As the number of known vulnerabilities continues to grow every year, software development and application security teams are increasingly relying on vulnerability detection tools throughout development. The result: teams are often overwhelmed with a steady stream of security alerts that must be addressed, and it’s becoming clear that it’s impossible to attempt to fix everything.
Over five years ago, Adrian Bridgwater wrote a Forbes article pronouncing that “If Software Is Eating The World, Then Open Source Will Chew It Up (And Swallow).” That statement is just as true today. Open source components have become a basic building block for software developers, providing them with ready-made solutions from a vast community that help them keep up with today’s speedy and frequent release cycles.
Open source is everywhere. Everyone is using it. Open source code is found in almost every proprietary software offering on the market and is estimated to make up on average 60%-80% of all software codebases in 2020. Why the proliferation? Open source libraries help developers write code faster to meet the increasingly shorter release cycles under DevOps pipelines. Instead of writing new code, developers leverage existing open source libraries to quickly gain needed functionality.
Today’s software development life cycle includes a variety of quality and security testing techniques at every stage. Frequent testing throughout the DevOps pipeline is imperative considering the ever-increasing pace of development. One of the most common testing methods that companies use to ensure the products they are pushing out are secure and high-quality is black box testing.
Your open source usage is out of control. Sure, it’s helping you develop your product faster and getting new releases out the door in days instead of months, but now your code base is made up of 60% or more open source components. And that percentage is only growing. The application layer continues to be the most attacked, so you know you need to stay on top of vulnerabilities.
Shifting left quality and security testing has finally become a practice that organizations are embracing. But even before testing the code comes code review, beginning at the earliest stages of development. Code review is essential for detecting and remediating code defects and errors before production, when they are relatively easy and less expensive to address.
Many software developers tend to see patch management as another tedious security task that gets in the way of the development process. However, considering Forresters’s recent State of Application Security Report for 2020 predicted that application vulnerabilities will continue to be the most common external attack method, patch management is a critical part of the vulnerability management process that organizations can’t afford to neglect.
The application layer continues to be the most attacked and hardest to defend in the enterprise software stack. With the proliferation of tools aimed at preventing an attack, it’s no wonder the application security testing market is valued at US 4.48 billion. Forrester’s market taxonomy breaks up the application security testing tools market into two main categories: security scanning tools and runtime protection tools.
