Open-source software has become a vital part of development in the last decade. However, utilising these components often comes with several caveats, such as potential security risks or legal issues with licences. Software Composition Analysis (SCA) is an automated process that scans codebases for open-source software.
At first glance, DevSecOps and Agile can seem like different things. In reality, the methodologies often complement each other. Let’s see how. Agile is a methodology that aims to give teams flexibility during software development. DevSecOps is about adding automated security to an existing automated software development process. Both are methodologies that require high levels of communication between different stakeholders and continuous improvement as part of the process.
Nowhere is this more apparent than in DevSecOps, where developers and releases outnumber security experts by thousands to one. It’s simply not feasible for security teams to manually tackle flagged issues with any kind of accuracy and still have any time left in the day to, you know, eat and sleep!
I recently ran an unofficial poll on LinkedIn asking how people found every instance of Log4J in their application portfolio. The options I gave were CMDB (Configuration Management Database), SBOM (Software Bill of Materials), SCA (Software Composition Analysis), and internal detective work. The overwhelming majority, 54% to be exact, said internal detective work. These results got me thinking as organizations spend millions of dollars a year on CMDB, SBOM, and SCA technologies.
Software development cycles have changed immensely in the last ten years. New practices and design philosophies are being tried every day. One of these practices is CI/CD pipelines, which combine aspects of agile software development with automation and robust testing. In this post, we’ll be covering all aspects of CI/CD, as well as some popular CI/CD tools your organization can use to implement a CI/CD pipeline.
Everyone’s development process is different, so it stands to reason that everyone’s ideal security toolkit will also be different. But finding the right tools to suit your project, and making the most of those tools, shouldn’t have to be a headache. In the field of application security, there are literally thousands of security tools to choose from that may help the development, security, and longevity of your projects.