Software Integrity

Search Results for 'javascript'

Strengthen your security defenses when programming in JavaScript

The number of developers applying defensive coding techniques to JavaScript isn’t nearly as widespread as those taking defensive measures in Java (among other coding languages). Well, we’re working to change that! It’s not impossible to code defensively in JavaScript—it just takes a bit of training. We recently sat down with Aman Ali, one of our […]

Posted in Security Training

The sacred knowledge of securing JavaScript

JavaScript is gaining more and more popularity not just on the front-end, but also on the back-end, with new frameworks coming out almost every month. On the client-side, we are watching an overwhelming encroachment of AngularJS, which is slowly pushing out Knockout.js, React.js, and Ember.js. On the server-side, Node.js has established its base with Express […]

Posted in Security Training, Webinars

Android WebViews and the JavaScript to Java bridge

Since a WebView is a browser control in an app, it invites traditional attacks associated with the web. We examine how to protect against these attacks. Introduction It’s been several months since I presented on Android WebViews at OWASP AppSec EU 2015 in Amsterdam, and I finally have the chance to put the content into […]

Posted in Mobile Application Security

Coverity 2018.12: Securing enterprise applications

Coverity 2018.12 adds analysis without build, covers more languages and frameworks, finds more vulnerabilities, and supports enterprise application security goals.

Posted in Announcements, Static Analysis (SAST)

NPM dependencies, supply chain attacks, and Bitcoin wallets

The EventStream incident shows just how easily attackers can infiltrate the open source software supply chain by adding a malicious dependency to a trusted component.

Posted in Featured, Open Source Security, Software Composition Analysis

Why you need to perform open source due diligence in an M&A transaction

Most companies involved with technology M&A understand the importance of open source risks in software. Today’s software contains significant amounts of open source, on average more than 50%, according to a 2018 Synopsys study. Consequently, it has become the norm for acquirers to raise open source questions as part of technical and legal due diligence. […]

Posted in Legal, Open Source Security

Porous portals, Newegg is a broken egg, and Mirai’s creators have new hats

Taylor Armerding, Synopsys Software Integrity Group senior strategist, gives you the scoop on application security and insecurity in this week’s Security Mashup. What’s in this week’s Security Mashup, you ask? Porous payment portals lead to government data breaches, Magecart pwns Newegg, and the Mirai creators trade in their black hats for white ones. Watch this week’s […]

Posted in Data Breach, Government Security, Weekly Security Mashup

CodeXM: Awesome code checker power (itty-bitty learning curve!)

What you need to know, and (more importantly) what you don’t, about the CodeXM checkers. When you develop your software, you may not be aware of what the compiler is doing to transform source into an executable. The neat thing is you don’t need to. Just know things like what a variable declaration is, what a […]

Posted in Static Analysis (SAST)

NetSpectre: An ominous Spectre variant, but no immediate danger

NetSpectre sounds like it could be Spectre on steroids. Then again, it sounds like it could be more like a lab mutation of probably the most serious design flaw in CPUs (central processing units) or computer chips in a generation—interesting, but not much of a threat in the real world. At least not yet. So […]

Posted in General

6 months later, Spectre still haunts

It’s now more than six months since the major design flaw in computer chips labeled Spectre became public. And as predicted, it is still haunting the world of information technology. That’s largely because, as experts explained at the time, Spectre is not a software bug that can be fixed by rolling out a patch or […]

Posted in General