Veracode has released the findings in its annual State of Software Security Report (SoSS). The seventh edition of the report presents metrics drawn from code-level analysis of billions of lines of code across 300,000 assessments performed over the last 18 months. The report revealed that the continued and persistent use of components in software development is creating systemic risk in our digital infrastructure. However, they also found that companies achieve accelerated benefits when their application security programs reach maturity. These findings indicate that the growing trend of focusing on digital risk at the application layer and building security into DevOps processes (DevSecOps) can yield great results for organizations in reducing risk without slowing down software development.
A few key highlights:
- 97 percent of Java applications
have at least one vulnerability due to the reuse of software components
- Healthcare is still struggling to fix vulnerabilities despite a string of breaches. Government however seems to have learned its lesson from OPM and is fixing its security holes
- Commercially developed applications are less secure than ones developed in-house. 75 percent of commercial applications fail basic security checks compared to 61 percent of internally developed applications
Their analysis revealed the growing risk caused by the proliferation of vulnerable open-source components
. Veracode found that a single popular component with a critical vulnerability spread to more than 80,000 other software components, which were in turn then used in the development of potentially millions of software programs. Approximately 97 percent of Java applications contained at least one component with a known vulnerability.
The research also highlights the challenges that still exist in software development more broadly. For example, 60 percent of applications failed basic security requirements upon first scan. However, the report found that when companies follow best practices and implement programs with consistent policies and practices for secure development, they are able to remediate vulnerabilities at a higher rate. The study showed that the top quartile of companies fix almost 70 percent more vulnerabilities than the average organization. Additionally, best practices like remediation coaching and eLearning can improve vulnerability fix rates by as much as six-times. Developers who test unofficially using Developer Sandbox
scanning improve policy-based vulnerability fix rates by about two-times.
Read more: http://interactive.veracode.com/state-of-software-...
Are you paying more taxes than you have to as a developer or freelancer? The IRS is certainly not going to tell you about a deduction you failed to take, and your accountant is not likely to take the time to ask you about every deduction you’re entitled to. As former IRS Commissioner Mark Everson admitted, “If you don’t claim it, you don’t get it.
Get hands-on experience in performing simple to complex mobile forensics techniques Retrieve and analyze data stored not only on mobile devices but also through the cloud and other connected mediums A practical guide to leveraging the power of mobile forensics on popular mobile platforms with lots of tips, tricks, and caveats.
The Chirp GPS app is a top-ranked location sharing app available for Apple and Android that is super easy to use, and most of all, it's reliable.
Write and run code every step of the way, using Android Studio to create apps that integrate with other apps, download and display pictures from the web, play sounds, and more. Each chapter and app has been designed and tested to provide the knowledge and experience you need to get started in Android development.