Why Today’s Organizations Need a Risk-Based Approach to Code Security


We salute October as National Cyber Security Awareness Month

As we salute National Cyber Security Awareness Month, we also want to recognize the continued increase in application-based software supply chain attacks. The process of providing security and protection during software development cycles is inconsistent, resulting in gaps, vulnerabilities, and many false positive alerts. That’s why we’re asking all organizations to take a risk-based approach to code security to identify and prioritize the threats and critical vulnerabilities that really matter.

Gartner, in a security briefing on software supply chain risks [1], notes that “attackers target software development systems, open source artifacts and devops pipelines to compromise software supply chains.” The brief also cites one of Gartner’s strategic planning assumptions: that 45% of organizations worldwide will have experienced attacks on their software supply chains by 2025, a three-fold increase from 2021.

Our take is that the main contributor to this trend is the fact that code is everywhere. In practice this means recognizing how software is developed today: from code held in many repositories that may reside inside or outside the organization. The growing use of open source software and the reliance on APIs to integrate with third-party applications increase the presence of secrets in code that can be compromised, as threat actors exploit vulnerabilities at every step of the development cycle.

Earlier this year, cybersecurity researchers at the Ponemon Institute released a report on application security risks [2]. The report contains the results of a survey of more than 600 people engaged in developing, testing and securing applications. Respondents were almost evenly split between medium and large organizations.

Over the past year, those responsible for application security have found remediation of code vulnerabilities to be slow and have relied on point solutions whose false positive rate is so high that effective mitigation has become impossible. This is especially true for open source application security tools as well as some of the one-off products that deal with static code testing, or with dynamic testing closer to deployment. It is well known that threats and vulnerabilities detected in the run-up to deployment are incredibly expensive to patch and can cause many other unexpected disruptions.

According to one of the results of the Ponemon survey, 84% of respondents felt that it is difficult to determine and reduce the risk to applications because they cannot monitor, detect and prevent attacks that target code and application vulnerabilities.

The shift-left trend requires that application security controls move left, into the hands of developers. This refers to the familiar DevOps process diagram and the fact that security needs to move left from Ops to Dev, closer to where the initial development takes place. Despite the high visibility that shift-left has received, application security has not transcended silos in many organizations.

Another finding from the previously mentioned study is that 65% of those surveyed said their organizations had little or no collaboration between developers and security teams. The downside for these companies is the inability to quickly detect vulnerabilities and take appropriate action to remediate code vulnerabilities.

One of the key metrics for reviewing application security solutions is the time it takes organizations to resolve security issues once they are detected in applications already deployed to production. Some organizations have taken steps to resolve production vulnerabilities in minutes or hours. However, 58 percent of the organizations surveyed had to contend with the impact over a period spanning days, weeks or even months.

Developers often feel that security controls are put in place after the fact and, in many cases, are bypassed to meet ever-increasing expectations of faster code delivery. Providing effective security tools that work within common daily developer workflows will lead to better results. Because of the longer resolution times, many organizations report that their backlog of vulnerabilities is growing. On the plus side, the accumulating security debt is now forcing them to foster dialogue between developers and security teams.

As noted in the Verizon Data Breach Investigations Report 2021 [3], over 80% of security incidents are caused by compromised credentials. Compromised credentials once referred only to stolen username and password combinations or credential attacks mounted by automated bots. Today, however, compromised credentials can also mean secrets in code such as app-level login credentials, tokens passed between apps, and keys passed when calling APIs. Organizations that promote security standards such as OWASP (Open Web Application Security Project) also promote the need to monitor secrets in code.

The BluBracket code security solution is comprehensive and extends beyond secrets in code to include many other risks that must be addressed. BluBracket’s Code Security solution can be applied at different stages of the development cycle.

BluBracket is the most effective solution for discovering vulnerabilities, determining associated risks, and best of all, providing a means to mitigate threats. BluBracket can provide a risk score which is a quantifiable measure of risk over time. Unlike many point solutions, BluBracket can virtually eliminate the huge number of false positives that practitioners face with point solutions and open source tools.

Finally, as a solution designed for developers, BluBracket is easy to integrate into daily development workflows. It has the flexibility to run on all git repositories, both internal and external. Integration with existing DevOps and CI/CD tools commonly found in the enterprise allows developers to easily include BluBracket in their daily routines.

Here are some of the ways companies today are using BluBracket:

Running a full repository scan – Developers can check for hard-coded secrets in their commit history across a variety of repositories, both internal and external. In addition, developers and security engineers can discover who has access to the code and take action to limit the number of owners and collaborators to improve security. Git configuration errors are a particular area of risk. BluBracket can help detect insufficient branch protection rules, as well as multi-factor authentication configurations.

Perform pre-commit checks – Developers can avoid coding errors before committing to their local history on their workstation or device by taking advantage of the BluBracket CLI. Developers can then take action using environment variables or a secrets management tool. This eliminates the risk of leaving secrets in plain text. The solution also highlights unsigned commits, prompting developers to sign them for better security through identity management. Most importantly, it finds and highlights the presence of Personally Identifiable Information (PII) that could constitute a compliance violation or lead to a material breach.

Complete pull request checks – to intercept hard-coded secrets before they are inadvertently merged into a remote feature branch. This is also the stage at which the BluBracket code security solution checks for infrastructure-as-code (IaC) configuration errors. IaC has evolved into an area requiring security vulnerability monitoring as infrastructure deployment is increasingly automated with scripts that configure infrastructure environments, eliminating manual configuration effort. Detecting and resolving potential infrastructure vulnerabilities directly in the development workflow will prevent you from having to deal with security incidents after deployment.

Ensure post-merge validation – In the event that a risk is not detected in the early stages of the development cycle, BluBracket also escalates alerts when hard-coded secrets are merged into a main code branch. Integration with Slack, PagerDuty, ServiceNow and many other tools allows teams to be notified immediately and corrective actions to be initiated instantly. Additional capabilities include scanning containers such as Docker and Kubernetes for secrets. BluBracket regularly scans public repositories for vulnerabilities that may have already been disclosed.
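A minimal illustration of the pre-commit and pull request stages above, as an added example that is not BluBracket's code: it scans the added lines of a constructed diff for hard-coded secrets with a fixed-format rule and an entropy rule, and suppresses the placeholder and documentation hits that produce the false positives the post complains about. The regexes, entropy threshold, severities and sample diff are all assumptions made for the example.

```python
import math
import re

# Constructed staged diff (the "+" side a pre-commit hook inspects); every
# value is made up for this example and none is a real credential.
SAMPLE_DIFF = """\
+++ b/app/config.py
+DB_HOST = "db.internal"
+AWS_ACCESS_KEY_ID = "AKIAQ2W3E4R5T6Y7U8I9"
+API_TOKEN = "changeme"
+SESSION_SECRET = "q9Z3xV7kP2mL8nR4tW6yB1cD5fG0hJ2s"
+++ b/docs/README.md
+AWS_ACCESS_KEY_ID = "AKIAQ2W3E4R5T6Y7U8I9"  # replace with your own key
"""

# Rule 1: secret-looking variable assigned a quoted literal of 8+ chars.
ASSIGN_RE = re.compile(
    r"(?P<name>\w*(secret|token|password|passwd|api_key|access_key)\w*)"
    r"\s*[=:]\s*['\"](?P<value>[^'\"]{8,})['\"]", re.IGNORECASE)
# Rule 2: AWS access key id, a fixed-format credential (AKIA + 16 chars).
AWS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# Placeholders and documentation paths are the classic false-positive sources.
PLACEHOLDER_RE = re.compile(r"example|changeme|your[_-]?key|xxx|\$\{", re.IGNORECASE)
DOC_PATH_RE = re.compile(r"(^|/)(docs|README)", re.IGNORECASE)
MIN_ENTROPY = 3.0  # bits per char; a random 32-char secret scores near 5

def shannon_entropy(s: str) -> float:
    """Bits per character: a rough measure of how random a literal looks."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def scan_diff(diff_text: str) -> list:
    findings, path = [], ""
    for raw in diff_text.splitlines():
        if raw.startswith("+++ b/"):
            path = raw[6:]  # file the following added lines belong to
            continue
        if not raw.startswith("+") or DOC_PATH_RE.search(path):
            continue  # context/removed line, or a documentation file
        line = raw[1:]
        aws = AWS_KEY_RE.search(line)
        if aws and not PLACEHOLDER_RE.search(line):
            findings.append({"file": path, "rule": "aws-access-key-id",
                             "severity": "high", "match": aws.group(1)})
            continue
        m = ASSIGN_RE.search(line)
        if m and not PLACEHOLDER_RE.search(m.group("value")) \
                and shannon_entropy(m.group("value")) >= MIN_ENTROPY:
            findings.append({"file": path, "rule": "high-entropy-assignment",
                             "severity": "medium", "match": m.group("name")})
    return findings
```

Running `scan_diff(SAMPLE_DIFF)` reports the AWS key in `app/config.py` as high and the random `SESSION_SECRET` as medium, while the `changeme` placeholder and the README copy of the key are dropped rather than raised as alerts.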

BluBracket Offers Risk-Based Approach to Code Security for Today’s Application Development Practices

BluBracket offers a modern approach to today’s application development practices. It provides the most comprehensive code security solution that enables developers and security professionals to identify risks early in the development process and throughout the CI/CD process. With deep links to the code, the solution provides actionable remediation for each risk found.

For more information on the full set of risks covered by BluBracket and how BluBracket can help your team reduce code security risks, please contact us at [email protected]


  1. How Software Engineering Leaders Can Mitigate Software Supply Chain Security Risks, Manjunath Bhatt, Dale Gardner, Mark Horvath, Gartner, July 2021
  2. Reducing Enterprise Application Security Risks, Research Report, Ponemon Institute, February 2021
  3. Verizon DBIR (Data Breach Investigation Report) 2021

*** This is a Syndicated Security Bloggers Network blog by BluBracket: Code Security & Secret Detection written by blubracket. Read the original post on: https://blubracket.com/risk-based-code-security/


Margie D. Carlisle