Software Integrity Blog

Author Archive

Tim Mackey

tmackey

Tim Mackey is a principal security strategist within the Synopsys CyRC (Cybersecurity Research Center). He joined Synopsys as part of the acquisition of Black Duck Software, where he worked to bring integrated security scanning technology to Red Hat OpenShift and the Kubernetes container orchestration platforms. As a security strategist, Tim applies his skills in distributed systems engineering, mission critical engineering, performance monitoring, and large-scale data center operations to customer problems. He takes the lessons learned from those activities and delivers talks globally at well-known events such as RSA, OSCON, Open Source Summit, KubeCon, Interop, CA World, Container World, DevSecCon, DevOps Days, and the IoT Summit. Tim is also an O’Reilly Media published author. Follow Tim at @TimInTech on Twitter and at mackeytim on LinkedIn.


Posts by Tim Mackey:

 

Review of Apache Struts vulnerabilities yields 24 updated advisories

We found that 24 Apache Struts Security Advisories incorrectly list impacted versions and that previously disclosed vulns affect an additional 61 versions.

Continue Reading...

Posted in News & Announcements, Open Source Security | Comments Off on Review of Apache Struts vulnerabilities yields 24 updated advisories

 

The Synopsys Cybersecurity Research Center (CyRC): Advancing the state of software security

The Synopsys Software Integrity Group is pleased to announce the public launch of CyRC (Cybersecurity Research Center).

Continue Reading...

Posted in Software Security Research | Comments Off on The Synopsys Cybersecurity Research Center (CyRC): Advancing the state of software security

 

The intersection between IAST and SCA and why you need both in your security toolkit

Interactive application security testing (IAST) and software composition analysis (SCA) are both powerful technologies for your software security program.

Continue Reading...

Posted in Agile, CI/CD & DevOps, Interactive Application Security Testing (IAST), Software Composition Analysis (SCA) | Comments Off on The intersection between IAST and SCA and why you need both in your security toolkit

 

Electoral trust meets software security

Without adequate software security, from voter registration through the certification of results, electoral trust can be called into question.

Continue Reading...

Posted in Application Security | Comments Off on Electoral trust meets software security

 

LifeLock lesson—Third party security is your security

On July 25, on his blog Krebs on Security, Brian Krebs covered a flaw in how LifeLock processed “unsubscribe” information related to its marketing activities. For those unfamiliar with LifeLock, it is a subsidiary of Symantec offering identity monitoring and protection services in the U.S. market. Brian outlined an issue impacting recipients of LifeLock marketing material who wished to opt out of further email communications by clicking on a “please remove me from this list” style link within the marketing material. Unfortunately, there was a flaw in that process that allowed anyone to discover email addresses associated with other users. In Symantec’s response, they indicate the issue was limited to the use of a third-party marketing platform used to process marketing communications, not the core LifeLock service, and that with the exception of the security researchers’ efforts, there was no indication of other access attempts. The areas we can all learn from With this as background, we can see several activities occurring here:

Continue Reading...

Posted in Software Compliance, Quality & Standards | Comments Off on LifeLock lesson—Third party security is your security

 

Timehop breach provides GDPR response template

The Timehop breach disclosed 21 million individuals’ account information. And now we know what public disclosure of a breach might look like under GDPR.

Continue Reading...

Posted in Data Breach Security, Software Compliance, Quality & Standards | Comments Off on Timehop breach provides GDPR response template

 

8 takeaways from NIST’s Application Container Security Guide

Companies are leveraging containers on a massive scale to rapidly package and deliver software applications. But because it is difficult for organizations to see the components and dependencies in all their container images, container security risks associated with containerized delivery has become a hot topic in DevOps. This puts the spotlight on operations teams to find security vulnerabilities in the production environment.

Continue Reading...

Posted in Agile, CI/CD & DevOps, Container Security, Open Source Security | Comments Off on 8 takeaways from NIST’s Application Container Security Guide

 

RSA 2018 recap: Detecting vulnerabilities and avoiding snake oil

With RSA 2018 behind us, a recap is in order. For any readers who have never attended the RSA Conference (RSA) in North America, it’s worth setting the stage. For practical purposes, RSA is the premier technology security conference. There are tens of thousands of attendees, well over a dozen conference tracks, and the show floor itself spans two buildings. Exhibitors range from the NSA and FBI (love their dogs, by the way), through service providers like CenturyLink and AT&T, major technology vendors like F5 and Trend Micro, to smaller vendors around the edges of the expo halls.

Continue Reading...

Posted in Software Architecture & Design | Comments Off on RSA 2018 recap: Detecting vulnerabilities and avoiding snake oil

 

Data breaches and more data breaches—oh my!

It’s been quite an interesting few weeks in the land of data breach disclosures. We started with Under Armour disclosing a breach in their MyFitnessPal application that impacted 150 million users. A few days later, Lord & Taylor and Saks Fifth Avenue disclosed a breach impacting millions of their in-store shoppers. Later the same day, we learned that Panera Bread had been leaking private user details for its millions of online users for eight months. Three days later we had yet another breach disclosure from Delta Airlines and Sears Holdings, who were using third-party chat services from [24]7.ai. The [24]7.ai breach then expanded to include Kmart and Best Buy a few days later.

Continue Reading...

Posted in Data Breach Security, Software Compliance, Quality & Standards | Comments Off on Data breaches and more data breaches—oh my!

 

Using containers? What’s hidden in your container images?

Do you know what’s in your containers? No, the question has nothing to do with those mystery containers in your fridge. But if you don’t know what’s in those lovely Docker containers which are all the rage, you could be in store for just as rude a surprise as discovering what might be hiding deep in your fridge.

Continue Reading...

Posted in Container Security | Comments Off on Using containers? What’s hidden in your container images?