Keeping Software Secure – Reflections in Honor of National Coding Week


By: Paul Farrington, chief product officer, Glasswall 

September 14-20 marks National Coding Week — a time to celebrate the ever-increasing impact of coding across all industries and organizations around the world. In today’s digital world, it is more important than ever to encourage people of all ages to get involved in software development.

There is an abundance of choice and diversity in how a developer can leverage software components, cloud services and deployment patterns today. There’s probably never been a more exciting time to create software. That freedom of choice, however, brings with it a degree of security risk.

Development teams will usually use open-source components or frameworks to help accelerate the speed at which software can be written. The good news is that, according to Snyk, the number of open-source projects impacted by intentionally malicious vulnerabilities is relatively low. By contrast, a very small handful of accidental vulnerabilities of a single class, Prototype Pollution, which affects JavaScript projects, has hit 115,000 projects, nearly 27% overall. Malware authors are generally still targeting organisations with business document-based threats like PDF, Word or Excel. Of course, attackers will use any vector they can to breach the organisation.
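The article names Prototype Pollution without describing it, so here is an added example (not code from the article or from Glasswall) of the usual culprit, an unguarded deep-merge of untrusted JSON, beside a hardened version; the merge functions and the payload are constructed for illustration.

```javascript
// Added illustration: a key literally named "__proto__" in untrusted JSON makes a naive
// recursive merge write onto Object.prototype, so every object in the process inherits
// the injected property. The hardened variant refuses the keys that reach the chain.

// Vulnerable: for-in plus bracket assignment walks into the prototype chain.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (typeof value === 'object' && value !== null) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value); // for key "__proto__", target[key] is Object.prototype
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: own keys only, and never the three names that lead to the prototype chain.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (typeof value === 'object' && value !== null && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs one merge on a constructed payload and reports whether a fresh, unrelated object
// picked up the injected property. Removes the property afterwards so the check repeats.
function demonstrate(mergeFn) {
  const untrusted = JSON.parse('{"name": "guest", "__proto__": {"isAdmin": true}}'); // constructed input
  const config = mergeFn({ name: 'default', retries: 3 }, untrusted);
  const polluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return { name: config.name, retries: config.retries, polluted };
}
```

The same check (does a brand-new object suddenly carry a property nobody assigned?) is a cheap regression test to keep next to any merge, extend or set-path utility a project ships.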

For developers, a simple but crucial first step in securing code is to turn on automated scanning of third-party components, so that any vulnerable code is flagged immediately. There are plenty of cost-effective software composition analysis (SCA) solutions available for this, and some are free.

One of the most important aspects of achieving ‘secure by design’ is to ensure developers have the tools they need while they are writing code and are still in context. Deploying security tools later, when a developer may have closed their laptop for the day or even completed the whole project, is far too late.
