Software Security Guide

Securing an application is just as important as building it in the first place. As data becomes more valuable, more people want to steal it and use it for their own gain.

Making sure applications are actually secure has always been a challenge, as attackers try to stay one step ahead of defenders. When organizations ran their applications in their own data centers, network firewalls were an effective way of keeping attackers out. The growth of the Internet brought web applications, which expose an organization's code and data to anyone with a browser, so the network perimeter alone no longer protects them.

Further, the increased speed of feature delivery stresses security teams trying to prevent hacks and data breaches. Today, with more modular applications, edge computing and heavier use of open-source software, that challenge has only become more difficult: attackers have more attack surface to target than ever before. The articles collected below cover the threats organizations face as they work to secure their applications, data and systems, and the tools and practices emerging to counter them.

IT and development teams must work together to ensure that their applications and systems are secure. On the development side, security touches nearly every step of the process, from planning through development to testing and deployment. Automating security checks in that pipeline helps organizations keep up.

New report finds signs of slowing supply chain security momentum, plateaued DevOps maturity

The number of security challenges companies are facing continues to grow, but organizations are beginning to display signs of “AppSec exhaustion,” or decreased engagement in security practices. This is according to Snyk’s new State of Open Source report, which found that dependency tracking and code ship frequency have remained largely unchanged since last year. There … continue reading

The top 25 weaknesses in software in 2024

MITRE recently released its yearly list of the 2024 CWE Top 25 Most Dangerous Software Weaknesses. This list differs from lists of the most common vulnerabilities: it does not catalog individual vulnerabilities, but rather the underlying weaknesses in design and implementation that give rise to them. “By definition, code injection is an attack, … continue reading

Report: Less complex applications are more likely to have security vulnerabilities than their more complex counterparts

While one might anticipate that the more complex an application is, the more likely it is to have security vulnerabilities, a recent analysis from Black Duck found the opposite to be true.  Its 2024 Software Vulnerability Snapshot report analyzed data from 200,000 dynamic application security testing scans for 1,300 applications across 19 different industry sectors.  … continue reading

Report: Only 1 in 5 organizations have full visibility into their software supply chain

Several high profile software supply chain security incidents over the last few years have put more of a spotlight on the need to have visibility into the software supply chain. However, it seems as though those efforts may not be leading to the desired outcomes, as a new survey found that only one out of … continue reading

Google researchers successfully found a zero-day vulnerability using LLM-assisted vulnerability detection

One of Google’s security research initiatives, Project Zero, has successfully managed to detect a zero-day memory safety vulnerability using LLM-assisted detection. “We believe this is the first public example of an AI agent finding a previously unknown exploitable memory-safety issue in widely used real-world software,” the team wrote in a post. Project Zero is … continue reading

OpenSSF updates its Developing Secure Software course with new interactive labs

The Open Source Security Foundation (OpenSSF) is updating its Developing Secure Software (LFD121) course with new interactive learning labs that provide developers with more hands-on learning opportunities.  LFD121 is a free course offered by OpenSSF that takes about 14-18 hours to complete. Any student who passes the final exam gets a certificate that is valid … continue reading

Microsoft makes improvements to the passkey experience on Windows 11

Microsoft is making it easier to use passkeys on Windows 11 by introducing a way for third-party passkey providers to integrate with Windows’ passkey system, improving the user experience for creating and using passkeys, and adding the ability to sync passkeys across multiple Windows 11 devices. Passkeys are a safer alternative to passwords where users … continue reading

The state of open source maintainers

Paid open source maintainers do significantly more security and maintenance work than unpaid maintainers, yet 60% of all maintainers remain unpaid, according to the 2024 State of the Open Source Maintainer report from Tidelift. “The health and security of our global software infrastructure depends on open source maintainers,” Donald Fischer, co-founder and CEO, Tidelift, said in an announcement … continue reading

JFrog helps developers improve DevSecOps with new solutions and integrations

At its annual user conference, swampUp, the DevOps company JFrog announced new solutions and integrations with companies like GitHub and NVIDIA to enable developers to improve their DevSecOps capabilities and bring LLMs to production quickly and safely.  JFrog Runtime is a new security solution that enables developers to discover vulnerabilities in runtime environments. It monitors … continue reading

GitHub’s Copilot Autofix generates remediation fixes for code vulnerabilities

GitHub is rolling out a new feature to not only help developers find vulnerabilities, but fix them quickly.  Copilot Autofix in GitHub Advanced Security (GHAS) analyzes vulnerabilities, explains their importance, and offers suggestions on how to remediate them.  “For developers who aren’t necessarily security experts, Copilot Autofix is like having the expertise of your security … continue reading

Q&A: 10 emerging technologies to watch in 2024

Every year, Forrester puts together a list of 10 emerging technologies to watch. This year’s list was released in June, and in the most recent episode of our podcast, What the Dev?, we were able to sit down with Brian Hopkins, VP of Emerging Tech Portfolio at Forrester, about the list. Here is an edited … continue reading

Google launches new knowledge base for remediating vulnerabilities in Android apps

In an effort to reduce the number of vulnerabilities in Android apps, Google is introducing the Android Application Security Knowledge Base (AAKB). The AAKB includes a database of common code issues, complete with examples of how to remediate them and explanations of how to implement specific code patterns. Google already scans Android apps for … continue reading
