Software Integrity Blog

Author Archive

Fred Bals


Fred is a senior technical writer at Synopsys. He is a Mini Cooper fanboy and has worked for both Google and Bob Dylan at various points in his career.


Posts by Fred Bals:

 

3 takeaways from “Managing the Business Risks of Open Source” webinar

Managing open source risk is essential today, when open source use is abundant but can threaten your business. Here are three key points from our webinar.

Posted in Mergers & Acquisitions, Open Source Security, Webinars

 

9 highlights from the 2018 Software Integrity Blog

From vulnerability detection to API security, these nine topics hit the highlights from our coverage of software security and quality this year.

Posted in General

 

Security lessons from the House Oversight and Government Reform Committee

The U.S. House Committee on Oversight and Government Reform has more than a few things to say about responsible enterprise application security.

Posted in Data Breach, Open Source Security

 

10 critical cloud security threats in 2018 and beyond

Don’t let cloud security threats rain on your parade. Explore our list of the top 10 security risks in cloud computing and what you can do to mitigate them.

Posted in Cloud Security

 

FLIGHT East 2018 open source security presentations

Most software today contains open source. That’s why you need software composition analysis. See open source security presentations from FLIGHT East 2018.

Posted in Mergers & Acquisitions, Open Source Security

 

Why you need to perform open source due diligence in an M&A transaction

Today’s software contains more than 50% open source. Companies involved in technology M&A need to know why and how to perform open source due diligence.

Posted in Mergers & Acquisitions, Open Source Security

 

CVE-2018-11776 and why you need Black Duck Security Advisories

In August I wrote about a new Apache Struts vulnerability that affected Struts 2.3 and Struts 2.5. Apache Struts, an open source framework for developing web applications, is widely used by enterprises worldwide, including (at least at one point in time) the Equifax credit reporting agency. When Equifax did not identify and patch a vulnerable version of Struts, attackers were able to capture personal consumer information, including names, Social Security numbers, birth dates, and addresses of over 148 million U.S. consumers, nearly 700,000 U.K. residents, and more than 19,000 Equifax Canadian customers.

Posted in Open Source Security

 

CVE-2018-11776: The latest Apache Struts vulnerability

About a week ago, a security researcher disclosed a critical remote code execution vulnerability in the Apache Struts web application framework that could allow remote attackers to run malicious code on affected servers. The vulnerability (CVE-2018-11776) affects all supported versions of Struts 2 and was patched by the Apache Software Foundation on Aug. 22. Users of Struts 2.3 should upgrade to 2.3.35; users of Struts 2.5 should upgrade to 2.5.17. They should do so as soon as possible, given that bad actors are already working on exploits.

More critical than the Equifax vulnerability

“On the whole, this is more critical than the highly critical Struts RCE vulnerability that the Semmle Security Research Team discovered and announced last September,” Man Yue Mo, the researcher who uncovered the flaw, told the media, referring to CVE-2017-9805. CVE-2017-9805 was announced the same week (early September 2017) that Equifax disclosed its massive data breach. That breach came through CVE-2017-5638, a different Struts vulnerability that had been patched months earlier, and led to the theft of personal details of over 148 million consumers.

Posted in Data Breach, Open Source Security, Software Composition Analysis
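The upgrade advice in the CVE-2018-11776 entry above (2.3.x to 2.3.35, 2.5.x to 2.5.17) is exactly the kind of version check a software composition analysis tool performs against a build's dependency list. As an added example that is not code from the original post or from Black Duck, the Python script below scans a constructed excerpt of `mvn dependency:list` output for struts2-core entries below the fixed releases. The sample lines, the helper names, and the handling of Struts lines other than 2.3 and 2.5 (reported as "unknown" for manual review) are assumptions of the example; the fixed versions are the ones the post names.

```python
"""Flag struts2-core versions below the CVE-2018-11776 fix releases.

Added example, not code from the original post or from Black Duck. The fixed
versions (2.3.35 and 2.5.17) are the ones named in the post; the input below
is a constructed excerpt of `mvn dependency:list` output, not a real project.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample of `mvn dependency:list` output (not from a real build).
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.struts:struts2-core:jar:2.3.34:compile
[INFO]    org.apache.struts:struts2-convention-plugin:jar:2.3.34:compile
[INFO]    org.apache.struts:struts2-core:jar:2.5.17:compile
[INFO]    org.apache.struts:struts2-core:jar:2.5.10.1:compile
[INFO]    org.apache.struts:struts2-core:jar:2.3.35:compile
[INFO]    commons-fileupload:commons-fileupload:jar:1.3.3:compile
"""

# First fixed release per supported Struts 2 line, as stated in the post.
FIXED_VERSIONS = {(2, 3): "2.3.35", (2, 5): "2.5.17"}

# groupId:artifactId:type:version[:scope], the common dependency:list shape.
DEP_LINE = re.compile(
    r"^\[INFO\]\s+(?P<group>[^:\s]+):(?P<artifact>[^:\s]+):jar:(?P<version>[^:\s]+)"
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.5.10.1' into (2, 5, 10, 1); drop qualifiers like '-SNAPSHOT'.

    Comparing tuples of ints is what makes 2.3.9 < 2.3.35 come out right;
    comparing the raw strings would say '2.3.9' > '2.3.35'.
    """
    numeric = []
    for part in version.split("-", 1)[0].split("."):
        if not part.isdigit():
            break
        numeric.append(int(part))
    return tuple(numeric)


def assess_version(version: str) -> Tuple[str, Optional[str]]:
    """Return (status, fixed_version) for a struts2-core version string.

    status is 'vulnerable', 'fixed', or 'unknown' (a Struts line the post
    does not cover; assumption of this example: hand it to a human).
    """
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        return "unknown", None
    if parsed < parse_version(fixed):
        return "vulnerable", fixed
    return "fixed", fixed


def scan_dependency_list(text: str) -> List[dict]:
    """Walk dependency:list output and assess every struts2-core entry."""
    findings = []
    for line in text.splitlines():
        match = DEP_LINE.match(line)
        if not match:
            continue
        if match["group"] != "org.apache.struts" or match["artifact"] != "struts2-core":
            continue
        status, fixed = assess_version(match["version"])
        findings.append(
            {"artifact": match["artifact"], "version": match["version"],
             "status": status, "fixed_in": fixed}
        )
    return findings


if __name__ == "__main__":
    for finding in scan_dependency_list(SAMPLE_DEPENDENCY_LIST):
        note = f" (upgrade to {finding['fixed_in']})" if finding["status"] == "vulnerable" else ""
        print(f"{finding['artifact']} {finding['version']}: {finding['status']}{note}")
```

The script only keys on struts2-core because that is the artifact the advisory covers; in a real build the Struts plugins are versioned in lockstep with the core and move together when you upgrade. A version reported as "unknown" is a Struts line the post says nothing about, so the script deliberately refuses to call it safe.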

 

The AppSec alphabet soup: A guide to SAST, DAST, IAST, and RASP

Every application security testing tool—SAST, IAST, DAST, and RASP—has its distinct advantages, but you’ll get the best results when you use them together.

Posted in Interactive Application Security Testing (IAST), Static Analysis (SAST), Web Application Security

 

Big temperature drop in Hades as Microsoft buys GitHub

The big news for open source last week was Microsoft’s announced purchase of GitHub. A major win for open source? The beginning of the end? Read Software Integrity Insight to see both sides of the coin, as well as the rest of the cyber security and open source security news that made headlines this week!

Posted in Open Source Security, Webinars