Software Integrity Blog

Author Archive

Tim Mackey


Tim Mackey is a principal security strategist within the Synopsys CyRC (Cybersecurity Research Center). He joined Synopsys as part of the Black Duck Software acquisition where he worked to bring integrated security scanning technology to Red Hat OpenShift and the Kubernetes container orchestration platforms. As a security strategist, Tim applies his skills in distributed systems engineering, mission critical engineering, performance monitoring, large-scale data center operations, and global data privacy regulations to customer problems. He takes the lessons learned from those activities and delivers talks globally at well-known events such as RSA, Black Hat, Open Source Summit, KubeCon, OSCON, DevSecCon, DevOpsCon, Red Hat Summit, and Interop. Tim is also an O'Reilly Media published author and has been covered in publications around the globe including USA Today, Fortune, NBC News, CNN, Forbes, Dark Reading, TEISS, InfoSecurity Magazine, and The Straits Times. Follow Tim at @TimInTech on Twitter and at mackeytim on LinkedIn.

Posts by Tim Mackey:


Review of Apache Struts vulnerabilities yields 24 updated advisories

We found that 24 Apache Struts Security Advisories incorrectly list impacted versions and that previously disclosed vulnerabilities affect an additional 61 versions.


Posted in News & Announcements, Open Source Security, Security news and research


The Synopsys Cybersecurity Research Center (CyRC): Advancing the state of software security

The Synopsys Software Integrity Group is pleased to announce the public launch of CyRC (Cybersecurity Research Center).


Posted in Software Security Research


The intersection between IAST and SCA and why you need both in your security toolkit

Interactive application security testing (IAST) and software composition analysis (SCA) are both powerful technologies for your software security program.


Posted in Agile, CI/CD, & DevOps, Interactive Application Security Testing (IAST), Software Composition Analysis (SCA)


Electoral trust meets software security

Without adequate software security, from voter registration through the certification of results, electoral trust can be called into question.


Posted in Application Security, Public Sector Cyber Security, Security news and research


LifeLock lesson—Third party security is your security

On July 25, on his blog Krebs on Security, Brian Krebs covered a flaw in how LifeLock processed “unsubscribe” information related to its marketing activities. For those unfamiliar with LifeLock, it is a subsidiary of Symantec offering identity monitoring and protection services in the U.S. market. Brian outlined an issue impacting recipients of LifeLock marketing material who wished to opt out of further email communications by clicking on a “please remove me from this list” style link within the marketing material. Unfortunately, there was a flaw in that process that allowed anyone to discover email addresses associated with other users. In Symantec’s response, they indicate the issue was limited to the use of a third-party marketing platform used to process marketing communications, not the core LifeLock service, and that with the exception of the security researchers’ efforts, there was no indication of other access attempts.

The areas we can all learn from

With this as background, we can see several activities occurring here:


Posted in Software Compliance, Quality & Standards


Timehop breach provides GDPR response template

The Timehop breach disclosed 21 million individuals’ account information. And now we know what public disclosure of a breach might look like under GDPR.


Posted in Data Breach Security, Software Compliance, Quality & Standards


8 takeaways from NIST’s Application Container Security Guide

Companies are leveraging containers on a massive scale to rapidly package and deliver software applications. But because it is difficult for organizations to see the components and dependencies in all their container images, the container security risks associated with containerized delivery have become a hot topic in DevOps. This puts the spotlight on operations teams to find security vulnerabilities in the production environment.


Posted in Agile, CI/CD, & DevOps, Container Security, Open Source Security, Security news and research


RSA 2018 recap: Detecting vulnerabilities and avoiding snake oil

The message at RSA 2018 was clear: stronger regulations and stiffer penalties haven’t slowed data breaches. It’s time to look at the cost of noncompliance.


Posted in Security news and research


Data breaches and more data breaches—oh my!

What are the consequences of data breaches under GDPR? Complying with increased regulations means better understanding application security.


Posted in Data Breach Security, Software Compliance, Quality & Standards


Using containers? What’s hidden in your container images?

Do you know what’s in your containers? No, the question has nothing to do with those mystery containers in your fridge. But if you don’t know what’s in those lovely Docker containers which are all the rage, you could be in store for just as rude a surprise as discovering what might be hiding deep in your fridge.


Posted in Container Security