The Cyber Resilience Act (CRA) is a new cybersecurity regulation that aims to ensure the security of “products with digital elements” (PDEs) sold in the EU market.

Today at RSA Conference 2024, Mend.io and Sysdig unveiled a joint solution targeted at helping developers, DevOps, and security teams accelerate secure software delivery from development to deployment. The integration incorporates the exchange of runtime insights and application ownership context between Sysdig Secure and Mend Container to provide users with superior, end-to-end, and risk-based vulnerability prioritization and remediation across development and production environments.

Web applications serve as the backbone of business operations, and the rise in cyber threats has put a spotlight on vulnerabilities that can compromise the integrity and confidentiality of web applications. But where to start? Security frameworks can help security and development teams understand the top risks and how to harden their applications against them, while guiding technical professionals on how to protect their applications against attacks.

Containers are integral to modern application development portability, resource efficiency, and ease of deployment. But there is a flip side to these benefits. Unlike traditional applications, containers bundle everything needed to run, making them a scattered setup for hidden security issues. 54% of container images in Docker Hub were found to contain sensitive information that could lead to unauthorized access, data breaches, or identity theft.

A Software Bill of Materials (SBOM) inventories all of the open source components and other third-party libraries within a codebase. Much like IKEA instructions explain which parts are included in the package for your new furniture, an SBOM describes all of the third party components in your codebase. Most SBOMs contain the following information about the make-up of an application: Security vulnerabilities: a key use case for SBOM is understanding the security risks of third party components.

As cybersecurity becomes increasingly important in software development, the “shift left” security approach is widely recognized as a best practice for ensuring superior application security. Numerous traditional security firms are introducing shift-left products and capabilities, and the concept is gaining traction. However, some open source application security tools are more developer-friendly than others.

In the race for technological innovation, companies often sprint toward product launches but find themselves in a marathon when fixing vulnerabilities. This dichotomy poses a significant challenge, especially with the ever-increasing security loopholes. CISA recommends addressing critical issues in less than 15 days, but it may be wishful thinking. IT teams are inundated with an ever-increasing volume of security alerts, making it challenging to prioritize and address each one effectively.

In this new series, CJ May shares his expertise in implementing secure-by-design software processes. The second part of his DevSecOps program is all about implementing secure-by-design software pipelines.

Cloud workloads continue to grow as new digital innovations arise monthly in the worlds of IoT applications, cloud services, and big data analytics. However, the cloud's dynamic and often complex nature can make cloud application security challenging. This gap in cloud security readiness is a growing concern for organizations worldwide, with CISOs feeling the pressure. 61% of CISOs feel unequipped to cope with a targeted attack, and 68% expect such an attack within the following year.

Developers are responsible for mitigating risk of web applications through secure software development. This requires a culture of secure software development, which can be promoted with tactics that engage developers in the security process.