As the world rightly salutes its front-line medical professionals, first responders, military and police, factory workers, delivery drivers, construction teams, repair technicians, store clerks, farmers, truckers, pharmacists, cooks, and the millions of others who continue to put themselves at the center of the conditions brought on by COVID-19, we should not forget the people working tirelessly to keep the technology that maintains some sense of normalcy working as intended. It is time to say thank you to our software developers. Many may not realize that developers are at the forefront of a digital transformation that has suddenly been kicked into overdrive before our eyes. We easily forget that software sits at the heart of local and global transportation systems, farming and food-processing infrastructure, utility and energy generation and delivery, critical chemical and supply organizations, and life-saving medical and testing facilities. The software developers create touches far more than the things we can see in our homes and within our immediate line of sight. For example, developers are building applications for tracing and monitoring the contacts of people infected with COVID-19 and for dynamically expanding service capacity to support infection-rate modeling. As organizations and everyday people increase their use of distance-enabling technologies such as video conferencing tools, and malicious actors accordingly move those tools higher on their target lists, developers, together with their colleagues in IT and security, are prioritizing rapid security patching whenever issues are discovered that put users at risk. And as developers continue to deliver software under growing demands for both speed and security, they are running critical vulnerability scans before and after deployment.
As demand for software-driven products and services grows, the pressure on organizations, and on developers in particular, to deliver software faster than ever has never been higher. But what about security? The question inevitably becomes: what security measures must be in place before new software is released into the world?
Recommendations: Our experts at Checkmarx (and other third-party experts) recommend that organizations, at a minimum, perform the following:
- Static application security testing (SAST) scans of source code, using both an incremental and a full scan approach during the code, check-in, and build stages (incremental scans keep feedback at check-in fast; the full scan at build catches issues that cross files changed in different commits); AND
- Software composition analysis (SCA) during the build and test/QA stages, to identify the open source components that have been introduced and any known vulnerabilities in them.
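The following is an added example, not Checkmarx's code or tooling, showing how the two recommendations above fit into a CI gate: a toy SAST pass that scans only changed files at the code/check-in stages and every source file at the build stage, and a toy SCA pass at the build and QA stages that matches pinned dependency versions against an advisory list. The regex rules, the repository snapshot in `FILES`, the `REQUIREMENTS` manifest, the package names, and the `EXAMPLE-ADV-*` advisory identifiers are all constructed for the example; a real SAST engine analyses data flow rather than matching patterns, and a real SCA feed would be fetched from a vulnerability database.

```python
# Added example (not Checkmarx's code): a minimal CI security gate that
# applies the SAST and SCA recommendations above. The rules, files,
# packages and advisory identifiers below are constructed for illustration.
import re
from dataclasses import dataclass

SOURCE_EXT = (".py",)

# Toy SAST rules: (pattern, finding name). Real SAST engines analyse data
# flow; these regexes only show where the scan sits in the pipeline.
SAST_RULES = [
    (re.compile(r"\beval\("), "use of eval()"),
    (re.compile(r"shell\s*=\s*True"), "subprocess with shell=True"),
]


@dataclass(frozen=True)
class Advisory:
    package: str
    fixed_in: str       # first version that is NOT affected
    advisory_id: str    # constructed identifier, not a real CVE


# Constructed advisory list for the example.
ADVISORIES = [
    Advisory("examplelib", "2.4.1", "EXAMPLE-ADV-1"),
    Advisory("toyparser", "1.0.0", "EXAMPLE-ADV-2"),
]


def version_key(version):
    """Turn 'x.y.z' into a tuple so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def parse_requirements(text):
    """Parse 'name==x.y.z' lines; ignore blanks and comments; reject unpinned."""
    pinned = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.fullmatch(r"([A-Za-z0-9_.-]+)==(\d+(?:\.\d+)*)", line)
        if not match:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        pinned[match.group(1).lower()] = match.group(2)
    return pinned


def sast_scope(stage, changed_files, all_files):
    """Incremental scope at code/check-in, full scope at build."""
    pool = changed_files if stage in ("code", "checkin") else all_files
    return sorted(f for f in pool if f.endswith(SOURCE_EXT))


def run_sast(files, contents):
    """Apply the toy rules line by line; return (path, line, finding) tuples."""
    findings = []
    for path in files:
        for lineno, line in enumerate(contents[path].splitlines(), 1):
            for pattern, name in SAST_RULES:
                if pattern.search(line):
                    findings.append((path, lineno, name))
    return findings


def run_sca(requirements_text):
    """Flag pinned packages whose version is below the advisory's fix."""
    pinned = parse_requirements(requirements_text)
    findings = []
    for adv in ADVISORIES:
        version = pinned.get(adv.package)
        if version is not None and version_key(version) < version_key(adv.fixed_in):
            findings.append((adv.package, version, adv.advisory_id))
    return findings


def gate(stage, changed_files, all_files, contents, requirements_text):
    """Return (passed, report). SAST at code/checkin/build; SCA at build/qa."""
    report = {"stage": stage, "sast": [], "sca": []}
    if stage in ("code", "checkin", "build"):
        scope = sast_scope(stage, changed_files, all_files)
        report["sast"] = run_sast(scope, contents)
    if stage in ("build", "qa"):
        report["sca"] = run_sca(requirements_text)
    return (not report["sast"] and not report["sca"]), report


# Constructed repository snapshot so the example runs stand-alone.
FILES = {
    "app/handlers.py": "def run(cmd):\n    import subprocess\n    return subprocess.run(cmd, shell=True)\n",
    "app/util.py": "def add(a, b):\n    return a + b\n",
    "app/legacy.py": "def calc(expr):\n    return eval(expr)\n",
    "README.md": "eval( in docs is not code\n",
}
REQUIREMENTS = "examplelib==2.3.0  # affected by EXAMPLE-ADV-1\ntoyparser==1.2.0\n"
CHANGED = ["app/util.py", "README.md"]  # files touched by the current commit

if __name__ == "__main__":
    for stage in ("checkin", "build", "qa"):
        passed, report = gate(stage, CHANGED, list(FILES), FILES, REQUIREMENTS)
        print(stage, "PASS" if passed else "FAIL", report)
```

Run as a script, the check-in stage passes because the incremental scope contains only the changed `app/util.py`, while the build stage fails on both the full-scope SAST findings in files that were not part of this commit and the out-of-date `examplelib` pin, which is exactly why the recommendation pairs an incremental scan with a full one.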