"Despite Post-Log4J Security Gains, Developers Can Still Improve"
Developers are increasingly running security tests as part of the development pipeline, but there is still room for improvement: only a minority of companies test software while it is being written or before code is committed. According to Snyk's 2023 State of Software Supply Chain Security report, two-thirds of companies have security tools integrated into their software development systems, yet only 40 percent have deployed security checks into the Integrated Development Environment (IDE) and only 48 percent run them at the code-commit stage. Forty percent of companies do not use supply chain security tooling at all, such as a Static Application Security Testing (SAST) tool or a Software Composition Analysis (SCA) tool. Randall Degges, head of developer relations at Snyk, says developers should perform at least three types of scans: scan their own custom code with SAST, check open source dependencies with an SCA tool, and scan infrastructure-as-code files to detect insecure configuration. This article continues to discuss key findings and points from Snyk's 2023 State of Software Supply Chain Security report.
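The three scan types Degges recommends map directly onto three CLI invocations, so they can be wired into a pipeline as a single job. The following GitHub Actions workflow is an added example and is not code from the Snyk report or the Dark Reading article; it assumes the Snyk CLI, a repository secret named SNYK_TOKEN holding a Snyk API token, and a high-severity failure threshold, all of which are illustrative choices rather than anything the report prescribes.

```yaml
# Added example (not from the Snyk report or the Dark Reading article):
# one CI job that runs SAST, SCA and IaC scans on every push and pull
# request. Assumes a repository secret SNYK_TOKEN with a Snyk API token.
name: supply-chain-scans

on:
  push:
    branches: [main]
  pull_request:

jobs:
  scan:
    runs-on: ubuntu-latest
    env:
      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
    steps:
      - uses: actions/checkout@v4

      - name: Install Snyk CLI
        run: npm install -g snyk

      # 1. SAST: scan the repository's own source code.
      #    The CLI exits non-zero when findings meet the threshold,
      #    which fails the job and blocks the merge.
      - name: SAST on custom code
        run: snyk code test --severity-threshold=high

      # 2. SCA: scan every manifest/lockfile found in the repo for
      #    vulnerable open source dependencies.
      - name: SCA on open source dependencies
        run: snyk test --all-projects --severity-threshold=high

      # 3. IaC: scan Terraform, Kubernetes, CloudFormation and similar
      #    files in the working tree for insecure configuration.
      - name: IaC misconfiguration scan
        run: snyk iac test --severity-threshold=high
```

Two caveats for anyone adapting this: `snyk code test` requires Snyk Code to be enabled for the organisation the token belongs to, and `snyk test` needs the ecosystem's manifest or lockfile (and for some package managers an installed dependency tree) to be present in the checkout. This job covers the CI stage the report measures; the same three commands run from a pre-commit hook or IDE plugin would cover the commit and IDE stages where the report found adoption lowest.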
Dark Reading reports "Despite Post-Log4J Security Gains, Developers Can Still Improve"