One Article Review

Home - The article:
Source Veracode
Identifiant 2146384
Publication date 2021-01-05 13:25:00 (seen: 2021-01-05 19:05:15)
Title Nature vs. Nurture Tip 3: Employ SCA With SAST
Text For this year's State of Software Security v11 (SOSS) report, we examined how both the "nature" of applications and how we "nurture" them contribute to the time it takes to close out a security flaw. We found that the "nature" of applications, like size or age, can have a negative effect on how long it takes to remediate a security flaw. But taking steps to "nurture" the security of applications, like using multiple application security (AppSec) testing types, can have a positive effect on how long it takes to remediate security flaws.

In our first blog, Nature vs. Nurture Tip 1: Use DAST With SAST, we explored how organizations that combine DAST with SAST address 50 percent of their open security findings almost 25 days faster than organizations that only use SAST. In our second blog, Nature vs. Nurture Tip 2: Scan Frequently and Consistently, we addressed the benefits of frequent and consistent scanning by highlighting the SOSS finding that organizations that scan their applications at least daily reduced time to remediation by more than a third, closing 50 percent of security flaws in 2 months. For our third tip, we will explore the importance of software composition analysis (SCA) and how, when used in conjunction with static application security testing (SAST), it can shorten the time it takes to address security flaws.

What is SCA and why is it important?

SCA identifies the open source components an application depends on and matches them against known vulnerabilities in those components. Some assume that open source code is more secure than first-party code because there are "more eyes on it," but that is often not the case. In fact, according to our SOSS report, almost one-third of applications have more security findings in their third-party libraries than in their primary code. Given that a typical Java application is 97 percent third-party code, this is a concerning statistic.

Since SCA is the only AppSec testing type designed to identify known vulnerabilities in the open source components you ship, if you don't employ SCA, you could find yourself the victim of a costly breach. In 2017, Equifax suffered a massive data breach through a vulnerability in the Apache Struts framework that compromised the data, including Social Security numbers, of more than 143 million Americans. Following the breach, Equifax's stock fell over 13 percent.

How can SCA with SAST shorten time to remediation?

If you are only using static analysis to assess the security of your code, your attack surface is likely bigger than you think. You need to consider third-party code as part of your attack surface, and that part is only uncovered by using SCA. By incorporating software composition analysis into your security testing mix, you can find and address more flaws. According to SOSS, organizations that employ "good" scanning practices (like SCA with SAST) tend to be more mature and further along in their AppSec journey, and organizations with mature AppSec programs tend to remediate flaws faster. For example, employing SCA with SAST cuts ti
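The matching step that SCA performs, shown as an added example that is not Veracode's code or any product's: list the third-party components an application declares, then compare each (name, version) against advisory records with an affected version range. The dependency listing format, the package names and the advisory records are constructed for illustration and describe no real release or advisory. The version-range check also handles the "1.4" versus "1.4.0" case that a naive comparison gets wrong.

```python
"""Minimal software composition analysis (SCA) matcher.

Added example, not Veracode's code or any product's. It shows the core step
every SCA tool performs: list the third-party components an application
declares, then match each (name, version) against advisory records that
carry an affected version range. The dependency listing, the package names
and the advisory records below are constructed for illustration and do not
describe real releases or real advisories.
"""
from __future__ import annotations

from dataclasses import dataclass


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '2.3.31' into (2, 3, 31) so versions compare numerically ('2.3.9' < '2.3.10')."""
    return tuple(int(part) for part in v.split("."))


def version_in_range(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed.

    Versions are zero-padded to the same length before comparing, so '1.4'
    and '1.4.0' are the same release; without that, '1.4' would sort below
    '1.4.0' and be wrongly reported as still affected.
    """
    parts = [parse_version(x) for x in (version, introduced, fixed)]
    width = max(len(p) for p in parts)
    v, lo, hi = (p + (0,) * (width - len(p)) for p in parts)
    return lo <= v < hi


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    package: str
    introduced: str  # first affected version, inclusive
    fixed: str       # first fixed version, exclusive
    summary: str


# Constructed advisory database: hypothetical ids, packages and ranges.
ADVISORIES = [
    Advisory("ADV-EXAMPLE-1", "web-framework", "2.3.5", "2.3.32",
             "remote code execution via crafted request header"),
    Advisory("ADV-EXAMPLE-2", "collections-util", "3.0", "3.2.2",
             "unsafe deserialization"),
    Advisory("ADV-EXAMPLE-3", "log-utils", "1.0", "1.4",
             "untrusted input reaches the format string"),
]


def parse_manifest(text: str) -> list[tuple[str, str]]:
    """Parse a flat 'group:artifact:version' listing (constructed format).

    Blank lines and '#' comments are skipped; any other shape is rejected
    rather than silently dropped, because a component the scanner cannot
    parse is a component it cannot vouch for.
    """
    deps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 3:
            raise ValueError(f"unrecognised dependency line: {line!r}")
        _group, artifact, version = fields
        deps.append((artifact, version))
    return deps


def scan(manifest_text: str, advisories: list[Advisory] = ADVISORIES) -> list[dict]:
    """Return one finding per (component, advisory) pair whose version range matches."""
    findings = []
    for artifact, version in parse_manifest(manifest_text):
        for adv in advisories:
            if adv.package == artifact and version_in_range(version, adv.introduced, adv.fixed):
                findings.append({
                    "package": artifact,
                    "version": version,
                    "advisory": adv.advisory_id,
                    "fixed_in": adv.fixed,
                    "summary": adv.summary,
                })
    return findings


# Constructed dependency listing for a hypothetical Java web application.
SAMPLE_MANIFEST = """
# third-party components
com.example:web-framework:2.3.31
com.example:collections-util:3.2.2
com.example:log-utils:1.2
# first-party component, nothing for SCA to match
com.example:app-core:1.0.0
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_MANIFEST):
        print(f"{f['package']}@{f['version']}: {f['advisory']} ({f['summary']}), fixed in {f['fixed_in']}")
```

Running the block reports two of the four components: web-framework 2.3.31 (one release short of the fixed version) and log-utils 1.2, while collections-util 3.2.2 is clean because it sits exactly at the fixed version. None of these would surface from static analysis of the first-party code alone, which is the point the article makes about third-party code being part of the attack surface. Real SCA tools go further than a declared manifest: they fingerprint bundled jars and transitive dependencies, since the component that is actually shipped is what matters.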
Sent Yes
Tags Data Breach
Stories Equifax


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.