'Nature vs. Nurture' in Application Security Testing

It'll surprise no one in the software-making business to hear an app security vendor claim that the majority of applications contain at least one security flaw. (Really? Only one?) But a new report from Application Security Testing (AST) solutions provider Veracode serves as a cogent reminder that it often takes months to fix those flaws.

The report, "State of Software Security," available as a free download, analyzes 130,000 applications. The report's authors determined that it takes about six months for teams to close half the security flaws they find. The report also outlines some best practices to significantly improve those deplorable fix rates.

Posted by John K. Waters on November 5, 2020


CSA Dives Deep Into 'Egregious' Cloud Computing Threats

The Cloud Security Alliance (CSA) published a report in late September that I just got around to reading. I guess it was the Halloween season that drew me to the title, "Top Threats to Cloud Computing: Egregious 11 Deep Dive." It provides case study analyses of last year's The Egregious 11: Top Threats to Cloud Computing, with nine recent cybersecurity attacks and breaches. (Both reports featured a scary octopus on their covers.)

Posted by John K. Waters on November 2, 2020


Docker Inc.'s Strategic Shift to Dev Focus One Year Later

It's been almost exactly one year since Docker Inc. sold its enterprise platform business to Mirantis, a commercial distributor of OpenStack, to focus on the needs of enterprise application development teams. Since then, the company behind the leading containerization platform has concentrated on refining its dev tools and building an ecosystem of partners to support "code-to-cloud" automation for developers.

Docker CEO Scott Johnston talked with a group of reporters this week about the progress of that strategy and laid out the company's path going forward.

Posted by John K. Waters on October 29, 2020


Azul's New Migration Service Moves Oracle Java SE Users to Zulu Builds of OpenJDK

Open-source Java platform provider Azul Systems today unveiled a new series of migration tools and services designed to help enterprise and public sector IT teams transition from proprietary Oracle Java SE to its Zulu builds of OpenJDK. These tools and services include inventory and usage auditing, testing, and certification, "to help organizations move their entire Java estate quickly, easily, and securely from Oracle to Azul's OpenJDK platform," the company said in a statement.

Posted by John K. Waters on October 22, 2020


Call for Code Tackles Racial Injustice

When IBM and the organizers of the Call for Code Global Challenge announced the grand prize winner last week (our coverage here) of its third annual international tech-for-good competition, they also unveiled a new Call for Code initiative: Call for Code for Racial Justice, which IBM is describing as "a vital initiative that brings together technology and a powerful ecosystem to combat one of the greatest challenges of our time: racial injustice."

Posted by John K. Waters on October 20, 2020


Google v. Oracle Finally in SCOTUS's Hands

The decade-long court battle between Google and Oracle over 37 Java APIs Google used without Oracle's permission in its Android mobile operating system is finally coming to an end. (Really this time... probably.) Oral arguments before the Supreme Court of the United States (SCOTUS) ended on Friday.

The case has been pending at the High Court for almost two years. It was set originally for oral argument in March, but was rescheduled to this fall when the coronavirus pandemic scrambled the spring argument sessions. (My earlier report includes a summary of the long history of this case, which started when Oracle sued Google in 2010.)

Posted by John K. Waters on October 14, 2020


JetBrains' New Kotlin Release Cadence: Date-based, Not Feature-based

There's a lot going on this week in the Kotlin community. JetBrains, the Prague-based maker of the venerable code-centric Java IDE, IntelliJ IDEA, and creator of Kotlin, is hosting an online event focused on the programming language.

Kotlin 1.4 (named, obviously, for the latest release) is a three-day event, underway now (Oct 12-14), that is bringing together Kotlin experts to share insider insights with the global developer community.

Posted by John K. Waters on October 14, 2020


Kubernetes Security Provider is AWS Outposts Ready

Kubernetes security solutions provider Alcide achieved a milestone this week. The Israel-based company has earned the AWS Outposts Ready designation, which is part of the Amazon Web Services (AWS) Service Ready Program.

This designation is a big deal for the young company. It recognizes that Alcide's platform has demonstrated successful integration with AWS Outposts deployments. AWS Outposts is a fully managed service that extends AWS infrastructure, AWS services, APIs, and tools to virtually any datacenter, co-location space, or on-premises facility for a consistent hybrid experience.

Posted by John K. Waters on September 17, 2020


Latest BSIMM Report: Security for DevOps and CI/CD Becomes a Priority

Enterprises are adapting their software security efforts to support DevOps as CI/CD instrumentation and operations orchestration have become standard components of organizations' software security initiatives. That's one of the insights from the latest Building Security In Maturity Model (BSIMM) report from Synopsys.

First published in 2009, the BSIMM is the result of a multiyear study of real-world software security initiatives (SSIs). It was developed to provide a "fact-based" set of best practices for developing and growing an enterprise-wide software security program. That set of practices was the first maturity model for security initiatives created entirely from real-world data. The latest BSIMM is available for download now.

Posted by John K. Waters on September 15, 2020