Being part of CA Veracode Verified demonstrates commitment to produce secure software

Adelaide, Australia – June 12th, 2018 – Prophecy International today announced that it participates in CA Veracode Verified, a program that validates a company’s secure software development processes. With approximately 30 percent of all breaches occurring as a result of a vulnerability at the application layer, software purchasers are demanding more insight into the security of the software they are buying. CA Veracode Verified empowers Prophecy to demonstrate its commitment to creating secure software.

When purchasing software, customers and prospects want to understand how secure it is. As part of CA Veracode Verified, Prophecy can now demonstrate, through a seal and an attestation letter from an industry leader, that the application has undergone security testing as part of its development practice. Participating in the program also requires that our software meet a defined standard of application security, reducing risk for the customer.

Organizations whose secure development practice has been validated, and whose application has been accepted into the Standard Tier, have demonstrated that the following security gates are implemented in their software development practice:

  • Assesses first-party code with static analysis
  • Documents that the application does not allow Very High flaws in first-party code
  • Provides developers with remediation guidance when new flaws are introduced

Snare has been solving log monitoring and management problems around the globe for almost 20 years. It is a key component in successful SIEM deployments from nearly every SIEM vendor and is trusted by private enterprises and government agencies alike for its ease of deployment and rock-solid architecture.

“Prophecy is committed to delivering secure code to help organizations reduce the risk of a major security breach. Companies that invest in secure coding processes and follow our protocol for a mature application security program are able to deliver more confidence to customers who deploy their software,” said Asha May, CA Veracode.

“As an organization we have always put security first, so this was the next logical step to show our customers just how secure our applications really are and so they can rest easy knowing their security and compliance goals are not jeopardized by our software,” said Steve Challans, CISO of Prophecy International.

About Prophecy International Holdings Limited

Prophecy International Holdings Limited is a listed Australian company (ASX:PRO) that has been operating globally since the 1980s. More recently the focus at Prophecy has been on growing the eMite and Snare lines of business. The eMite service intelligence platform combines analytics, correlation, and capacity, performance, availability and SLA management into a single, out-of-the-box solution that gives customers real-time insight. The Snare product suite is a highly scalable platform of security products designed to find, filter and forward event log data. Snare log sources include Windows, flat files, databases, Linux, Mac and Solaris, with coverage for desktops and servers.

Prophecy operates globally from Adelaide and Sydney in Australia, London in the United Kingdom and in Denver, USA.

You can see Prophecy listed in Veracode’s directory here: https://www.veracode.com/verified/directory/prophecy-international

It seems like a silly question, but how many companies take the extra step of having the millions of lines of code in their solutions independently checked for vulnerabilities? It’s easy to say your code is secure; it’s a completely different thing to pay an accredited third party to review your applications and put their own brand reputation behind the result. With this in mind, Snare teamed with CA Veracode to put our Snare agent software through the Veracode Verified program, which reviews both the executable and the application source. It is a lengthy process, and the first products to finish were the Snare Windows Agent v5.1 and Snare Agent Manager v1.1.0, which achieved Veracode Level 4 (VL4). VL4 means that no Very High, High or Medium severity flaws were found when Veracode reviewed the applications against the OWASP Top 10 and SANS Top 25 secure coding vulnerabilities. As part of the Verified program we have achieved Verified Standard.

What exactly goes into being Veracode Verified? It’s a back and forth between us and Veracode: they go through our application and check the results against a policy built on the OWASP Top 10 and SANS Top 25 known coding vulnerabilities, providing assurance that the application did not contain those classes of coding vulnerability at the time of the scan. To maintain Verified status we are required to rescan for every release or every six months, whichever occurs first. It is now built into our development and release process, so the Windows Agent and Snare Agent Manager are reviewed continually. Talk about an extra mile (or kilometre for those of you on the metric system).

Our competitors haven’t taken this extra step, and while we understand why, it was important to us that our best-selling products are built securely and are free from the known vulnerability classes these scans check for. You can’t go a week anymore without major breaches making headlines, and vulnerabilities can often be found in the most unassuming places. So we went ahead and made sure that we are not only helping you secure your organization but that we continue to do so with solutions whose security has been independently verified.

Check out Veracode’s website to learn more about being Verified. 

Check out our page on Snare Agents to learn more about the world’s favorite logging tool.

Most of the time security professionals worry about zeros and ones – to simplify our entire industry somewhat. In essence, we’re trying to keep our own assets protected and keep outsiders, well, on the outside – and technology solutions, people and processes are obviously core to that.

However, there’s always one big grey area when it comes to putting effective cyber security protections into practice – our own people.

The reality is, if companies didn’t have people in them, they’d be a lot easier to secure. Unrealistic I know but it’s a fact. (And yes, in a previous blog I did also point out that not having the internet connected would also be quite good too).

No matter how secure your infrastructure, applications and devices, if a suitably-enabled staff member or contractor really wants to walk out the front door with private and confidential information, there’s little you can do to stop it from happening.

In addition, privileged users such as system and network administrators, database administrators, data owners, finance and HR staff can cause significant damage at an industrial scale if they maliciously attack systems or delete, change or leak sensitive information.

You’d hope it would be detected very quickly; perhaps DLP software will set off bells and sirens, and maybe physical security will stop a malicious, physical attempt to steal information. But mostly, that information will just walk out the door.

So this is the interesting bit. Once you have set access levels and rights correctly, you then have to trust that the people you already trust to serve customers and to behave within the cultural norms of common business practice have no intention of deliberately causing mayhem in your IT systems.

Of course with privacy and data protections laws and regulations tightening around the globe, that doesn’t seem like much of a security strategy. Naturally, every technology that should be deployed will be deployed to protect an organisation, relative to its business type and risk profile.

But what do you do about people?

It actually doesn’t come up as much as you’d think when you consider the discussions, news and general information coming across your desktop on a daily basis in relation to IT security. We see lots about devices and software that protects organisations or we hear a lot about the results of a breach from some malicious actors.

But the reality is that educating, supporting and communicating with staff about IT security (and all that entails) absolutely builds a more resilient and protected organisation.
There are a few things worth considering. These include:

  • How do we onboard new staff and contractors?
  • How do we reinforce various policies?
  • How do we oversee or educate employees who have been with the business for a longer period about issues like phishing attacks, shadow IT, securing sensitive information in emails, and not plugging USB keys into devices on the network without a security scan (if it isn’t already automatic)?
  • How do we ensure the business can still do business (and people don’t throw up their hands in frustration and look for a new job) but we still stay in business?
  • How do we implement the relevant controls and tools that verify the trust we have placed in staff who have admin rights or access to privileged information?

Every company has its own approach, often built around international IT security standards.

However, dig below the surface and you can guarantee that in all but perhaps military-grade sites there are big gaps between what should be happening and what is happening.
If that weren’t true, there wouldn’t be an entire dark web sector raking in millions of dollars per year from various nefarious activities.

So what’s the answer?

To some extent (technology tools notwithstanding), trust remains the watchword.

Trust comes from the overarching culture leaders create within a business.

Engaged, positive and tribe-oriented people value and protect their own. People who are aligned with their organisation’s success and take pride in their work are less likely to deliberately steal or damage IT infrastructure and assets.

In most cases, accidents are captured by logging tools and security software, and many people will put their hand up and admit they did something they shouldn’t have if it was an honest mistake. And of course, trust can also be verified to a reasonable extent with best-in-class logging tools.

What this means, of course, is that any CISO worried about security on a daily basis (and I’m pretty sure that’s at the top of the job description) needs to keep one eye on how their organisation looks after and treats its people.

It may be that there’s not much we can do to influence a truly abysmal, pan-continental culture in a business, but we can certainly be aware of what that means when setting a security posture and conducting internal audits. For example, it would be prudent to review logs more assertively to verify staff activities and validate the trust levels that have been set.
It’s the difference between expecting and anticipating trouble.
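As an added example of what reviewing logs to validate trust levels can look like in practice (this is not code from Snare or Prophecy International), the Python below checks a handful of constructed Windows Security event records against an assumed trust baseline: who is expected to hold admin rights, who is allowed to change privileged group membership, and when admin logons are expected. The tab-separated record layout, the host and account names and the baseline are all assumptions made for the example; the event IDs 4624, 4672 and 4728 are real Windows Security event IDs, but the sample lines are constructed.

```python
"""Reviewing privileged-account activity in Windows Security event records.

Added example, not Snare's or Prophecy International's code. The record
layout (host, timestamp, event ID, account, detail, tab-separated) is a
constructed layout for this example and is NOT the real Snare agent format.
Event IDs 4624 (logon), 4672 (special privileges assigned to new logon) and
4728 (member added to a security-enabled global group) are real Windows
Security event IDs; the sample lines themselves are constructed.
"""
from collections import namedtuple
from datetime import datetime

Event = namedtuple("Event", "host time event_id account detail")
Finding = namedtuple("Finding", "kind account host time detail")

# Constructed sample records: host \t timestamp \t event ID \t account \t detail
SAMPLE_LOG = """\
FS01\t2018-06-04 09:12:03\t4624\tCORP\\jsmith\tLogon Type: 2
FS01\t2018-06-04 09:12:03\t4672\tCORP\\jsmith\tSpecial privileges assigned to new logon
DC01\t2018-06-04 22:47:10\t4624\tCORP\\jsmith\tLogon Type: 10
DC01\t2018-06-04 22:48:31\t4728\tCORP\\jsmith\tMember CORP\\tempvendor added to Domain Admins
FS02\t2018-06-05 10:05:44\t4672\tCORP\\svc_backup\tSpecial privileges assigned to new logon
FS02\t2018-06-05 10:06:02\t4624\tCORP\\agreen\tLogon Type: 2
"""

# Assumed trust baseline (hypothetical names): accounts expected to hold admin
# rights, the subset allowed to change privileged group membership, and the
# hours during which admin logons are expected.
APPROVED_ADMINS = {"CORP\\jsmith", "CORP\\agreen"}
APPROVED_GROUP_EDITORS = {"CORP\\agreen"}
BUSINESS_HOURS = range(7, 19)  # 07:00 to 18:59 local time


def parse_line(line):
    """Split one tab-separated record into an Event; raises on malformed input."""
    host, ts, event_id, account, detail = line.split("\t", 4)
    return Event(host, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                 int(event_id), account, detail)


def review(log_text, approved_admins=APPROVED_ADMINS,
           approved_group_editors=APPROVED_GROUP_EDITORS,
           business_hours=BUSINESS_HOURS):
    """Compare observed privileged activity against the trust baseline.

    Returns a list of Findings in log order. Three checks:
      * 4672 for an account outside the admin baseline: someone is exercising
        admin rights we did not know about.
      * 4624 by a baseline admin outside business hours: legitimate admins
        working at unusual times is exactly what a reviewer should look at.
      * 4728 by an account not approved to edit privileged groups: a change
        to who is trusted, made by someone not trusted to make it.
    """
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev.event_id == 4672 and ev.account not in approved_admins:
            findings.append(Finding("unexpected_admin_rights", ev.account,
                                    ev.host, ev.time, ev.detail))
        elif (ev.event_id == 4624 and ev.account in approved_admins
              and ev.time.hour not in business_hours):
            findings.append(Finding("off_hours_admin_logon", ev.account,
                                    ev.host, ev.time, ev.detail))
        elif ev.event_id == 4728 and ev.account not in approved_group_editors:
            findings.append(Finding("unapproved_group_change", ev.account,
                                    ev.host, ev.time, ev.detail))
    return findings


def findings_by_account(findings):
    """Group finding kinds per account so the reviewer sees who to talk to."""
    summary = {}
    for f in findings:
        summary.setdefault(f.account, []).append(f.kind)
    return summary


if __name__ == "__main__":
    found = review(SAMPLE_LOG)
    for f in found:
        print(f"{f.time:%Y-%m-%d %H:%M} {f.host:<5} {f.kind:<24} {f.account}  {f.detail}")
    print(findings_by_account(found))
```

On the sample data the review raises three findings: an approved admin logging on to a domain controller late at night and then adding an account to Domain Admins without being on the approved list of group editors, and a service account exercising admin privileges that nobody put in the baseline. That last hit is also the caveat: backup services legitimately hold privileges that trigger 4672 on every logon, so the baseline has to include expected service accounts or the review drowns in noise and the real conversations never happen.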