Sven Ruppert, 6 articles
In the past two years, we have had to learn a lot about cybersecurity. New attack vectors are becoming ever more sophisticated and are increasingly directed against the value chain as a whole.
But what does that mean for us? What can be done about it, and how has the state already reacted?
SAST, DAST, IAST and RASP
In this article, we’re going to look at the differences between the various cybersecurity defence techniques.
My personal opinion on these different approaches is that if you start with DevSecOps or security in IT in general, the SAST approach makes the most sense. This is where the greatest potential threat can be eliminated with minimal effort.
Here you can identify four main groups, which we will go through briefly one after another to illustrate the advantages and disadvantages.
CVSS 101: First Steps with Common Vulnerability Scoring System
What is the Common Vulnerability Scoring System (CVSS), who is behind it, what do we do with it, and what does a CVSS value mean for you?
With CVSS, we have a value system for evaluating security gaps in software. Since there are no alternatives, and the system has been in use worldwide for over ten years and is constantly being developed, it is a de facto standard.
The evaluation consists of three components.
The Lifecycle of a Security Vulnerability
Again and again, we read in the IT news about new security gaps that have been identified.
Most of the time, you don’t even hear or read anything about the many security holes that are not as well known as the SolarWinds hack, for example.
But what is the typical lifecycle of such a security gap?
Delegation vs. Inheritance in Graphical User Interfaces
At this point, we have seen how you can build a more robust variant of a composition by using delegation rather than inheritance.
You can also use this approach if you are confronted with legacy source code that contains this anti-pattern.
It’s not always possible to clean up everything or change it to the last detail.
But I hope this has given an incentive to approach this situation.
Getting Started with DevSecOps
Even as a software developer, you will often hear this phrase during meetings with the company’s management and sales departments. The phrase is “Make or Buy”. Typically, we have to decide whether we want to do something ourselves or spend money to buy the requested functionality. The bought functionality may be less, more, or simply different, so that we have to adjust ourselves to use it in our context.
But as software developers, we have to deal with the same question every day. I am talking about dependencies. Should we write the source code ourselves or just add the next dependency? Who will be responsible for removing bugs, and what is the total cost of this decision? But first, let’s take a look at the make-or-buy association inside the full tech stack.