Veracode today released its findings from its annual State of Software Security Report, which revealed that the persistent use of components in software development is creating unmanaged risk. The report also found that companies can benefit if they accelerate their application security programs.
Veracode found that a single popular component with a critical vulnerability spread to more than 80,000 other software components, according to the report. Those infected components were used in millions of software programs, with approximately 97% of Java applications containing at least one component with a vulnerability, said the report.
Other key findings included best practices like remedial coaching and e-learning can improve vulnerability fix rates, and that 60% of applications fail security policies upon first scan. Also in the report, developers are using sandbox technology to scan their apps prior to assurance testing, which shows 2x improvement fix rates, said the report.
More findings from the security report can be found here.
Symphony Software Foundation announces Open Developer Platform
Symphony Software Foundation announced the upcoming availability of an Open Developer Platform that will give the foundation members and developers open development access to the Symphony API, as well as tools for a better development experience.
“Open source fueled the cloud and Big Data revolutions,” said Gabriele Columbro, executive director of the Symphony Software Foundation. “As a result, financial institutions and financial tech firms are now increasingly considering this approach to drive faster innovation, pervasive adoption and superior integration capabilities, while lowering development cost.”
The offering also lowers the barrier for financial institutions to collaborate on the platform under the foundation’s governance, according to Suresh Kumar, CIO of BNY Mellon, a member of the foundation and the Open Developer Program. The foundation also hosts open-source development of the Symphony platform, bots and apps on the Symphony Platform, along with technologies common to the financial service industry.
DevExpress open-sources TestCafe
DevExpress is releasing the core library of its automated in-browser testing solution into open source. TestCafe is the company’s node.js testing framework for Web apps.
“Now everyone in the open-source community can benefit from the technologies we developed for the commercial version,” the company wrote in a blog post.
TestCafe is designed to handle everything from starting the browser, running tests, getting results, and generating reports.
Sonatype updates Nexus Platform
The supply chain automation provider Sonatype is giving its Nexus platform npm and JavaScript intelligence. The company has updated the solution with npm and JavaScript components in order to help organizations deliver higher-quality software with DevOps automation at scale.
“Scaling a modern software supply chain requires deep intelligence that is precise enough to automatically weed out vulnerable, outdated, and defective open-source components and packages,” said Wayne Jackson, CEO of Sonatype. “Our customers operate in a polyglot world, and that’s why we’re continuously investing to deliver the world’s best component intelligence, not just for Java, but for JavaScript, .NET, RubyGems, PyPI, and other formats as well.”