July 30, 2018

Veracode Dynamic Analysis Helps You Check Your Security Headers

By Saikrishna Chavali

Veracode Dynamic Analysis helps you follow Google I/O 2018 security recommendations

I've been binging on the Google I/O 2018 videos. I guess every web geek does! One video caught my attention: Google Chrome security team's improvements to fight off the Spectre & Meltdown "celebrity" vulnerabilities. They're using software at the browser level to mitigate against a hardware vulnerability. How cool is that?

Just like Google, Veracode has been beating the drum on the importance of security headers here in 2012, 2013 and 2014. Google calls out the Site Isolation feature, cross-origin read blocking, cookie restrictions, high-resolution timers, and the Google V8 JavaScript engine. Read more here.

However, Chrome security cannot make the web safer on its own. It needs web developers to help defend against the Spectre vulnerability and future software vulnerabilities. To that end, Chrome security recommends a set of website configuration best practices. This is where Veracode Dynamic Analysis comes in!

Best part, no new workflows! Just run your Dynamic Analysis scans as usual to verify your web developers are using the website configuration best practices. Checking these security headers is just one of the many vulnerability checks we have to help you safeguard modern web applications.

Veracode Dynamic Analysis checks that the following security headers are set correctly. Some of these were called out by Google Chrome in their Google I/O 2018 talk.

SECURITY HEADER                                                  | CWE ID   | CWE NAME
-----------------------------------------------------------------|----------|-----------------------------------------------
X-Content-Type-Options                                           | 16       | Configuration
X-Frame-Options                                                  | 16 & 693 | Configuration & Protection Mechanism Failure
Strict-Transport-Security                                        | 16       | Configuration
Access-Control-Allow                                             | 668      | Exposure of Resource to Wrong Sphere
Content Security Policy directives (including SameSite Cookie)   | 352      | Cross-Site Request Forgery (CSRF)

For more information on setting them up correctly and common misconfigurations, check out our blog post here.
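To make the table concrete, here is an added example (not Veracode's scanner, and not code from the post) that evaluates one HTTP response's headers against the same five checks: X-Content-Type-Options must be nosniff, X-Frame-Options must be DENY or SAMEORIGIN, Strict-Transport-Security needs a positive max-age, a wildcard Access-Control-Allow-Origin must not be combined with credentials, a Content-Security-Policy must be present, and every Set-Cookie must carry a SameSite attribute (the SameSite check is applied to Set-Cookie rather than to CSP, since that is where the attribute lives). The header expectations follow common guidance rather than any documented Veracode rule, and the two sample responses are constructed for illustration.

```python
"""Check one HTTP response's headers for the configurations listed above.

Added example; the WEAK_HEADERS / HARDENED_HEADERS responses are constructed,
and the expectations below are common guidance, not Veracode's rule set.
"""
from typing import Dict, List, Optional, Tuple

SAFE_FRAME_OPTIONS = {"deny", "sameorigin"}


def _directive(value: str, name: str) -> Optional[str]:
    """Return the value of `name=...` inside a ';'-separated header, or None."""
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key.strip().lower() == name:
            return val.strip()
    return None


def check_headers(headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (header, problem) findings for a response.

    `headers` maps header names (any case) to values; when a response carries
    several Set-Cookie headers, join them with "\n" before calling.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[Tuple[str, str]] = []

    # CWE-16: without nosniff, browsers may MIME-sniff a response into script
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append(("X-Content-Type-Options", "missing or not 'nosniff'"))

    # CWE-16 / CWE-693: framing by other sites enables clickjacking
    if h.get("x-frame-options", "").strip().lower() not in SAFE_FRAME_OPTIONS:
        findings.append(("X-Frame-Options", "missing or not DENY/SAMEORIGIN"))

    # CWE-16: HSTS only takes effect with a positive max-age
    max_age = _directive(h.get("strict-transport-security", ""), "max-age")
    if max_age is None or not max_age.isdigit() or int(max_age) <= 0:
        findings.append(("Strict-Transport-Security", "missing or max-age not positive"))

    # CWE-668: wildcard origin plus credentials exposes the response cross-site
    acao = h.get("access-control-allow-origin", "").strip()
    creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    if acao == "*" and creds:
        findings.append(("Access-Control-Allow-Origin", "wildcard origin with credentials"))

    # CWE-352: a cookie without SameSite rides along on cross-site requests
    for cookie in filter(None, h.get("set-cookie", "").split("\n")):
        if _directive(cookie, "samesite") is None:
            findings.append(("Set-Cookie", f"no SameSite attribute: {cookie.split('=')[0]}"))

    if "content-security-policy" not in h:
        findings.append(("Content-Security-Policy", "missing"))
    return findings


# Constructed sample responses: one typical misconfiguration, one hardened.
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Set-Cookie": "session=abc123; Path=/",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
}
HARDENED_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Access-Control-Allow-Origin": "https://app.example.com",
    "Access-Control-Allow-Credentials": "true",
    "Set-Cookie": "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Content-Security-Policy": "default-src 'self'",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, check_headers(hdrs) or "no findings")
```

Run it and the weak response yields six findings, one per row of the table (plus the missing CSP), while the hardened response yields none. Because the checker only needs a header dictionary, the same function can be fed live responses from `urllib` or `requests` to verify a deployment on a regular cadence, which is the "trust but verify" step the post argues for.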

How often do you hear the phrases “Zero Trust” or “Trust but Verify” bandied about? It’s so true in application security. We should enable our developers to do the right thing. But we have to verify, either before production releases or on a regular cadence in production. At Veracode, we happen to favor using our Dynamic Analysis for such purposes! 

P.S. If you want to watch the Google I/O talk in full, see this YouTube link: https://www.youtube.com/watch?v=dBuykrdhK-A

By Saikrishna Chavali

Harnessing and securing the power of the web for the past decade. Currently, Senior Product Manager for application layer Information Security products. These products help web developers and Information Security professionals make the everyday web applications we use more secure. Prior to this, harnessed the power of web in digital search advertising, just as the programmatic advertising revolution was taking off.