Software Integrity Blog

Author Archive

Mike Pittenger

Mike Pittenger has 30 years of experience in technology and business, more than 25 years of management experience, and 15 years in security. He previously served as Vice President and General Manager of the product division of @stake. After @stake’s acquisition by Symantec, Pittenger led the spin-out of his team to form Veracode. He later served as Vice President of the product and training division of Cigital. For the past several years, he has consulted independently, helping security companies identify, define and prioritize the benefit to customers of their technologies, structure solutions appropriately and bring those offerings to market. Mike earned his AB in Economics from Dartmouth College and an MBA with a finance concentration from Bentley College.


Posts by Mike Pittenger:

What’s happening with the National Vulnerability Database?

The image below is what you saw if you searched the National Vulnerability Database (NVD) on February 16. As you can see, vulnerabilities are being added on a daily basis. The far right column, however, is blank: none of the vulnerabilities are being scored using NIST’s Common Vulnerability Scoring System (CVSS).

Posted in Software Architecture and Design

Hustling and hacking lessons from Paul Newman

Was Equifax first hit with a non-targeted attack? The details of the Equifax breach will unfold slowly over the next several weeks and months. One interesting detail came out recently when the company reported that “an actor interacted with our server on March 10, 2017.” That’s four days after the vulnerability was reported and three days […]

Posted in Open Source Security

Now it’s personal—4 takeaways from the Equifax breach

You’ve probably heard that personal information, including social security numbers, was stolen from Equifax. Here’s what you need to know. If you’re reading this, you have no doubt heard that personal information, including social security numbers, was stolen from Equifax—one of the Big 3 credit reporting agencies. From an industry standpoint, here’s a quick takeaway. […]

Posted in Data Breach, Open Source Security, Software Architecture and Design

Critical vulnerability CVE-2017-5638 attacks escalating

Attacks on Apache Struts 2 have escalated over the past couple of days as hackers exploit this critical vulnerability (CVE-2017-5638), a code-execution bug in the web application framework. Although a patch was available on Monday, hackers have been exploiting it on Struts implementations that don’t have the update installed yet. There are (at […]

Posted in Software Architecture and Design

“Easy” to hack Apache Struts vulnerability CVE-2017-9805

“This is as serious as it gets; if remote attackers are allowed to exploit the newly identified vulnerability it can critically damage thousands of enterprises.” Oege de Moor, CEO and founder of Semmle. Dozens of Fortune 100 companies are at risk after security researchers at lgtm.com discovered a critical Apache Struts security flaw (CVE-2017-9805) that […]

Posted in Open Source Security, Software Architecture and Design

6 recommendations for healthcare cybersecurity

Early last year, in response to the Cybersecurity Act of 2015, the US Department of Health and Human Services (HHS) established The Health Care Industry Cybersecurity Task Force. This month the task force published its recommendations to improve healthcare cybersecurity. While non-binding (today), the recommendations should be considered a heads up to health care organizations, “covered […]

Posted in Healthcare Security, Medical Device Security

4 risks in connected cars

Black Duck (now Synopsys) held its inaugural European user conference this month in Amsterdam. Turnout was great, with almost 100 representatives from European businesses attending our training and presentations. I was privileged to lead a panel discussion on the security implications of open source in connected cars. Gordon Haff, Technology Evangelist at Red Hat, and Simon Gutteridge, […]

Posted in Automotive Security, Webinars

Commercial application security: 6 facts you didn’t know

Many people know Black Duck from our security and software license compliance business. However, we also have a very strong On-Demand business. Our On-Demand business performs one-time audits of software, typically as part of due diligence in an M&A transaction. In these engagements, the entities acquiring a software company will “Black Duck” the codebase of […]

Posted in Open Source Security

Vulnerability remediation: You only have 4 options

In my previous post, I wrote about a simple process for triaging vulnerabilities across applications. Once you have the issues prioritized, the vulnerability remediation process is pretty straightforward. You don’t have a lot of options; either remediate the issue, ignore it, or apply other measures (compensating controls) to mitigate the risk posed by the vulnerability.

Posted in Developer Enablement, Open Source Security

Vulnerability management and triage in 3 steps

Security testing tools can help organizations build better software by identifying vulnerabilities early in the SDLC. For security professionals and developers, however, the hard work begins when the testing is complete. Once you have a list of vulnerabilities across multiple applications, what’s your next step in vulnerability management and triage? And how do you ensure […]

Posted in Open Source Security, Software Architecture and Design