In early August 2022, the Consortium for Information & Software Quality (CISQ) released a new specification, the Automated Source Code Data Protection Measure (ASCDPM). CISQ is an industry leadership group that develops international standards for automating the measurement of software size and structural quality from source code. The new ASCDPM measures the extent to which applications protect confidential data from unauthorized access and has been approved and published as an Object Management Group (OMG) standard.
When every business is a software business, software security becomes a matter of business security. According to the 2022 IBM Cost of a Data Breach Report, the average cost of a data breach increased 2.6%, from USD 4.24 million in 2021 to USD 4.35 million in 2022, and is up 12.7% from the USD 3.86 million reported in 2020. Meanwhile, the frequency of breaches also increased. In the first quarter of 2022, data breaches were up 14% over the same quarter a year earlier, according to the Identity Theft Resource Center (ITRC), the third consecutive year of first-quarter increases. That follows 2021's 68% increase in breaches over 2020, which beat the previous record, set in 2017, by 23%.
As a result, there’s a real push across all industries to increase security, starting with the software supply chain. The recent Enterprise Strategy Group (ESG) report, “Walking the Line: GitOps and Shift Left Security”, found that organizations are drilling down on supply chain security to encompass not just open source and third-party code but also development tools and pipelines, repos, APIs, infrastructure-as-code, containers, and cloud configurations. Meanwhile, the shift to cloud-native application development has organizations concerned about the risks posed to additional nodes of their supply chain. The ESG report found that 73% of organizations reported they have “significantly increased” their software supply chain security efforts in response to recent supply chain attacks.
This is where standards like the ASCDPM come into play. They enable organizations to measure the operational risk software poses to their business and estimate the cost of corrective maintenance so they can take appropriate security measures.
CISQ developed the ASCDPM from a curated set of software weaknesses in the Common Weakness Enumeration (CWE) repository, each of which can lead to confidential data being exposed or corrupted. DevSecOps teams can use the ASCDPM in application security testing to reveal source-level vectors for data leakage or data corruption, as well as indicators of non-compliance with data protection and privacy guidelines. If an organization runs software on a network-connected asset and that software contains one or more of these CWEs, the organization is at risk of not conforming with its data protection requirements.
This data protection measure is relevant to the guidelines associated with privacy and data protection laws and regulatory programs such as the Cybersecurity Maturity Model Certification (CMMC), the Health Insurance Portability and Accountability Act (HIPAA), the General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA). The ASCDPM spotlights which CWEs matter for enterprises seeking to comply with regulatory guidance on data protection and privacy. Many organizations already undergo process assessments for the CMMC, GDPR, and CCPA, as well as for information security standards like ISO 27001, NIST SP 800-53, and NIST SP 800-171; the ASCDPM adds a code-level measure to those process-level assessments.
When it comes to measuring against the ASCDPM, we can provide the tools for software composition analysis (SCA), static application security testing (SAST), and dynamic application security testing (DAST). With Black Duck for SCA, Coverity for SAST, and Continuous Dynamic™ for DAST, Black Duck has a suite of tools that covers nearly all of the CWEs included in the standard.
Black Duck's SCA performs multifactor open source detection to give you complete visibility into the software components of any application or container. Coverity SAST examines source code to find software flaws and weaknesses, while DAST scans running web applications from the outside to look for security vulnerabilities such as cross-site scripting, SQL injection, and command injection. SCA, SAST, and DAST are complementary but different testing approaches: they find different types of vulnerabilities, and where they overlap they find the same weakness from different vantage points.
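To make the SAST/DAST distinction concrete, here is one SQL-injection weakness (CWE-89, one of the classes of flaw mentioned above) seen both ways: a toy source-level rule in the spirit of a SAST check, and a black-box tautology probe in the spirit of a DAST check against the running code, beside the parameterized fix. This is an added example written for this page; it is not code from the original post or from any Black Duck product, and the schema, rows, payload and regex are all constructed here.

```python
"""Added example, not code from the original post or from any Black Duck tool.

One SQL-injection weakness (the "source vector" that SAST reads out of the
code) seen two ways: a toy source-level rule in the spirit of a SAST check,
and a black-box probe in the spirit of a DAST check against the running
function. The schema, rows, payload and regex are all constructed here.
"""
import inspect
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a users table carrying a confidential column."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, ssn TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "111-11-1111"), (2, "bob", "222-22-2222")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Untrusted input is spliced into the query text: what a SAST rule flags.
    query = "SELECT id, username, ssn FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_fixed(conn: sqlite3.Connection, username: str) -> list:
    # Remediation: a bound parameter, so the input can never become syntax.
    sql = "SELECT id, username, ssn FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Toy SAST-style rule (constructed): an SQL keyword in a string literal that
# is then concatenated with a name. Real SAST tools track data flow from an
# untrusted source to the query sink instead of matching text.
_CONCAT_INTO_SQL = re.compile(
    r"\b(SELECT|INSERT|UPDATE|DELETE)\b[^\n]*\+\s*\w+", re.IGNORECASE
)


def sast_flag(target) -> bool:
    """Return True if the function (or source text) builds SQL by concatenation."""
    source = target if isinstance(target, str) else inspect.getsource(target)
    return bool(_CONCAT_INTO_SQL.search(source))


def dast_probe(lookup, conn: sqlite3.Connection) -> tuple:
    """Black-box check: does a tautology payload return more rows than a
    benign lookup? Returns (rows_for_benign_input, rows_for_payload)."""
    benign = lookup(conn, "alice")
    payload = lookup(conn, "x' OR '1'='1")
    return len(benign), len(payload)


def is_injectable(lookup, conn: sqlite3.Connection) -> bool:
    """DAST-style verdict: the payload leaked rows the benign request did not."""
    benign, payload = dast_probe(lookup, conn)
    return payload > benign


if __name__ == "__main__":
    db = make_db()
    for fn in (lookup_vulnerable, lookup_fixed):
        print(fn.__name__, "sast:", sast_flag(fn), "dast:", is_injectable(fn, db))
```

Running it shows the vulnerable lookup flagged by both views (the static rule sees the concatenation; the probe sees two rows, including another user's SSN, come back for a one-user request) and the fixed lookup flagged by neither. The regex rule is deliberately crude; its point is that SAST reasons about how the query is built, whereas DAST only sees what the running application returns.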
Black Duck's discovery technology lets you compile a complete software bill of materials (SBOM) of the open source, third-party, and proprietary software components used to build applications and containers. As part of this compilation, Black Duck can also alert you when a component in your SBOM carries a known vulnerability whose weakness type is one of the CWEs listed in the ASCDPM.
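The matching step behind an alert like that is simple to state: resolve each SBOM component to a package and version, check it against an advisory feed, and tag each hit with whether the advisory's CWE is in the policy's set. The following is an added example written for this page, not Black Duck's code; the CycloneDX-style SBOM, the advisory feed (fictional package names and advisory IDs, no real CVEs) and the in-scope CWE set are all constructed, and the CWE IDs in that set are real CWE entries that are only assumed to be in scope here, not quoted from the ASCDPM.

```python
"""Added example, not code from the original post or from Black Duck.

Shows the matching step behind an SBOM-driven alert: each component's
package URL and version is checked against an advisory feed, and each hit
is tagged with whether its weakness type (CWE) is in a policy's CWE set.
The SBOM, the advisories and the CWE set are constructed for the example;
the CWE IDs are real CWE entries but are only assumed to be in scope here,
not taken from the ASCDPM.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    id: str              # constructed advisory identifier, not a real CVE
    package: str         # package URL without the version, e.g. pkg:pypi/name
    introduced: tuple    # first affected version (inclusive)
    fixed: tuple         # first fixed version (exclusive bound)
    cwe: str             # weakness type the advisory is classified under


def parse_version(version: str) -> tuple:
    """'1.4.0' -> (1, 4, 0); non-numeric parts become 0, padded to 3 fields."""
    parts = [int(p) if p.isdigit() else 0 for p in version.split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def split_purl(purl: str) -> tuple:
    """'pkg:pypi/fooparse@1.4.0' -> ('pkg:pypi/fooparse', '1.4.0')."""
    name, _, version = purl.partition("@")
    return name, version


def match_sbom(sbom: dict, advisories: list, in_scope_cwes: set) -> list:
    """Return one finding per (component, advisory) pair whose version is affected."""
    findings = []
    for comp in sbom["components"]:
        name, version = split_purl(comp["purl"])
        v = parse_version(version)
        for adv in advisories:
            if adv.package == name and adv.introduced <= v < adv.fixed:
                findings.append({
                    "component": comp["purl"],
                    "advisory": adv.id,
                    "cwe": adv.cwe,
                    "in_scope": adv.cwe in in_scope_cwes,
                })
    return findings


# Constructed minimal CycloneDX-style SBOM; package names are fictional.
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"name": "fooparse", "version": "1.4.0", "purl": "pkg:pypi/fooparse@1.4.0"},
        {"name": "barclient", "version": "3.2.1", "purl": "pkg:npm/barclient@3.2.1"},
        {"name": "bazcrypto", "version": "0.9.2", "purl": "pkg:pypi/bazcrypto@0.9.2"},
    ],
}

# Constructed advisory feed (IDs and version ranges invented for the example).
ADVISORIES = [
    Advisory("ADV-0001", "pkg:pypi/fooparse", (1, 0, 0), (1, 5, 0), "CWE-89"),
    Advisory("ADV-0002", "pkg:npm/barclient", (3, 0, 0), (3, 2, 0), "CWE-79"),
    Advisory("ADV-0003", "pkg:pypi/bazcrypto", (0, 0, 0), (1, 0, 0), "CWE-327"),
    Advisory("ADV-0004", "pkg:pypi/fooparse", (1, 4, 0), (1, 4, 1), "CWE-312"),
]

# Hypothetical policy set: CWE-89 (SQL injection), CWE-312 (cleartext storage
# of sensitive information), CWE-798 (hard-coded credentials). Assumed here,
# not quoted from the ASCDPM.
IN_SCOPE_CWES = {"CWE-89", "CWE-312", "CWE-798"}


def in_scope_findings(sbom=SBOM, advisories=ADVISORIES, cwes=IN_SCOPE_CWES) -> list:
    """The subset of findings that should raise a policy alert."""
    return [f for f in match_sbom(sbom, advisories, cwes) if f["in_scope"]]


if __name__ == "__main__":
    for f in match_sbom(SBOM, ADVISORIES, IN_SCOPE_CWES):
        flag = "ALERT" if f["in_scope"] else "info "
        print(flag, f["component"], f["advisory"], f["cwe"])
```

Three advisories match the constructed SBOM (barclient 3.2.1 is already past its fix version), but only the two classified under in-scope CWEs become policy alerts; the CWE-327 hit is still reported, just not as a data-protection finding. The version comparison is a simplification: real SCA tooling has to handle ecosystem-specific version schemes rather than plain dotted integers.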
Coverity provides a fast, accurate, and highly scalable SAST solution that helps development and security teams address quality and security early in the SDLC. This lets organizations track and manage risks across their application portfolio, including the weaknesses covered by the ASCDPM. Coverity also works with the Code Sight IDE plugin to deliver findings directly to developers so they can find and fix security and quality defects as they write code. Code Sight provides fast and accurate incremental analysis that gives developers real-time results, including CWE information, remediation guidance, and relevant security training, inside the IDE. Coverity currently covers the nearly 90 CWEs enumerated by the ASCDPM, with the exception of CWE-1051 and CWE-1058.
Continuous Dynamic™ allows you to safely scan applications in production without the need for a separate test environment, so you are testing exactly the same attack surface that is exposed to attackers. Continuous Dynamic also offers continuous scanning that detects and adapts to code changes, ensuring that new functionality is automatically tested, as well as personalized remediation guidance from a team of application security experts. The result is a prioritized list of vulnerabilities, including many of the weakness classes referenced in the ASCDPM, and the guidance to fix them.
While the ASCDPM is primarily designed as a source code analysis standard, it's important to also test your applications from the outside, at the interfaces the running implementation exposes. Continuous Dynamic provides detection coverage in the areas that can be tested dynamically and is an important complement to the SAST testing you're already doing. And because Continuous Dynamic exercises the running application over its web interface rather than reading its source, the language the application is written in does not limit its coverage.
As the pace of digital transformation increases, so too does the attack surface that adversaries can exploit. Standards like the ASCDPM are one more tool organizations can use to ensure that they are protecting their own data and their customers' data. Data breaches are expensive not only in money but in development time and reputational damage. Black Duck can help you measure against the ASCDPM across SCA, SAST, and DAST with Black Duck, Coverity, and Continuous Dynamic. By building security into your software as you write it, you protect your bottom line and build trust in your software, at the speed your business demands.