Software Integrity Blog

Author Archive

Meera Rao


Meera Rao (Subbarao) is a senior principal consultant and the director of the secure development practice. She has over 20 years of experience in software development organizations in a variety of roles including Architect, Lead Developer, Project Manager, and Security Architect. Meera has overseen and performed secure code reviews, static analysis implementations, architectural risk analyses, secure design reviews, and threat modeling of systems built from a few thousand lines of code to systems containing tens of millions of lines of code. She has developed multiple Synopsys training courses and is a certified instructor in architectural risk analysis, threat modeling, and more.


Posts by Meera Rao:


Common security challenges in CI/CD workflows

What are the most common security challenges in CI/CD workflows? Organizations report CI/CD security challenges related to tools, approach, speed, false positives, developer resistance, and compliance.

Posted in Agile, CI/CD & DevOps, Static Analysis (SAST)

How to integrate SAST into the DevSecOps pipeline in 5 simple steps

To build a sustainable program, integrate SAST tools into your DevSecOps pipeline, and automate them for efficiency, consistency, and early detection.

Posted in Agile, CI/CD & DevOps, Static Analysis (SAST)

In support of the #MentorHer movement

Last month, while I was in Bengaluru, India, for work, our HR manager for Asia asked me to address Synopsys women on women’s empowerment. I prepared a simple 10-slide presentation that outlined the key challenges I faced as a woman, how I had overcome them, and how the mentorship program at Cigital, now Synopsys, had a huge impact on my success.

Posted in Agile, CI/CD & DevOps

Building your DevSecOps pipeline: 5 essential activities

This checklist describes the purpose, benefits, key enablers, and use cases of the top five key elements of the DevSecOps pipeline. Get started now.

Posted in Agile, CI/CD & DevOps

How to build security into the DevOps life cycle

As a kid, I often traveled by train in India. I always wondered what would happen if I pulled the chain under the sign that read, “To Stop Train, Pull Chain.” My parents warned me that it would cost them a fortune to pay the fine and that I’d be taken away by the police. Even though it scared me as a child, I was still tempted by the thrill of pulling that chain.

Posted in Agile, CI/CD & DevOps

New Apache Struts 2 zero-day vulnerability: What you need to know

At this time, hackers are actively exploiting the critical Apache Struts 2 zero-day vulnerability and are able to take complete control of web servers. Run a scan using software composition analysis to see whether you’re using any version of Struts 2 and whether you need to upgrade now.

Posted in Open Source Security, Software Composition Analysis

#BeBoldForChange on International Women’s Day 2017

What better way to celebrate International Women’s Day than by reading about the women of Synopsys who are achieving great success?

Posted in General

How to maximize returns on SAST tool investment

You probably hear time and time again that static application security testing (SAST) should be incorporated into the application development and deployment processes. In fact, the software security touchpoints also emphasize using code review tools. But no SAST tool effectively addresses the threats to a development environment "out of the box." It is a misconception that the cost of tool adoption lies primarily in getting the tool working in a build environment, configuring the tool's runtime parameters, or the tool's execution time. Let's explore how to get the most value out of SAST tools.

Customize the tools

The first step toward successfully adopting a tool is to incorporate additional rules that more accurately reflect the business logic embodied by the scanned code. Every tool ships with a fixed set of rules that represent available knowledge and best practices for the languages or APIs the tool can scan. Business-specific rules, however, are often captured in APIs developed in-house, and it's unrealistic to expect any code analysis tool to have knowledge of such rules or to be able to infer them.

Posted in Static Analysis (SAST)