The Benefits of Software Composition Analysis

Software composition analysis (SCA) lets organizations inventory the third-party and open-source components integrated into their applications. For each component, it identifies:

  • Open security CVEs (if any)
  • Licenses
  • Out-of-date library versions and age

SCA answers the question, "Are any of my organization's applications relying on a vulnerable library?" Backed by a centralized application security platform and executive-level dashboards that give a holistic view of the organization's application security posture, it also lets teams track remediation trends and improve their remediation rate and time-to-fix.
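The three checks above (known advisories, license policy, and version age) are simple to express once a component inventory exists. The following is an added example, not code from the original page or from any SCA vendor: it parses a constructed pip-style manifest and matches each component against a constructed advisory feed, a constructed license inventory with an allowlist, and a constructed "latest release" index. Package names, advisory identifiers, version ranges, license assignments and release years are all invented for illustration, and only numeric dotted versions are handled.

```python
"""Minimal software-composition-analysis pass over a dependency manifest.

Added example. The manifest, advisory feed, license inventory and
release index below are constructed for illustration; a real SCA tool
reads a lockfile and queries a vulnerability database instead.
"""
from dataclasses import dataclass

# Constructed manifest (pip-style "name==version" lines).
MANIFEST = """\
requests==2.19.1
pyyaml==5.1
flask==1.1.2
leftpad-clone==0.0.3
"""

# Constructed advisory feed: (package, introduced, fixed, identifier).
# A component is affected when introduced <= installed < fixed.
ADVISORIES = [
    ("requests", "0.0.0", "2.20.0", "ADV-0001"),
    ("pyyaml", "0.0.0", "5.4", "ADV-0002"),
    ("flask", "0.0.0", "0.12.3", "ADV-0003"),  # already fixed in 1.1.2
]

# Constructed license inventory and the allowlist a policy might use.
LICENSES = {"requests": "Apache-2.0", "pyyaml": "MIT",
            "flask": "BSD-3-Clause", "leftpad-clone": "AGPL-3.0"}
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause"}

# Constructed "latest release" index and release years of installed versions.
LATEST = {"requests": "2.31.0", "pyyaml": "6.0",
          "flask": "3.0.0", "leftpad-clone": "0.0.3"}
RELEASE_YEAR = {("requests", "2.19.1"): 2018, ("pyyaml", "5.1"): 2019,
                ("flask", "1.1.2"): 2020, ("leftpad-clone", "0.0.3"): 2016}
MAX_AGE_YEARS = 5  # assumed policy threshold for flagging a stale component


@dataclass
class Finding:
    package: str
    version: str
    kind: str      # "vulnerability", "license", "outdated" or "stale"
    detail: str


def parse_version(v: str) -> tuple:
    """'2.19.1' -> (2, 19, 1); tuples compare component-wise (assumes
    purely numeric dotted versions, no pre-release suffixes)."""
    return tuple(int(part) for part in v.split("."))


def parse_manifest(text: str) -> dict:
    """Map package name -> pinned version, ignoring blanks and comments."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        deps[name.strip().lower()] = version.strip()
    return deps


def analyze(manifest_text: str, now_year: int = 2024) -> list:
    """Run the advisory, license, currency and age checks over a manifest."""
    findings = []
    for name, version in parse_manifest(manifest_text).items():
        installed = parse_version(version)

        # 1. Known advisories: installed version inside an affected range.
        for pkg, introduced, fixed, adv_id in ADVISORIES:
            if pkg == name and parse_version(introduced) <= installed < parse_version(fixed):
                findings.append(Finding(name, version, "vulnerability",
                                        f"{adv_id} (fixed in {fixed})"))

        # 2. License policy: anything outside the allowlist (or unknown) is flagged.
        lic = LICENSES.get(name, "UNKNOWN")
        if lic not in ALLOWED_LICENSES:
            findings.append(Finding(name, version, "license", lic))

        # 3. Currency: a newer release exists than the one pinned.
        latest = LATEST.get(name)
        if latest and installed < parse_version(latest):
            findings.append(Finding(name, version, "outdated", f"latest is {latest}"))

        # 4. Age: the pinned release is older than the policy threshold,
        #    which catches unmaintained components that have no newer release.
        year = RELEASE_YEAR.get((name, version))
        if year is not None and now_year - year > MAX_AGE_YEARS:
            findings.append(Finding(name, version, "stale",
                                    f"released {year}, {now_year - year} years old"))
    return findings


def vulnerable_packages(findings: list) -> list:
    """Sorted names of components with at least one open advisory."""
    return sorted({f.package for f in findings if f.kind == "vulnerability"})


if __name__ == "__main__":
    for f in analyze(MANIFEST):
        print(f"{f.kind:13} {f.package}=={f.version}: {f.detail}")
```

A real advisory feed expresses affected ranges per ecosystem (for example semver ranges or distro-specific version strings), so the version parser is the part that needs the most care in practice; a false match or miss here is exactly the kind of inaccuracy that erodes trust in findings.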

The Curious Case of False Positives in Application Security

Over the past year, data breaches through web, business, and mobile application exploitation have continued to run rampant. In 2018, major household names like Ticketmaster, the United States Postal Service (USPS), Air Canada, and British Airways were hit by application-based exploits. To minimize vulnerabilities, and to identify existing ones before they can do this level of damage, application security solutions need to be fast, need to provide good coverage across all classes of vulnerabilities, and, more importantly, need to be highly accurate to be useful to DevOps application development teams. Providing results quickly but less accurately is counter-productive to an efficient and successful application security program: the engineering time spent triaging false positives far outweighs the benefit of faster results.

Most automated application security testing solutions can scan thousands of applications containing millions of lines of code and can produce results containing millions of attack vectors. But every application is different (different functionality, code, size, and complexity), so the security findings differ significantly in volume and in accuracy. Moreover, picking the single scanned application with the best accuracy out of many and presenting that figure as the tool's accuracy is misleading. Even an average would be misleading, because it measures only the limited set of applications that the vendor's solution happened to scan and is therefore not comparable to the accuracy of other solutions.

Mobile DevOps Metrics that Matter

Creating a secure DevOps culture helps companies accelerate mobile app release cycles and securely deliver the new features and capabilities that users crave. Automating the continuous integration/continuous delivery (CI/CD) pipeline speeds time to market to meet the demands of the business.

But app store ratings and reviews aren't the only important measures of performance. As more NowSecure customers embark on the journey to DevOps, they increasingly focus on a few key performance indicators.

Will Our Software Bankrupt Us? [Interview]

In this interview, Jeff and I talk to Herb Krasner about his recent study, "The Cost of Poor Quality Software in the US." We ask him what led him to this research, he walks us through some of the key insights, and we discuss the notion that we may not be able to afford the software that runs our businesses. You can listen to the full interview here.

Pete Pizzutillo: Herb, thanks for joining us today. Before we get into our discussion on "The Cost of Poor Quality Software," you have a rich background in software engineering and research; can you walk us back through how you ended up here?

What Goals Are Right for Your AppSec Program?

Clear objectives and goals are key to success for any initiative, and AppSec is no exception. But many organizations struggle to establish application security goals or focus on the wrong goals to the detriment of their program. Below, we outline factors to consider when creating goals for your application security program.

Metrics

At a high level, the goals for your AppSec program should focus on a set of core metrics: