For the current SoSS Report, Veracode analyzed 130,000 applications. A key finding: scans are a decisive factor. Using static analysis (SAST) through the API, companies resolve security flaws 17 days faster on average. […]
Frequent scans, a combination of static and dynamic analysis (DAST), the implementation of a regular scan rate, and the use of software composition analysis (SCA) with SAST lead to faster vulnerability fixes and increased application security.
In addition, outstaffing developers can influence application security through their choice of tools: open source software is a target for cybercriminals. At the same time, programs written in C++ and PHP represent an increased risk. According to the report, 59 percent of C++ applications have high or even very high security risks, and 53 percent of PHP applications do. Data leaks are the most common type of error that leads to a lack of application security. The challenge for developers in the future: identifying and resolving a wide range of security problems in an increasingly digitalized environment.
Agility and flexibility are necessary attributes for every developer today and in the future. In addition, comprehensive expertise helps not only to identify existing problems and risks, but also to remedy them. Therefore, developers should not only be able to develop programs in the future, but should also know the relevant quality criteria for them and be well versed in cybersecurity. They need to test their programs and fix any vulnerabilities discovered during the development process.
True security champions follow the DevSecOps approach: they combine knowledge and practices from software development, IT security and IT operations. This results in applications that are made as secure as possible during development. In addition, they can complete numerous tasks simultaneously at high speed and ensure uninterrupted deployment. A central DevSecOps practice, for example, is regular scanning, one of the largest deficits identified in the current SoSS report.
The right training and targeted security education for developers play a major role in the success of the new digital normality. Nevertheless, training in secure coding is almost non-existent at university level, although it should be a core component of any computer science and cybersecurity curriculum.
Here, the initiative of companies or of the developers themselves is needed, because superheroes in software development are curious: they think outside the box, always want to stay up to date, and continue to educate themselves. Security champions can help companies overcome this challenge by sharing knowledge between developers and security teams while championing developer training.
* Bernhard Lauer is, among other things, a freelance editor of dotnetpro and supervises the Basic Instinct section here. With Visual Basic he has been programming privately since version 1.0.