ForAllSecure today provided early access to dynamic software bill of materials (SBOM) generation and software composition analysis (SCA) validation capabilities within its Mayhem Security automated code and application programming interface (API) testing tool.
Josh Thorngren, vice president of product at ForAllSecure, said the dynamically created SBOM lists only the components present at runtime. That’s a critical capability because, given the rate at which most code is developed today, most SBOMs are out of date shortly after they have been created, he noted.
In addition, Mayhem Security will now filter results from SCA, static application security testing (SAST) and similar tools so that only vulnerabilities actually present in the code at runtime are surfaced.
That approach will substantially reduce the cognitive load that developers experience today when reviewing the results these tools would otherwise generate when applied to the entire code base, said Thorngren.
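An added illustration of the runtime-filtering idea described above (this is example code, not ForAllSecure's or Mayhem's): a lockfile-derived SBOM and the SCA findings raised against it are reconciled against the components actually observed loading, keeping only findings whose component loaded in a still-unpatched version. Component names, versions and finding ids are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Component:
    name: str
    version: str

@dataclass(frozen=True)
class Finding:
    finding_id: str   # constructed placeholder, not a real advisory id
    component: str
    fixed_in: str     # first version that no longer carries the flaw

def _ver(v: str) -> tuple:
    """Numeric compare for dotted versions, so '1.10.0' > '1.9.0'."""
    return tuple(int(p) for p in v.split("."))

def build_dynamic_sbom(static_sbom, runtime_loaded):
    """List what actually loaded, and flag loaded components the static SBOM
    never declared (vendored copies, transitive pulls)."""
    declared = {c.name for c in static_sbom}
    loaded = {c.name: c for c in runtime_loaded}
    return {"components": sorted(loaded.values(), key=lambda c: c.name),
            "undeclared": sorted(n for n in loaded if n not in declared)}

def filter_findings(findings, dynamic_sbom):
    """Keep a finding only if its component loaded at runtime and the version
    that really loaded (not the declared one) is still below the fix."""
    loaded = {c.name: c for c in dynamic_sbom["components"]}
    actionable, suppressed = [], []
    for f in findings:
        comp = loaded.get(f.component)
        if comp is None:
            suppressed.append((f.finding_id, "not loaded at runtime"))
        elif _ver(comp.version) >= _ver(f.fixed_in):
            suppressed.append((f.finding_id, f"loaded {comp.version} has the fix"))
        else:
            actionable.append(f.finding_id)
    return {"actionable": actionable, "suppressed": suppressed}

# Constructed sample data: a lockfile-derived SBOM, what the process actually
# loaded while its tests ran, and three SCA findings raised against the SBOM.
STATIC_SBOM = [Component("libfoo", "1.2.0"), Component("libbar", "0.9.1"),
               Component("libbaz", "2.0.0")]
RUNTIME_LOADED = [Component("libfoo", "1.2.0"),   # loaded as declared
                  Component("libbaz", "2.1.0"),   # a newer copy actually resolved
                  Component("libqux", "3.0.0")]   # loaded but never declared
FINDINGS = [Finding("FIND-0001", "libfoo", "1.3.0"),  # loaded and unpatched
            Finding("FIND-0002", "libbar", "1.0.0"),  # component never loaded
            Finding("FIND-0003", "libbaz", "2.1.0")]  # loaded copy already fixed
```

The suppressed list is only as good as the workload that produced the runtime observations: a component that never loaded under test can still load in production on an unexercised path, so coverage of the test run should be reviewed alongside the filtered results.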
There’s been an ongoing effort to shift more responsibility for application security left toward developers. The challenge is many of the security tools being provided to developers present an overwhelming number of alerts that, upon investigation, don’t impact code actually running in a production environment, noted Thorngren.
As a result, developers become less inclined to run these tools and miss the chance to discover vulnerabilities earlier in the application development life cycle, he added.
Discovering those vulnerabilities is becoming a more pressing issue as more developers employ generative artificial intelligence (AI) platforms trained using general-purpose large language models (LLMs). While those platforms make developers more productive, they also generate code snippets that have the same vulnerabilities as the code that was used to train them. The result can be an even greater number of vulnerabilities finding their way into production environments than there already are.
At the same time, governments around the world are debating legislation that would make organizations more accountable for application security. Once such legislation becomes law, it is only a matter of time before an exploited software vulnerability results in heavier fines and penalties. It may be a while before those proposals become law, but organizations will need to start shoring up their DevSecOps practices today to address those requirements.
It’s not clear whether developers will ever fully embrace security, but identifying and remediating vulnerabilities can become a lot less painful than it is today. At a time when there is more focus than ever on developer productivity, the less time spent remediating vulnerabilities, the more time there should be to write code. In effect, organizations should be able to adopt secure-by-design principles for application development, noted Thorngren.
Ultimately, any effort to reduce the number of vulnerabilities in applications will go a long way toward bridging the current divide between developers and the cybersecurity teams that view developers’ lack of appreciation for security as the root cause of many of the issues they face. At the same time, if it becomes easier to identify and remediate vulnerabilities, fewer developers will view cybersecurity as an obstacle to be circumvented.