Fred is a senior technical writer at Synopsys. He is a Mini Cooper fanboy and has worked for both Google and Bob Dylan at various points in his career.
Managing open source risk is essential today, when open source use is abundant but can threaten your business. Here are three key points from our webinar.
Posted in Mergers & Acquisitions, Open Source Security, Webinars | Comments Off on 3 takeaways from “Managing the Business Risks of Open Source” webinar
From vulnerability detection to API security, these nine topics hit the highlights from our coverage of software security and quality this year.
Posted in General | Comments Off on 9 highlights from the 2018 Software Integrity Blog
The U.S. House Committee on Oversight and Government Reform has more than a few things to say about responsible enterprise application security.
Posted in Data Breach, Open Source Security | Comments Off on Security lessons from the House Oversight and Government Reform Committee
Explore 10 critical cloud security threats: data breaches, human error, data loss, insider threats, DDoS attacks, insecure APIs, exploits, account hijacking, APTs, and CPU flaws.
Posted in Cloud Security | Comments Off on 10 critical cloud security threats in 2018 and beyond
Most software today contains open source. That’s why you need software composition analysis. See open source security presentations from FLIGHT East 2018.
Posted in Mergers & Acquisitions, Open Source Security | Comments Off on FLIGHT East 2018 open source security presentations
Today’s software contains more than 50% open source. Companies involved in technology M&A need to know why and how to perform open source due diligence.
Posted in Mergers & Acquisitions, Open Source Security | Comments Off on Why you need to perform open source due diligence in an M&A transaction
In August I wrote about a new Apache Struts vulnerability that affected Struts 2.3 and Struts 2.5. Apache Struts, an open source framework for developing web applications, is widely used by enterprises worldwide, including (at least at one point in time) the Equifax credit reporting agency. When Equifax did not identify and patch a vulnerable version of Struts, attackers were able to capture personal consumer information, including names, Social Security numbers, birth dates, and addresses of over 148 million U.S. consumers, nearly 700,000 U.K. residents, and more than 19,000 Equifax Canadian customers.
Posted in Open Source Security | Comments Off on CVE-2018-11776 and why you need Black Duck Security Advisories
We wind up the month of August with stories on the latest Apache Struts hack—bad news, if you remember Equifax—and what you need to do now to protect yourself. Plus news on plane, ATM, and even water heater hacks, and a primer on what to look for in SAST, DAST, IAST, and RASP tools.
Posted in Open Source Security | Comments Off on Struts flaw, SAST, IAST, DAST & RASP primer, hacking planes, ATMs, and water heaters
About a week ago, a security researcher disclosed a critical remote code execution vulnerability in the Apache Struts web application framework that could allow remote attackers to run malicious code on the affected servers. The vulnerability (CVE-2018-11776) affects all supported versions of Struts 2 and was patched by the Apache Software Foundation on Aug. 22. Users of Struts 2.3 should upgrade to 2.3.35; users of Struts 2.5 need to upgrade to 2.5.17. They should do so as soon as possible, given that bad actors are already working on exploits. More critical than the Equifax vulnerability “On the whole, this is more critical than the highly critical Struts RCE vulnerability that the Semmle Security Research Team discovered and announced last September,” Man Yue Mo, the researcher who uncovered the flaw, told the media, referring to CVE-2017-9805. CVE-2017-9805 was announced the same day (September 7, 2017) that Equifax announced the massive data breach via CVE-2017-5638, which led to the lifting of personal details of over 148 million consumers.
Posted in Data Breach, Open Source Security, Software Composition Analysis | Comments Off on CVE-2018-11776: The latest Apache Struts vulnerability
Every application security testing tool—SAST, IAST, DAST, and RASP—has its distinct advantages, but you’ll get the best results when you use them together.
Posted in Interactive Application Security Testing (IAST), Static Analysis (SAST), Web Application Security | Comments Off on The AppSec alphabet soup: A guide to SAST, DAST, IAST, and RASP