Archive for the ‘Free Software’ Category

2020 State of the Software Supply Chain Report Released; Sonatype Reveals New Speed and Security Benchmarks – GlobeNewswire

2020 State of the Software Supply Chain Report

Fulton, Md., Aug. 12, 2020 (GLOBE NEWSWIRE) -- Sonatype, the company that scales DevOps through open source governance and software supply chain automation, today released its sixth annual State of the Software Supply Chain Report.

For the second year in a row, Sonatype partnered with researchers Gene Kim from IT Revolution and Dr. Stephen Magill, CEO at MuseDev to examine how high performing teams successfully demonstrate superior risk management outcomes while maintaining high levels of productivity.

The report analyzes over 1.5 trillion open source download requests, 24,000 open source projects, and 5,600 enterprise development teams. Furthermore, in-depth survey research across a wide variety of organizations identified four types of software engineering teams with markedly different levels of performance in software supply chain management practices and open source governance.

When compared to their Low Performer peers, High Performers demonstrated:

When compared to Security First teams, High Performers were:

"Many have argued that effective risk management practices are always at the expense of developer productivity, but this year's report provides strong evidence to the contrary. Faster innovation and better risk management are not mutually exclusive," said Wayne Jackson, CEO of Sonatype. "High Performance engineering teams are accelerating velocity while simultaneously reducing security risks. Adding to these successful business outcomes, developers in High Performance teams demonstrate higher levels of job satisfaction."

The report also evaluated 24,000 open source projects to determine practices of the top-performing suppliers feeding components into software supply chains. Researchers found exemplary OSS projects demonstrated:

"We found that high performers are able to simultaneously achieve security and productivity objectives," said Gene Kim, DevOps researcher and author of the WSJ bestselling book, The Unicorn Project. "It's fantastic to gain a better understanding of the principles and practices of how this is achieved, as well as their measurable outcomes."

"It was really exciting to find so much evidence that this much-discussed tradeoff between security and productivity is really a false dichotomy. With the right culture, workflow, and tools development teams can achieve great security and compliance outcomes together with class-leading productivity," said Dr. Stephen Magill, Principal Scientist at Galois & CEO of MuseDev.

The study also reveals new milestones in open source software development, adversarial activity, and government influence, including:

About the State of the Software Supply Chain Report

The 2020 State of the Software Supply Chain Report blends a broad set of public and proprietary data with expert research and analysis to identify exemplary software development practices. Now in its sixth year, it is the longest-running research on open source software development and application security practices of its kind.

Additional Resources

About Sonatype

Sonatype is the leader in software supply chain automation technology with more than 350 employees, over 1,000 enterprise customers, and is trusted by more than 10 million software developers. Sonatype's Nexus platform enables DevOps teams and developers to automatically integrate security at every stage of the modern development pipeline by combining in-depth component intelligence with real-time remediation guidance. For more information, please visit Sonatype.com, or connect with us on Facebook, Twitter, or LinkedIn.

Read the original:
2020 State of the Software Supply Chain Report Released; Sonatype Reveals New Speed and Security Benchmarks - GlobeNewswire

PA DSS to PCI-SSF: Everything that you need to know about the transition – Lexology

The PCI PA-DSS Standard was launched in 2008 to help merchants secure their payment applications and safeguard cardholder data. The Payment Application Data Security Standard (PA-DSS) applies to payment software developed by vendors and sold to third parties that stores, processes, or transmits cardholder data and/or sensitive authentication data. The Payment Card Industry Security Standards Council has since rolled out a new framework to improve the security of applications that accept payments and use payment data in their environment. With the implementation of the new Standard, PA-DSS is being phased out, with its expiry in 2022.

The transition from PA-DSS to PCI SSF

In 2019, the PCI Security Standards Council released the PCI Software Security Framework (SSF) for the secure design and development of payment software. As stated earlier, the PCI SSF replaces the PA-DSS with new requirements that support a variety of payment software types, technologies, and development techniques.

Even though the PA-DSS Standard is being phased out, it should be noted that the new Standard affects payment applications already deployed within a PCI DSS environment: they remain usable, but new validations will be against the SSF. The new framework is set up to support traditional and modern payment software, including cloud and mobile platforms, and is designed to validate the security and development practices of both with an objective-based approach.

The new framework is said to provide flexibility for software vendors and facilitate better alignment of secure application development, as per the industry standard. The framework facilitates software vendors to offer PCI-validated payment software. This shall give merchants confidence that the software added to their environment facilitates compliance with PCI DSS and adheres to stringent security controls.

What Is the PCI Software Security Framework?

The PCI Software Security Framework is a new Standard rolled out with a purpose to secure the design and development of payment application software. This is a crucial move towards improving the security of payment applications and further facilitate reliable online payment transactions. The latest objective-based security framework supports the evolving landscape of application design and development practice with a modern approach. The new framework can support security requirements in both modern and traditional payment software. The SSF provides vendors with security standards for building and maintaining payment software that protects payment transactions and data, reduces vulnerabilities, and sets a strong defence against attacks. The new methodology adopted for validating software security facilitates robust security development practices in the industry.

The objective of rolling out PCI Software Security Framework

PCI Software Security Framework is a blend of traditional and modern software security requirements that support evolving technologies, software types, and development methodologies. The new framework was designed and implemented to encourage objective-focused security practices that can support both the traditional methods of good application security and the latest development practices.

Impact of transition on your organization

When PA-DSS v3.2 expires in 2022, the Standard will be formally replaced by the PCI SSF. At that point, all PA-DSS validated applications will move to the "Acceptable Only for Pre-Existing Deployments" status on the PA-DSS listing of applications on the PCI Council website. To make the transition hassle-free for stakeholders, the PA-DSS and SSF Programs will run in parallel, with the PA-DSS Program continuing to operate as it does today until the date of expiry.

Existing PA-DSS Validated Payment Application

The PA-DSS Program will remain open and fully supported until October 28, 2022, with no changes to the way the existing PA-DSS validated applications are handled. They will remain on the list of PA-DSS Validated Payment Applications until their expiry dates. Further, as per the normal process, vendors can submit changes until the PA-DSS v3.2 expiry date. On the date of expiry, the PA-DSS v3.2 will automatically be replaced by the PCI Software Security Framework.

New PA-DSS submissions

Vendors will be able to submit new payment software products for PA-DSS validation and listing until 30 June 2021. Low-impact changes can still be submitted for currently valid applications until their expiration date. On the date of expiry, all PA-DSS validated payment applications will move to "Acceptable Only for Pre-Existing Deployments" on the PCI SSC website.

Note- Assessments against the PCI Software Security Framework will have a three-year validity period.

See more here:
PA DSS to PCI-SSF: Everything that you need to know about the transition - Lexology

Taste to the Future: Global Internet of Things and Traceability for Food & Beverage Manufacturing Market – GlobeNewswire

Covina, CA, Aug. 13, 2020 (GLOBE NEWSWIRE) -- The report "Global Internet of Things and Traceability for Food & Beverage Manufacturing Market, By Components (Product and Software), By Application (Supply Chain Management, Traceability, & Product Recall, Consumer Transparency, Food Safety & Quality Control, Inventory Management, and Others), and By Region (North America, Europe, Asia Pacific, Latin America, and the Middle East & Africa) - Trends, Analysis and Forecast till 2029".

Key Highlights:

Request Free Sample Copy of this Business Report @ https://www.prophecymarketinsights.com/market_insight/Insight/request-sample/4408

Analyst View:

One of the major goals of the food & beverage manufacturing industry is to deliver high-quality food to the end consumer, which can be done accurately by monitoring foodservice equipment round the clock using IoT solutions. Rising investments in technologically advanced solutions for food processing, safety and packaging are expected to boost the growth of the target market in the upcoming years. Additionally, a rapidly rising urban population and growing consumer awareness about the threat of food hazards also support growth of the target market. This growth in consumer awareness regarding the sustainability of edibles is prompting food & beverage companies to employ digital solutions to ensure product quality, thereby influencing global market growth. Furthermore, Industrial Internet of Things (IIoT) technologies such as Artificial Intelligence (AI) and Big Data Analytics are anticipated to play a major role in streamlining and accelerating the manufacturing process through advanced automation and analytics.

Browse 60 market data tables* and 35 figures* through 140 slides and in-depth TOC on Global Internet of Things and Traceability for Food & Beverage Manufacturing Market, By Components (Product and Software), By Application (Supply Chain Management, Traceability, & Product Recall, Consumer Transparency, Food Safety & Quality Control, Inventory Management, and Others), and By Region (North America, Europe, Asia Pacific, Latin America, and the Middle East & Africa) - Trends, Analysis and Forecast till 2029

Request for a Report Customization before Buying @ https://www.prophecymarketinsights.com/market_insight/Insight/request-customization/4408

Key Market Insights from the report:

The global internet of things and traceability for food & beverage manufacturing market accounted for US$ 6.0 billion in 2019 and is estimated to be US$ 14.4 billion by 2029 and is anticipated to register a CAGR of 9.2%. The market report has been segmented on the basis of components, application, and region.

To know the upcoming trends and insights prevalent in this market, click the link below:

https://www.prophecymarketinsights.com/market_insight/Global-Internet-of-Things-and-Traceability-for-Food-&-Beverage-Manufacturing-Market-4408

Competitive Landscape:

The prominent players operating in the global Internet of things and traceability for food & beverage manufacturing market include ScienceSoft, HQ Software Industrial IoT Company, Style Lab IoT Software Company, PTC, Cisco, GE Digital, SAP, ARM IoT, and Siemens IoT Analytics Company.

The report provides detailed information regarding the industrial base, productivity, strengths, manufacturers, and recent trends, which will help companies expand their businesses and promote financial growth. Furthermore, the report exhibits dynamic factors including segments, sub-segments, regional marketplaces, competition, dominant key players, and market forecasts. In addition, it covers recent collaborations, mergers, acquisitions, and partnerships along with regulatory frameworks across different regions impacting the market trajectory. Recent technological advances and innovations influencing the global market are included in the report.

About Prophecy Market Insights

Prophecy Market Insights is a specialized market research, analytics, marketing/business strategy, and solutions firm that offers strategic and tactical support to clients for making well-informed business decisions and to identify and achieve high-value opportunities in the target business area. We also help our clients to address business challenges and provide the best possible solutions to overcome them and transform their business.

Some Important Points Answered in this Market Report Are Given Below:

Key Topics Covered

Read more here:
Taste to the Future: Global Internet of Things and Traceability for Food & Beverage Manufacturing Market - GlobeNewswire

The state of application security: What the statistics tell us – CSO Online

The emergence of the DevOps culture over the past several years has fundamentally changed software development, allowing companies to push code faster and to automatically scale the infrastructure needed to support new features and innovations. The increased push toward DevSecOps, which bakes security into the development and operations pipelines, is now changing the state of application security, but gaps still remain according to data from new industry reports.

A new report by the Enterprise Strategy Group (ESG), which surveyed 378 application developers and application security professionals in North America, found that many organizations continue to push code with known vulnerabilities into production despite viewing their own application security programs as solid.

Releasing vulnerable code is never good but doing so knowingly is better than doing it without knowing, since the decision usually involves some risk assessment, a plan to fix, and maybe temporary mitigations. Half of respondents said their organizations do this regularly and a third said they do it occasionally. The most often cited reasons were meeting a critical deadline, the vulnerabilities being low risk or the issues being discovered too late in the release cycle (45%).

The findings highlight why integrating security testing as early in the development process as possible is important, but also that releasing vulnerable code is not necessarily a sign of not having a good security program because this can happen for different reasons and no single type of security testing will catch all bugs. However, the report also found that many organizations are still in the process of expanding their application security programs, with only a third saying their programs cover more than three quarters of their codebase and a third saying their programs cover less than half.

Who takes responsibility for the decision of pushing vulnerable code into production can vary from organization to organization, the survey found. In 28% of organizations the decision is taken by the development manager together with a security analyst, in 24% by the development manager alone and in 21% by a security analyst.

This could actually be a sign of application security programs maturing, because DevSecOps is about moving security testing as early as possible in the development pipeline, whereas in the past security testing fell solely in the sphere of security teams who used to perform it after the product was complete.

In organizations where the development team does the security testing as a result of integrations into their processes and also consumes the results, it's normal for the development manager to make decisions regarding which vulnerabilities are acceptable, either in collaboration with the security team or even inside their own organization if they have a security champion -- a developer with application security knowledge and training -- on their team. Such decisions, however, should still be taken based on policies put in place by the CISO organization, which is ultimately responsible for managing the entire company's information security risk and can, for example, decide which applications are more exposed to attacks or contain more sensitive information that hackers could target. Those applications might have stricter rules in place when it comes to patching.

If the risk is not evaluated correctly, shipping code with known vulnerabilities can have serious consequences. Sixty percent of respondents admitted that their production applications were exploited through vulnerabilities listed in the OWASP Top-10 over the past 12 months. The OWASP Top-10 lists the most critical security risks to web applications and includes problems like SQL injection, broken authentication, sensitive data exposure, broken access controls, security misconfigurations, the use of third-party components with known vulnerabilities and more. These are issues that should not generally be allowed to exist in production code.

According to ESG's report, companies use a variety of application security testing tools: API security vulnerability (ASV) scanning (56%), infrastructure-as-code security tools to protect against misconfigurations (40%), static application security testing (SAST) tools (40%), software composition analysis (SCA) testing tools (38%), interactive application security testing (IAST) tools (38%), dynamic application security testing (DAST) tools (36%), plugins for integrated development environments (IDEs) that assist with security issue identification and resolution (29%), scanning tools for images used in containers, repositories and microservices (29%), fuzzing tools (16%) and container runtime configuration security tools (15%).

However, among the top challenges in using these tools, respondents listed developers lacking the knowledge to mitigate the identified issues (29%), developers not using tools the company invested in effectively (24%), security testing tools adding friction and slowing down development cycles (26%) and lack of integration between application security tools from different vendors (26%).

While almost 80% of organizations report that their security analysts are directly engaged with their developers by working directly to review features and code, by working with developers to do threat modelling or by participating in daily development scrum meetings, developers themselves don't seem to get a lot of security training. This is why in only 19% of organizations the application security testing task is formally owned by individual developers and in 26% by development managers. A third of organizations still have this task assigned to dedicated security analysts and in another 29% it's jointly owned by the development and security teams.

In a third of organizations less than half of developers are required to take formal security training, and only 15% require such training for all developers. Less than half of organizations require developers to engage in formal security training more than once a year, with 16% expecting developers to self-educate and 20% only offering training when a developer joins the team.

Furthermore, even when training is provided or required, the effectiveness of such training is not properly tracked in most organizations. Only 40% of organizations track security issue introduction and continuous improvement metrics for development teams or individual developers.

Veracode, one of the application security vendors who sponsored the ESG research, recently launched the Veracode Security Labs Community Edition, an in-browser platform where developers can get free access to dozens of application security courses and containerized apps that they can exploit and patch for practice.

Any mature application security program should also cover any open-source components and frameworks because these make up a large percentage of modern application code bases and carry risks of inherited vulnerabilities and supply chain attacks. Almost half of respondents in ESG's survey said that open-source components make up over 50% of their code base and 8% said they account for two thirds of their code. Despite that, only 48% of organizations have invested in controls to deal with open-source vulnerabilities.

In its 2020 State of the Software Supply Chain report, open-source governance company Sonatype noted a 430% year-over-year growth in attacks targeting open-source software projects. These attacks are no longer passive where attackers exploit vulnerabilities after they've been publicly disclosed, but ones where attackers try to compromise and inject malware into upstream open-source projects whose code is then pulled by developers into their own applications.

In May, the GitHub security team issued a warning about a malware campaign dubbed Octopus Scanner that was backdooring NetBeans IDE projects. Malicious or compromised components have also been regularly distributed on package repositories like npm or PyPI.

The complex web of dependencies makes dealing with this issue difficult. In 2019, researchers from Darmstadt University analyzed the npm ecosystem, which is the primary source for JavaScript components. They found that any typical package loaded an average of 79 other third-party packages from 39 different maintainers. The top five packages on npm had a reach of between 134,774 and 166,086 other packages.

"When malicious code is deliberately and secretly injected upstream into open source projects, it is highly likely that no one knows the malware is there, except for the person that planted it," Sonatype said in its report. "This approach allows adversaries to surreptitiously set traps upstream, and then carry out attacks downstream once the vulnerability has moved through the supply chain and into the wild."

According to the company, between February 2015 and June 2019, 216 such "next-generation" supply chain attacks were reported, but from July 2019 to May 2020 an additional 929 attacks were documented, so this has become a very popular attack vector.

In terms of traditional attacks where hackers exploit known vulnerabilities in components, companies seem unprepared to respond quickly enough. In the case of the Apache Struts2 vulnerability that ultimately led to the Equifax breach in 2017, attackers started exploiting the vulnerability within 72 hours after it became known. More recently, a vulnerability reported in SaltStack was also exploited within three days after being announced, catching many companies unprepared.

A Sonatype survey of 679 software development professionals revealed that only 17% of organizations learn about open-source vulnerabilities within a day of public disclosure. A third learn within the first week and almost half after a week's time. Furthermore, around half of organizations required more than a week to respond to a vulnerability after learning about it and half of those took more than a month.

Both the availability and consumption of open-source components is increasing with every passing year. The JavaScript community introduced over 500,000 new component releases over the past year, pushing the npm registry to 1.3 million packages. Up to May, developers had downloaded packages 86 billion times from npm, and Sonatype projects that by the end of the year the figure will reach 1 trillion downloads. It's concerning that the University of Darmstadt research published last year revealed that nearly 40% of all npm packages contain or depend on code with known vulnerabilities and that 66% of vulnerabilities in npm packages remain unpatched.

In the Java ecosystem, developers downloaded 226 billion open-source software components from the Maven Central Repository in 2019, which was a 55% increase compared to 2018. Given the statistics seen in 2020, Sonatype estimates that Java component downloads will reach 376 billion this year. The company, which maintains the Central Repository and has deep insight into the data, reports that one in ten downloads was for a component with a known vulnerability.

A further analysis of 1,700 enterprise applications revealed that on average they contained 135 third-party software components, of which 90% were open source. Eleven percent of those open-source components had at least one vulnerability, but applications had on average 38 known vulnerabilities inherited from such components. It was also not uncommon to see applications assembled from 2,000 to 4,000 open-source components, highlighting the major role the open-source ecosystem plays in modern software development.
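The two figures quoted above, transitive reach across packages and maintainers (the Darmstadt npm study) and the number of known vulnerabilities an application inherits from its components (the Sonatype application analysis), both fall out of one walk over the dependency graph. The Python below is an added illustration of that walk, not code from either research team, Sonatype or any SCA product; the package graph, maintainer names and advisories are constructed for the example, and version matching is a simplified "fixed in version X, everything below is affected" comparison rather than full semver range handling.

```python
"""Transitive dependency reach and inherited vulnerabilities over a constructed
npm-style dependency graph. Illustration only: not code from the Darmstadt study
or Sonatype, and the graph, maintainers and advisories below are invented."""
from collections import deque

# Constructed graph: package -> (installed version, maintainer, direct dependencies).
PACKAGES = {
    "my-app":          ("1.0.0", "acme",     ["web-framework", "logger"]),
    "web-framework":   ("4.2.1", "fw-team",  ["http-utils", "template-engine", "logger"]),
    "http-utils":      ("2.0.3", "fw-team",  ["string-helpers"]),
    "template-engine": ("1.8.0", "tpl-dev",  ["string-helpers", "html-escape"]),
    "logger":          ("3.1.0", "log-co",   ["string-helpers"]),
    "string-helpers":  ("0.9.2", "solo-dev", []),
    "html-escape":     ("1.0.0", "solo-dev", []),
}

# Constructed advisories: (package, first fixed version); every lower version is affected.
ADVISORIES = [
    ("string-helpers", "1.0.0"),
    ("html-escape", "1.0.1"),
    ("template-engine", "1.7.0"),   # installed 1.8.0 already carries the fix
]


def parse_version(v):
    """'1.8.0' -> (1, 8, 0); simplified numeric dotted versions only, no prerelease tags."""
    return tuple(int(part) for part in v.split("."))


def transitive_deps(root, packages=PACKAGES):
    """Every package reachable from root through direct dependencies (root excluded)."""
    seen, queue = set(), deque(packages[root][2])
    while queue:
        name = queue.popleft()
        if name in seen:
            continue
        seen.add(name)
        queue.extend(packages[name][2])
    return seen


def implicit_trust(root, packages=PACKAGES):
    """How many packages and how many distinct maintainers installing `root` pulls in."""
    deps = transitive_deps(root, packages)
    return len(deps), len({packages[d][1] for d in deps})


def reach(name, packages=PACKAGES):
    """Number of other packages whose transitive closure contains `name`:
    the larger this is, the wider the blast radius if `name` is compromised upstream."""
    return sum(1 for p in packages if p != name and name in transitive_deps(p, packages))


def inherited_vulnerabilities(root, packages=PACKAGES, advisories=ADVISORIES):
    """Advisories that apply to a version actually present in root's dependency tree."""
    deps = transitive_deps(root, packages)
    return [
        (pkg, packages[pkg][0], fixed_in)
        for pkg, fixed_in in advisories
        if pkg in deps and parse_version(packages[pkg][0]) < parse_version(fixed_in)
    ]


def summarize(root, packages=PACKAGES, advisories=ADVISORIES):
    """Per-application figures in the shape of the report's statistics."""
    components, maintainers = implicit_trust(root, packages)
    vulns = inherited_vulnerabilities(root, packages, advisories)
    return {
        "components": components,
        "maintainers": maintainers,
        "vulnerable_components": len({pkg for pkg, _, _ in vulns}),
        "inherited_vulnerabilities": len(vulns),
    }


if __name__ == "__main__":
    print(summarize("my-app"))
    print("reach of string-helpers:", reach("string-helpers"))
```

On the constructed graph, `my-app` declares two dependencies but installs six packages from four maintainers, and the one-maintainer `string-helpers` package is reachable from five of the seven packages, which is the shape of the "small world" the Darmstadt authors describe. A real scanner would read `package-lock.json` and the registry's maintainer metadata instead of a hardcoded dict, and would need proper semver range evaluation.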

Similar component consumption trends were observed in the .NET ecosystem and the microservice ecosystem, with Docker Hub receiving 2.2 million new container images over the past year and being on track to see 96 billion image pull requests by developers this year. Publicly reported supply chain attacks have involved malicious container images hosted on Docker Hub, and the likelihood of pulling images with misconfigurations or vulnerabilities is also high.

The DevOps movement has fundamentally changed software development and made possible the new microservice architecture where traditional monolith applications are broken down into individually maintained services that run in their own containers. Applications no longer contain just the code necessary for their features, but also the configuration files that dictate and automate their deployment on cloud platforms, along with the resources they need. Under DevSecOps, development teams are not only responsible for writing secure code, but also deploying secure infrastructure.

In a new report, cloud security firm Accurics, which operates a platform that detects vulnerable configurations in infrastructure-as-code templates and cloud deployments, found that 41% of organizations had hardcoded keys with privileges in the configurations used to provision computing resources, 89% of deployments had resources provisioned and running with overly permissive identity and access management (IAM) policies, and nearly all of them had misconfigured routing rules.
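The misconfiguration classes behind the Accurics figures (credential literals in provider blocks, wildcard IAM allow statements, and network rules open to the whole internet) are the kind of thing a few lines of policy checking can catch before `terraform apply`. The Python below is an added example, not Accurics' scanner or any Terraform tooling; it runs over a constructed Terraform-style plan expressed as JSON-like dicts, the credential values are the placeholder example keys from AWS documentation rather than real secrets, and the security-group ingress check stands in for the report's "routing rules" category, whose exact criteria the article does not give.

```python
"""Minimal infrastructure-as-code misconfiguration checks over a constructed
Terraform-style plan. Illustration only: not Accurics' product and not a
replacement for a real policy engine."""
import json
import re

# Constructed plan. The key values are AWS documentation placeholders, not live credentials.
PLAN = {
    "provider": {
        "aws": {
            "region": "us-east-1",
            "access_key": "AKIAIOSFODNN7EXAMPLE",
            "secret_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        }
    },
    "resource": {
        "aws_iam_policy": {
            "admin_everything": {"policy": json.dumps({
                "Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
            })},
            "read_one_bucket": {"policy": json.dumps({
                "Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                               "Resource": "arn:aws:s3:::example-bucket/*"}],
            })},
        },
        "aws_security_group": {
            "bastion": {"ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                                     "cidr_blocks": ["0.0.0.0/0"]}]},
            "internal": {"ingress": [{"from_port": 443, "to_port": 443, "protocol": "tcp",
                                      "cidr_blocks": ["10.0.0.0/8"]}]},
        },
    },
}

# AWS access key IDs are 20 characters: AKIA (long-term) or ASIA (temporary) + 16 more.
AKID_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_hardcoded_keys(plan):
    """Flag provider fields that carry a key ID pattern or are named like a secret."""
    findings = []
    for name, cfg in plan.get("provider", {}).items():
        for field, value in cfg.items():
            if isinstance(value, str) and (AKID_RE.search(value) or field.endswith("secret_key")):
                findings.append(f"provider.{name}.{field}: credential literal in code")
    return findings


def check_wildcard_iam(plan):
    """Flag Allow statements combining a wildcard action with Resource '*'."""
    findings = []
    for name, res in plan["resource"].get("aws_iam_policy", {}).items():
        doc = json.loads(res["policy"])
        for i, stmt in enumerate(_as_list(doc["Statement"])):
            if stmt.get("Effect") != "Allow":
                continue
            actions = _as_list(stmt.get("Action", []))
            resources = _as_list(stmt.get("Resource", []))
            wild_action = any(a == "*" or a.endswith(":*") for a in actions)
            if wild_action and "*" in resources:
                findings.append(f"aws_iam_policy.{name} statement {i}: Allow {actions} on *")
    return findings


def check_open_ingress(plan, sensitive_ports=(22, 3389)):
    """Flag security-group ingress from 0.0.0.0/0 that covers an admin port."""
    findings = []
    for name, res in plan["resource"].get("aws_security_group", {}).items():
        for rule in res.get("ingress", []):
            exposed = "0.0.0.0/0" in rule.get("cidr_blocks", [])
            if exposed and any(rule["from_port"] <= p <= rule["to_port"] for p in sensitive_ports):
                findings.append(f"aws_security_group.{name}: ingress "
                                f"{rule['from_port']}-{rule['to_port']} open to 0.0.0.0/0")
    return findings


def scan(plan=PLAN):
    """Run every check and return the combined list of findings."""
    return check_hardcoded_keys(plan) + check_wildcard_iam(plan) + check_open_ingress(plan)


if __name__ == "__main__":
    for finding in scan():
        print(finding)
```

On the constructed plan the scan reports four findings: the two provider credential fields, the `admin_everything` policy, and the bastion group's SSH rule; `read_one_bucket` and the `internal` group pass. A production gate would run the same idea over `terraform show -json` output and fail the pipeline on any finding, rather than relying on a reviewer to notice a wildcard buried in a policy document.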

See more here:
The state of application security: What the statistics tell us - CSO Online

icometrix named to the 2020 CB Insights Digital Health 150 – List of Most Innovative Digital Health Startups – BioSpace

NEW YORK, Aug. 13, 2020 /PRNewswire/ --CB Insights today named Icometrixto its second annual Digital Health 150 ranking, which showcases the 150 most promising private digital health companies in the world.

The 2020 Digital Health 150 cohort highlights startups that are reimagining the lines of the traditional healthcare experience across 12 categories, from Virtual Care Delivery and Clinical Trials, to Drug Discovery and Specialty Care.

"This year's Digital Health 150 is our most global ever, covering the best private healthcare companies from 17 countries. Beyond geographic diversity, these companies are innovating across the entire healthcare value chain, spanning technologies that benefit pharma & biotech companies, to payers, hospitals, insurers, and more," said CB Insights CEO Anand Sanwal.

"We are honored to receive this renewed recognition by CB Insights," said Wim Van Hecke, CEO of icometrix. "Innovative digital health solutions are changing healthcare at a rapid pace. Through our brain MRI and CT measures, we help radiologists, neurologists, neurosurgeons, and their referring physicians to make more informed and more accurate decisions for patients with neurological disorders. With our recently launched icompanion, a free app for people with multiple sclerosis to track symptoms, treatments, physician visits, as well as view their MRI scans on-the-go. All of this contributes to enhanced patient care worldwide, providing individual patients with the right treatment at the right moment," Van Hecke concludes.

icometrix offers AI solutions to obtain clinically meaningful data from MR and CT scans. Its icobrain portfolio incorporates brain volumetrics for patients with neurological conditions in clinical practice. icolung, an AI solution launched to help fight COVID-19, quantifies lung pathology on chest CT in admitted COVID-patients. Today, icometrix is internationally active in over 100 clinical practices and works with healthcare providers and pharmaceutical companies on the evaluation of drug trials for neurological diseases.

About icometrix icometrix (Leuven, Belgium; Chicago, USA) is the world leader in software solutions to obtain clinically meaningful data from brain MRI and CT scans. The fully automated icobrain software has market clearance in the USA, Europe, Japan, Canada, Brazil, India, and Australia. Today, the icobrain portfolio is used in patients with multiple sclerosis, dementia, and brain trauma.

Contact: Wim Van Hecke, CEOwim.vanhecke@icometrix.com+32 16-369-000icometrix.com

Press Kit:https://icometrix-files.s3-eu-west-1.amazonaws.com/Press-releases/Press-Kit-icometrix-20200813.zip

View original content to download multimedia:http://www.prnewswire.com/news-releases/icometrix-named-to-the-2020-cb-insights-digital-health-150---list-of-most-innovative-digital-health-startups-301111912.html

SOURCE icometrix

View post:
icometrix named to the 2020 CB Insights Digital Health 150 - List of Most Innovative Digital Health Startups - BioSpace