The benefits of application security (AppSec) tool integration in the continuous integration/continuous delivery (CI/CD) pipeline are greater the earlier (the “further left”) you perform them in the process. Development organizations are continuing to shift left to implement security earlier in the CI/CD pipeline. But software security group leaders need to know where AppSec tools should go in the CI/CD workflow, and their purposes in different phases.

GDPR best practices often focus on how to process and manage personal data, but companies should also consider application security to ensure compliance. The standard cliché used to be that you are what you eat. Which remains true, of course. But it’s also incomplete—so last century. Today, you are what you do online, which is almost everything.

Stay on top of open source vulnerabilities and license obligations with discovery capabilities from Black Duck.

Open source risk goes beyond application security. Legal, operational, and supply chain implications demand a capable solution like Black Duck SCA. Open source can be found in everything; nearly all applications in all industries are composed to some degree of open source. The introduction of more cloud-native applications, more open source usage as a whole, and the creation of more-complex applications mean organizations are facing increasing levels of risk.

Sometimes it’s hard to convince people that security needs to be part of every software development process. “We passed all our tests,” they might tell you. “Isn’t that good enough?” The problem is that functional testing usually focuses on the happy path—a place where users act rationally, systems behave well, and nobody is attacking your application.

The ROI of software security is difficult to calculate when the goal is to avoid a breach. Learn where to look for ROI in an AppSec program to maximize your investment. A common declaration at security conferences is that if organizations invest in software security, it will pay dividends. Indeed, “investment” implies a dividend.

The Common Vulnerability Scoring System (CVSS) can help you navigate the constantly growing ocean of open source vulnerabilities. But it’s difficult to lend your trust and put the security of your organization and your customers into the hands of a system that you may know very little about. Let’s take a closer look at the CVSS to see what it’s all about.

Design quality audits are sometimes overlooked in software due diligence, but they are vital to understanding the overall health of a company’s software system. When software is part of an M&A transaction, performing technical due diligence is a critical part of the process. There’s a lot to cover when it comes to software due diligence, and you can learn more by reading our take on the specific areas of the process, but today we’d like to discuss software quality.