Software Integrity

Search Results for 'security metrics'

How effective are your software security metrics?

Many firms present metrics in a vastly oversimplified way, calculating too few measurements to share. Many other firms barrage the audience with a variety of highly detailed metrics. This often overwhelms the reader. Both approaches are weak. If you want to share key software security metrics, it’s critical to focus on the impact that the metrics […]

Posted in Software Security Initiative (SSI), Webinars

Building meaningful security metrics

Many people in various security disciplines are looking to metrics as a way to demonstrate the efficacy of their efforts and show continuous process improvement. Unfortunately, poorly constructed metrics usually create more confusion than insight. If I told you that testing discovered nine critical vulnerabilities last month, what knowledge have I imparted? Does it clarify […]

Posted in Software Security Initiative (SSI)

CVE-2018-11776 and why you need Black Duck Security Advisories

In August I wrote about a new Apache Struts vulnerability that affected Struts 2.3 and Struts 2.5. Apache Struts, an open source framework for developing web applications, is widely used by enterprises worldwide, including (at least at one point in time) the Equifax credit reporting agency. When Equifax did not identify and patch a vulnerable version of […]

Posted in Open Source Security

Hacking Security Episode 2: The 4 CISO tribes

Hacking Security is a monthly podcast on emerging trends in application security development, hosted by Steve Giguere, lead EMEA engineer at Synopsys. In Episode 2, we discuss notable CISOs and then dive into the four tribes found in the Synopsys CISO Report. Take 20 minutes to listen to the latest episode below. Transcript […]

Posted in Hacking Security, Podcasts, Web Application Security

Common security challenges in CI/CD workflows

What are the most common security challenges in CI/CD workflows? Organizations report CI/CD security challenges related to tools, approach, speed, false positives, developer resistance, and compliance. Meera Rao, director of the secure development practice at Synopsys, explains how to deal with each one effectively. In a recent webinar that I co-presented with Jay Lyman, principal […]

Posted in Agile, CI/CD & DevOps, Static Analysis (SAST)

Announcing OpsSight Container Security 2.0 GA

Containers have restructured the way we think about our infrastructure, bringing development and operations teams closer together than ever before, and placing applications center stage in the infrastructure environment. Teams are massively scaling containerized deployments with Kubernetes and Kubernetes-based solutions, like Red Hat’s enterprise-grade container orchestration platform, OpenShift Container Platform. But in containerized deployments, because […]

Posted in Container Security, Open Source Security

Verizon DBIR puts security burden on users

The 2018 Verizon Data Breach Investigations Report (DBIR)—the 11th annual exhaustive collection of good advice and (mostly) bad news—which dropped a couple of weeks ago, doesn’t contain any major surprises about the state of online security. The number of confirmed breaches—at least the ones reported by 67 contributors globally—was 2,216, among 53,308 “real-world incidents.” In […]

Posted in Data Breach, Maturity Model (BSIMM), Software Architecture and Design

Synopsys eLearning empowers developers to achieve security compliance with security competency

Written in coordination with Prasaath Velu. According to 451 Research, 19% of about 800 organizations listed security awareness training ineffectiveness or difficulty as a top information security pain point. In fact, (ISC)2 has estimated that there will be a 20% increase in software security jobs—from 1.5 million in 2015 to 1.8 million in 2022—further stressing […]

Posted in Security Training

Examining open source security and the road ahead in the 2017 Coverity Scan Report

Coverity Scan’s impact on open source software (OSS) is both extensive and largely unacknowledged. Since its inception, Scan has enabled developers to fix over 600,000 defects across some of the most important projects in open source. As part of that effort, it has also helped improve the maturity of the software development practices of active […]

Posted in Open Source Security, Static Analysis (SAST)

iPhone X Face ID: Evaluating the security of biometric systems

Several frameworks have been proposed to evaluate the security of biometric systems. Popular ones include the simpler Ratha’s framework [1] and the enhanced Bartlow and Cukic framework [2]. To employ these frameworks to evaluate iPhone X’s biometric security, we need a lot of data points that we don’t have yet. We won’t speculate on the […]

Posted in Mobile Application Security