
DZone: The Losing Battle: Code vs Flaws

Developers are writing better quality code, but it still comes with a high number of security flaws. How can this be addressed? We take a look at one possible approach.

Better Quality Code but With Security Flaws

“If debugging is the process of removing software bugs, then programming must be the process of putting them in.” – Edsger Dijkstra, winner of the 1972 Turing Award

There’s nothing new in the observation that a modern software system is a mash-up of original code, open source code pulled from libraries and repositories, and a liberal amount of third-party code that arrives with an OS or a JVM, for example. Mixed in with the good is the bad: known and unknown vulnerabilities that could one day be the source of a newspaper headline with your name in it.

There is some actual news this week, though. Sonatype has published a report on the state of the software supply chain showing that the quality of software components is improving and that the share of open source downloads carrying a known Java security flaw is holding steady at slightly more than six percent.

The bad news (and you knew there would be some) is that six-plus percent of a base of 31 billion downloads is roughly 2 billion downloads with a known defect. That is a lot of bad code going into good apps. The report also shows that new vulnerabilities appear in the 7,000 open source repositories in the study at an average rate of one per day, and that 70 percent of them carry a Common Vulnerability Scoring System (CVSS) score of 5 or higher.
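The practical counterpart to those numbers is checking what you actually download against a list of known-vulnerable component versions and triaging by CVSS score. The following is an added example, not code from the DZone article or from Sonatype's report or tooling: it matches Maven-style coordinates (group:artifact:version) against a small advisory list and filters by a CVSS threshold. Every coordinate, advisory identifier and CVSS score in it is constructed for illustration and describes no real advisory, and the version ordering is a simplified approximation of Maven's rules (numeric parts compare numerically, a qualifier such as "beta" sorts below the bare release, missing trailing parts count as zero).

```python
"""Audit Maven-style dependency coordinates against a known-vulnerability list.

Added example, not from the DZone article or the Sonatype report. All component
coordinates, advisory identifiers and CVSS scores below are constructed for
illustration and do not describe real advisories.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    group: str
    artifact: str
    version: str


@dataclass(frozen=True)
class Advisory:
    vuln_id: str      # constructed identifier, not a real CVE
    group: str
    artifact: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive); "" means no fix published
    cvss: float       # CVSS base score


def _tokens(version):
    """Split '1.4.2-beta' into [(1,1),(1,4),(1,2),(0,'beta')].

    Numeric parts become (1, int); alphabetic qualifiers become (0, str), so a
    qualifier always sorts below a number in the same position.
    """
    parts = []
    for tok in re.split(r"[.\-]", version):
        if tok.isdigit():
            parts.append((1, int(tok)))
        elif tok:
            parts.append((0, tok.lower()))
    return parts


def compare_versions(a, b):
    """Return -1, 0 or 1 under a simplified Maven-style ordering.

    Missing trailing parts are padded with (1, 0), so 1.2 == 1.2.0 and the bare
    release 1.4.2 sorts above 1.4.2-beta.
    """
    ta, tb = _tokens(a), _tokens(b)
    n = max(len(ta), len(tb))
    ta += [(1, 0)] * (n - len(ta))
    tb += [(1, 0)] * (n - len(tb))
    return (ta > tb) - (ta < tb)


def is_affected(component, adv):
    """True if the component's version lies in [introduced, fixed) of the advisory."""
    if (component.group, component.artifact) != (adv.group, adv.artifact):
        return False
    if compare_versions(component.version, adv.introduced) < 0:
        return False
    if adv.fixed and compare_versions(component.version, adv.fixed) >= 0:
        return False
    return True


def parse_coordinate(coord):
    """Parse 'group:artifact:version' into a Component."""
    group, artifact, version = coord.split(":")
    return Component(group, artifact, version)


def audit(components, advisories, min_cvss=5.0):
    """Return (component, advisory) pairs for matches scoring at or above min_cvss."""
    return [(c, a) for c in components for a in advisories
            if a.cvss >= min_cvss and is_affected(c, a)]


def vulnerable_fraction(download_log, advisories, min_cvss=0.0):
    """Share of downloads that match at least one advisory at or above min_cvss."""
    if not download_log:
        return 0.0
    hits = sum(
        1 for coord in download_log
        if any(a.cvss >= min_cvss and is_affected(parse_coordinate(coord), a)
               for a in advisories)
    )
    return hits / len(download_log)


# Constructed advisory list (hypothetical identifiers and scores).
ADVISORIES = [
    Advisory("EX-0001", "org.example", "json-util", "1.0", "1.4.2", 7.5),
    Advisory("EX-0002", "org.example", "xml-parse", "2.0", "", 4.3),      # no fix, below 5
    Advisory("EX-0003", "org.example", "http-client", "3.1", "3.3", 5.0),
]

# Constructed download log, one coordinate per download.
DOWNLOADS = [
    "org.example:json-util:1.3.9",        # in range, CVSS 7.5
    "org.example:json-util:1.4.2",        # exactly the fixed version
    "org.example:json-util:1.4.2-beta",   # pre-release sorts below 1.4.2, still affected
    "org.example:xml-parse:2.7",          # affected but CVSS 4.3, below threshold
    "org.example:http-client:3.2",        # in range, CVSS 5.0 (threshold is inclusive)
    "org.example:http-client:3.3.0",      # equals fixed version 3.3
    "org.example:log-core:1.0",           # no advisory
    "org.example:json-util:0.9",          # before the introduced version
]

if __name__ == "__main__":
    for comp, adv in audit([parse_coordinate(c) for c in DOWNLOADS], ADVISORIES):
        print(f"{comp.group}:{comp.artifact}:{comp.version} -> {adv.vuln_id} (CVSS {adv.cvss})")
    print("share with any known flaw:", vulnerable_fraction(DOWNLOADS, ADVISORIES))
    print("share with CVSS >= 5:", vulnerable_fraction(DOWNLOADS, ADVISORIES, 5.0))
```

The threshold is deliberately inclusive, matching the report's "5 or higher" cut, and the no-fix advisory (empty `fixed`) stays open-ended so a component never ages out of it. A real deployment would feed this from a generated SBOM and a maintained advisory source rather than the constructed lists above, and would need Maven's full version-ordering rules rather than the simplified comparison here.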

Read the full article here
