Software Integrity Blog

Author Archive

Fred Bals

Fred is a senior technical writer at Synopsys. He is a Mini Cooper fanboy and has worked for both Google and Bob Dylan at various points in his career.


Posts by Fred Bals:

Half a billion IoT devices vulnerable, breaches at Homeland Security, FedEx, and the fastest growing cyberthreat

Software Integrity Insight is switching over to a monthly schedule, but we’ll still bring you the best SAST, DAST, and SCA security news as we find it. And don’t despair: You can still get your weekly fix of application security (and insecurity) news by following our colleague Taylor Armerding’s video blog, Security Mashup.

With so many eyeballs, is open source security better? via eSecurity Planet: Dirk Hohndel, VP and chief open source officer at VMware: “One of the biggest challenges for any software product, whether it’s open source or not, is to get enough qualified reviewers to make sure that you don’t get overwhelmed by the speed of innovation and you take the time to actually do decent code review.”

AppSec at the speed of DevOps in the age of open source via JAXenter: In the world of DevOps, traditional application security is no longer enough. How can we improve AppSec? What are the newest security challenges that arise as DevOps becomes more mature? JAXenter editor Gabriela Motroc caught up with Tim Mackey, technical evangelist for Black Duck by Synopsys, at DevOpsCon 2018 to talk about all this and more.

Retailers need to get real about security via Xconomy: There is big opportunity in online retailing. However, until retailers stop treating software as an ancillary aspect of their business and begin to think and act like software companies, security breaches will continue to plague them.

IoT security flaw leaves 496 million devices vulnerable at businesses: Report via CRN: Nearly a half-billion Internet of Things devices are vulnerable to cyberattacks at businesses worldwide because of a 10-year-old security flaw, according to a new report from a security software vendor.

Under GDPR, data breach reports in UK have quadrupled via BankInfoSecurity: In both March and April, the total number of breaches reported to the ICO was about 400, according to data released by the ICO last week. But the number of breach reports climbed to about 700 in May and hit about 1,750 in June, the ICO says.

These are 2018’s biggest hacks, leaks, and data breaches [so far] via ZDNet: Homeland Security, FedEx, Orbitz, Aadhaar, L’Express, Cambridge Analytica, Twitter, T-Mobile, and more.

Equifax’s security overhaul, a year after its epic breach via Wired: Jamil Farshchi, chief information security officer at Equifax: “The barriers you face at any company not post-breach is you’re always fighting for budget, you’re always fighting for face time, trying to justify and convince people about the importance of security and risk management. When you’re in a post-breach environment, everyone already knows that it’s critically important.”

Best practices for application security testing in the era of DevOps and AI via DevOps.com: As the pace of application development techniques (and their inevitable vulnerabilities) evolve, AppSec personnel have found themselves caught between the desire to keep pace with their management of security testing requirements and their ability to allow the developer teams to operate in the modern, fast-paced ecosystem of DevOps and artificial intelligence.

A guide to DevSecOps tools via SD Times: Synopsys, a recognized leader in application security, provides static analysis, software composition analysis, and dynamic analysis solutions that enable teams to quickly find and fix vulnerabilities and defects in proprietary code, open source components, and application behavior.

Secure code: You are the solution to open source’s biggest problem via Dark Reading: Seventy-eight percent of open source codebases examined in a recent study contain at least one unpatched vulnerability, with an average of 64 known vulnerabilities per codebase.

Unsecured server exposes 157 GB of highly sensitive data from Tesla, Toyota and more via CSO: A security researcher discovered 157 GB of highly sensitive data from more than 100 companies, including automakers such as Ford, GM, Tesla, Toyota, Chrysler, Fiat, and Volkswagen, exposed on the web.

What is the fastest growing cyberthreat? 80% say supply chain attacks via TechRepublic: According to the report, nearly 90% of respondents believe they are currently at risk for a supply chain attack. . . . On average, supply chain attacks cost organizations $1.1 million. For US companies however, the average cost per attack is $1.27 million.

Timehop breach provides GDPR response template via Synopsys Software Integrity blog: With the disclosure of 21 million individuals’ account information being accessed in a data breach at Timehop, we now have a blueprint for what public disclosure of a breach might look like under the new GDPR rules.

Posted in Open Source Security

Creating a secure SDLC, solving open source’s biggest problem, government unprepared for cyber attacks

This week in the news: creating a secure SDLC, solving open source’s biggest problem, our government is unprepared for cyber attacks, and more.

Posted in Open Source Security

Traffic systems at risk of cyber attack, Cortana and Alexa news, PyRoMineIoT cryptojacker

The cyber security and open source security news that made headlines this week: Traffic systems at risk of cyber attack, Cortana and Alexa news, and the PyRoMineIoT cryptojacker.

Posted in Internet of Things, Open Source Security

Big temperature drop in Hades as Microsoft buys GitHub

The big news for open source last week was Microsoft’s announced purchase of GitHub. A major win for open source? The beginning of the end? Read Software Integrity Insight to see both sides of the coin, as well as the rest of the cyber security and open source security news that made headlines this week!

Posted in Open Source Security, Webinars

North Korea hacking, JScript RCE, World Cup a cyberthreat target?

One of the ways hackers could ruin the World Cup 2018 for travelers is by hijacking the self-printed ticket kiosks or connected QR code readers for e-tickets, warns Steve Giguere, lead engineer at cyber security firm Synopsys.

Posted in Agile, CI/CD & DevOps, Open Source Security

Open source security risk on the rise owing to unpatched software

A slight change of pace for this week’s issue of Software Integrity Insight, as we focus on the release of the 2018 Open Source Security and Risk Analysis, which analyzes the audit results of over 1,100 commercial codebases from over 500 organizations and examines the open source security and licensing news of 2017. We think you’ll find some of the results from the report surprising, such as the fact that 33% of the codebases that contained Apache Struts still had the vulnerability that resulted in the Equifax breach. Learn about the open source security risks uncovered, and more, in this week’s Insight.

Download the full 2018 Open Source Security and Risk Analysis

Open source report exposes management gaps after turbulent 2017

Posted in Open Source Security

OpsSight Container Security 2.0, Integrating SAST into DevSecOps, building hacker-proof voting

Black Duck by Synopsys announces OpsSight 2.0. Abbott strengthens pacemaker software against vulnerabilities. A year after disclosure, the Struts vulnerability is still a danger to thousands of companies. And the new Synopsys Security Mashup video is up.

Posted in Agile, CI/CD & DevOps, Container Security, Medical Device Security, Static Analysis (SAST)

NIST report on container security, GitLab Developer Report, VW and Audi remote hacks

Software Integrity Insight is your resource on the cyber security and open source security news that made the headlines!

Posted in Automotive Security, Container Security, Open Source Security

RSA news, Israel shifts to open source, latest on TaskRabbit breach

RSA happened last week, and a ton of news—some gloomy, some encouraging—has come from the world’s largest cyber security conference. The Israeli government follows Great Britain, the U.S., and France and moves to open source. TaskRabbit pledges “more security” after a data breach, and nine things you can expect to have an impact on cyber security in the coming year.

Posted in Agile, CI/CD & DevOps, Data Breach, General, Open Source Security

Data breaches, SirenJack, and serverless apps vulns

It’s nearly an all-Tim Mackey issue of Software Integrity Insight as our technical evangelist weighs in on data breaches, container adoption, GitHub, and open source serverless applications. Other stories in this week’s software integrity news include the SirenJack vulnerability, a security vulnerability potentially putting warning sirens across the city of San Francisco at risk, and more.

Posted in Container Security, Data Breach, Internet of Things, Open Source Security, Webinars