of the report is about software measurability and metrics for determining cybersecurity quality. This element is also touched on in the National Cybersecurity Strategy Implementation Plan (NCSIP) the Biden administration announced in 2023.
The strategy mentions “reasonable precautions” that need to be taken as part of a shift in liability to software companies, and a “safe harbor framework” is needed to define what reasonable precautions are. My recommendation is to move toward continuous code scanning for security flaws, accompanied by continuous mitigation, as I shared recently in this Forbes article about preparing for the NCSIP.
This proactive approach allows for the collection of data on security vulnerabilities, their frequency, and their impact. By prioritizing security from the outset and making it incorporated directly into the developer toolchain, organizations can gather valuable data and metrics that enable better measurement and evaluation of software security. Veracode has been measuring the frequency of these vulnerability classes for over 10 years across hundreds of thousands of applications. Our archive of State of Software Security (SoSS) reports serves as a resource for the software assurance community; this year’s report was the first to reach the data of one million applications analyzed.
A Tip for Making this Implementation Easier on Software Developers
One development in this space is Veracode's new IDE plugin, which combines Veracode Static Analysis (SAST) and Software Composition Analysis (SCA) into a single plugin. This integration allows developers to efficiently scan their projects for security weaknesses and risks in both first-party code and third-party libraries – and remediate them right in the IDE. Our data shows that developers that engage with SAST and its results in the IDE fix flaws significantly faster. This is welcome news for development teams not typically given the resources to fix all their critical vulnerabilities.
By seamlessly integrating security testing and remediation into the development environment, developers can identify and address vulnerabilities early in the SDLC, reducing the risk of security breaches and ensuring the delivery of more secure software.
It also helps foster a culture of security awareness and responsibility among developers. It enables them to make informed decisions about the security of their code and dependencies, ultimately leading to the development of more secure software at a speed that allows you to scale.
Harnessing Automation and AI for Operational Improvements
The report doesn’t specifically address the role of automation and artificial intelligence (AI) in operational improvements. However, it’s 2024, and AI is increasingly ubiquitous.
One concern with AI initiatives is the potential risks associated with AI-generated code. While AI can accelerate innovation and streamline development processes, there’s a need for careful management to ensure that the generated code meets security and quality standards. Automated code generation requires automated code testing and remediation, lest increased code velocity simply turns into an increased rate of security debt creation. Establish continuous testing and validation processes to verify the reliability and security of AI-generated code.
By utilizing responsible-by-design AI trained on a specific dataset, like Veracode Fix, AI can suggest how to remediate security flaws by AI-generated code. This proactive approach helps enhance the security and quality of the codebase, mitigating risks associated with AI-generated code. You can still get the benefits of increased code velocity without the additional risk.
Managing Risk with Software Supply Chain Security
A key insight from the White House Technical Report on Software Security is the importance of managing risk through software supply chain security. The report highlights the significance of choosing provably secure software libraries to reduce the likelihood of vulnerabilities in the components used by developers.
Our State of Software Security 2024 report takes a deep dive into choosing secure libraries based on the analysis of over one million applications. For data-driven guidance on choosing secure libraries, download your copy now.
Additionally, regular updates and patches should be applied to address any newly discovered vulnerabilities or security issues. By actively managing the security of software libraries, organizations can minimize the risk of incorporating vulnerable components into their applications.
Conclusion: Taking Action to Prioritize Software Security and Compliance
The release of the February 2024 White House Technical Report highlights the urgent need to prioritize software security in the rapidly evolving digital landscape. To learn more about how to do this and implement these recommendations effectively, we invite you to schedule a call with one of our experts. Our team can provide valuable insights and guidance tailored to your organization's specific needs.
Don't miss out on the opportunity to enhance your software security practices. Schedule a call with us today.