“Trust us”, we can do it better together

Chris Wysopal, CTO and CISO at Veracode, discusses the importance of third-party software assurance following Oracle CISO, Mary Ann Davidson’s recent blog condemning it.

We are at a pivotal moment in the history of software. As a society, we are becoming ever more reliant on code, whether in the financial services industry, managing operations of Critical National Infrastructure (CNI), or operating medical equipment.

This increasing attack surface hasn’t escaped the attention of cyberattackers. Vulnerable web applications have been the leading causes of data breaches over the past two years, according to Verizon’s 2015 Data Breach Investigations Report.

That’s why it has become so crucial to demonstrate that you actually are producing secure software. Customers increasingly understand the risks created by the software supply chain, and want assurances and independent validation that all procured software is compliant with their own corporate security policies.

“No, You Really Can’t” – but should I?

It’s this ever-increasing threat that made the comments last week from Mary Ann Davidson, Oracle’s CISO, so shocking to the security community. Davidson lit a firestorm when she posted her blog titled “No, You Really Can’t” – although it has since been removed, with Edward Screven, Oracle’s Executive Vice President and Chief Corporate Architect, stating it didn’t “reflect our beliefs or our relationship with our customers”.

In short, the blog post argued there’s no need for external assurance of Oracle’s software, and that any attempt to validate their “trust us” claim via third-party assessment breaks their end-user license agreement (EULA). This can result in a strongly worded letter from their lawyers demanding that you stop. I should know – I’ve received such a letter for Veracode’s work providing such third-party code audits for business customers.

So what’s the fuss about?

Firstly, it’s worth explaining how a software testing firm works in order to understand Mary Ann’s objection. Veracode works with companies as an independent assessor to evaluate the security of their software supply chains, delivering this capability as an automated cloud-based service with a self-service model accessible directly by the software provider to ensure neutrality. The company itself never has access to the code or to the vulnerability report – both are sent directly to the software provider, alerting them to critical vulnerabilities they previously didn’t know about so they can remediate them.

Why do all this? It means businesses can hold their software suppliers accountable for any vulnerable code that, if left un-remediated, introduces risk to both their corporate networks and sensitive data.

In the past, software vendors were always able to say, “trust us”, but now, customers have expectations around supply chain security that must be met. Third-party assessments help tick all the boxes: ensuring software security while also mediating concerns around protecting the provider’s intellectual property and keeping sensitive vulnerability information private between the assessed and the assessor.

What’s not to like?

The system works well and we now work with many software providers who’ve sought our help. But Mary Ann Davidson isn’t a fan, first coming out against the process in a blog post in 2011 that roughly stated “we [Oracle] have security covered, so trust us”.

Trust is undoubtedly important. However, I’m yet to meet a security professional who doesn’t adhere to the ‘trust but verify’ motto. That’s why standard certifications, like SOC 2 for cloud service providers, are designed specifically to provide third-party audits and verify a service provider’s security posture.

Davidson does make a few good points about businesses receiving raw analysis results and the confusion this can cause (resulting, for example, from false positives or through being unaware of mitigations in the code that can prevent exploitation). But by engaging directly with software providers, third-party software assurance can easily avoid this.

Veracode’s remediation consultants, for example, work directly with software providers to determine which results are false positives and which are mitigated by design or by the environment. This further trains their developers in secure coding practices and helps them remediate vulnerabilities quickly and efficiently.

This system works. Last year alone, Veracode helped organisations remediate 4.7 million vulnerabilities.

Digitisation and interconnectedness are the single biggest factors that will drive both economic growth and societal progress in the foreseeable future. But we can only achieve this if we can trust the security of the software that runs the world and our lives.

That means getting everyone involved – commercial software providers, businesses, independent third-party assessors, and security researchers alike – to be transparent and collaborative.

We all want a safer world. Trust me, we can do it better together.