Software Integrity Blog

Author Archive

Fred Bals

fbals

Fred is a senior technical writer at Synopsys. He is a Mini Cooper fanboy and has worked for both Google and Bob Dylan at various points in his career.


Posts by Fred Bals:


3 takeaways from “Managing the Business Risks of Open Source” webinar

Managing open source risk is essential today, when open source use is abundant but can threaten your business. Here are three key points from our webinar.

Posted in Mergers & Acquisitions, Open Source Security, Webinars

9 highlights from the 2018 Software Integrity Blog

From vulnerability detection to API security, these nine topics hit the highlights from our coverage of software security and quality this year.

Posted in General

Security lessons from the House Oversight and Government Reform Committee

The U.S. House Committee on Oversight and Government Reform has more than a few things to say about responsible enterprise application security.

Posted in Data Breach, Open Source Security

10 critical cloud security threats in 2018 and beyond

Explore 10 critical cloud security threats: data breaches, human error, data loss, insider threats, DDoS attacks, insecure APIs, exploits, account hijacking, APTs, and CPU flaws.

Posted in Cloud Security

FLIGHT East 2018 open source security presentations

Most software today contains open source. That’s why you need software composition analysis. See open source security presentations from FLIGHT East 2018.

Posted in Mergers & Acquisitions, Open Source Security

Why you need to perform open source due diligence in an M&A transaction

Today’s software contains more than 50% open source. Companies involved in technology M&A need to know why and how to perform open source due diligence.

Posted in Mergers & Acquisitions, Open Source Security

CVE-2018-11776 and why you need Black Duck Security Advisories

In August I wrote about a new Apache Struts vulnerability that affected Struts 2.3 and Struts 2.5. Apache Struts, an open source framework for developing web applications, is widely used by enterprises worldwide, including (at least at one point in time) the Equifax credit reporting agency. When Equifax did not identify and patch a vulnerable version of Struts, attackers were able to capture personal consumer information, including names, Social Security numbers, birth dates, and addresses of over 148 million U.S. consumers, nearly 700,000 U.K. residents, and more than 19,000 Equifax Canadian customers.

Posted in Open Source Security

Struts flaw, SAST, IAST, DAST & RASP primer, hacking planes, ATMs, and water heaters

We wind up the month of August with stories on the latest Apache Struts hack—bad news, if you remember Equifax—and what you need to do now to protect yourself. Plus news on plane, ATM, and even water heater hacks, and a primer on what to look for in SAST, DAST, IAST, and RASP tools.

Posted in Open Source Security

CVE-2018-11776: The latest Apache Struts vulnerability

About a week ago, a security researcher disclosed a critical remote code execution vulnerability in the Apache Struts web application framework that could allow remote attackers to run malicious code on the affected servers. The vulnerability (CVE-2018-11776) affects all supported versions of Struts 2 and was patched by the Apache Software Foundation on Aug. 22. Users of Struts 2.3 should upgrade to 2.3.35; users of Struts 2.5 need to upgrade to 2.5.17. They should do so as soon as possible, given that bad actors are already working on exploits.

More critical than the Equifax vulnerability

“On the whole, this is more critical than the highly critical Struts RCE vulnerability that the Semmle Security Research Team discovered and announced last September,” Man Yue Mo, the researcher who uncovered the flaw, told the media, referring to CVE-2017-9805. CVE-2017-9805 was announced the same day (September 7, 2017) that Equifax announced the massive data breach via CVE-2017-5638, which led to the lifting of personal details of over 148 million consumers.

Posted in Data Breach, Open Source Security, Software Composition Analysis

The AppSec alphabet soup: A guide to SAST, DAST, IAST, and RASP

Every application security testing tool—SAST, IAST, DAST, and RASP—has its distinct advantages, but you’ll get the best results when you use them together.

Posted in Interactive Application Security Testing (IAST), Static Analysis (SAST), Web Application Security