Software Integrity Blog

Author Archive

Tim Mackey

tmackey

Tim Mackey works within the Synopsys Software Integrity Group as a technology evangelist. He joined Synopsys as part of the Black Duck Software acquisition where he worked to bring integrated security scanning technology to Red Hat OpenShift and the Kubernetes container orchestration platforms. Prior to joining Black Duck, Tim worked at Citrix as the community manager for XenServer and was part of the Citrix Open Source Business Office.

Being a technology evangelist allows Tim to apply his skills in distributed systems engineering, mission critical engineering, performance monitoring and large-scale data center operations to customer problems. He takes the lessons learned from those activities and delivers talks globally at well-known events such as RSA, OSCON, Open Source Summit, KubeCon, Interop, CA World, Container World, DevSecCon, DevOps Days and the IoT Summit. Tim is also an O’Reilly Media published author. Follow Tim @TimInTech on Twitter and at mackeytim on LinkedIn.


Posts by Tim Mackey:

 

The Synopsys Cybersecurity Research Center (CyRC): Advancing the state of software security

The Synopsys Software Integrity Group is pleased to announce the public launch of CyRC (Cybersecurity Research Center).

Posted in General

 

The intersection between IAST and SCA and why you need both in your security toolkit

Interactive application security testing (IAST) and software composition analysis (SCA) are powerful technologies—and you need both in your security toolkit.

Posted in Agile, CI/CD & DevOps, Interactive Application Security Testing (IAST), Software Composition Analysis

 

Electoral trust meets software security

It’s fair to say that regardless of where you live, assuming you have democratic elections, you want your vote to count—without any form of external influence or tampering. It’s also fair to say that until the most recent election cycle, for many Americans, election tampering was pretty low on their list of things to worry about. But since the 2016 election, we’ve seen investigations into what impact foreign governments might have had on the electoral process, how social media might have influenced the perception of candidates, and even how data brokers like Cambridge Analytica could be part of how campaigns target specific voters. How secure is voting technology? All these are legitimate concerns, but as with most aspects of modern life, there’s a technology component getting lost. Next week the annual Black Hat conference will occur in Las Vegas, and as you’d expect, we have a session on electronic voting. In this session, a forensic analysis of the notoriously insecure WinVote machines used in Virginia elections from 2004 through 2015 will be presented. This session is particularly interesting in that it’ll move beyond issues of insecure configurations, well-known administrator passwords, and lack of a patch process.

Posted in General

 

LifeLock lesson—Third party security is your security

On July 25, on his blog Krebs on Security, Brian Krebs covered a flaw in how LifeLock processed “unsubscribe” information related to its marketing activities. For those unfamiliar with LifeLock, it is a subsidiary of Symantec offering identity monitoring and protection services in the U.S. market. Brian outlined an issue impacting recipients of LifeLock marketing material who wished to opt out of further email communications by clicking on a “please remove me from this list” style link within the marketing material. Unfortunately, there was a flaw in that process that allowed anyone to discover email addresses associated with other users. In Symantec’s response, they indicate the issue was limited to the use of a third-party marketing platform used to process marketing communications, not the core LifeLock service, and that with the exception of the security researchers’ efforts, there was no indication of other access attempts.

The areas we can all learn from

With this as background, we can see several activities occurring here:

Posted in General, Security Standards and Compliance

 

Timehop breach provides GDPR response template

The Timehop breach disclosed 21 million individuals’ account information. And now we know what public disclosure of a breach might look like under GDPR.

Posted in Data Breach, Security Standards and Compliance

 

8 takeaways from NIST’s Application Container Security Guide

Companies are leveraging containers on a massive scale to rapidly package and deliver software applications. But because it is difficult for organizations to see the components and dependencies in all their container images, the container security risks associated with containerized delivery have become a hot topic in DevOps. This puts the spotlight on operations teams to find security vulnerabilities in the production environment.

Posted in Agile, CI/CD & DevOps, Container Security

 

RSA 2018 recap: Detecting vulnerabilities and avoiding snake oil

With RSA 2018 behind us, a recap is in order. For any readers who have never attended the RSA Conference (RSA) in North America, it’s worth setting the stage. For practical purposes, RSA is the premier technology security conference. There are tens of thousands of attendees, well over a dozen conference tracks, and the show floor itself spans two buildings. Exhibitors range from the NSA and FBI (love their dogs, by the way), through service providers like CenturyLink and AT&T, major technology vendors like F5 and Trend Micro, to smaller vendors around the edges of the expo halls.

Posted in Software Architecture and Design

 

Data breaches and more data breaches—oh my!

It’s been quite an interesting few weeks in the land of data breach disclosures. We started with Under Armour disclosing a breach in their MyFitnessPal application that impacted 150 million users. A few days later, Lord & Taylor and Saks Fifth Avenue disclosed a breach impacting millions of their in-store shoppers. Later the same day, we learned that Panera Bread had been leaking private user details for its millions of online users for eight months. Three days later we had yet another breach disclosure from Delta Airlines and Sears Holdings, who were using third-party chat services from [24]7.ai. The [24]7.ai breach then expanded to include Kmart and Best Buy a few days later.

Posted in Data Breach, Security Standards and Compliance

 

Using containers? What’s hidden in your container images?

Do you know what’s in your containers? No, the question has nothing to do with those mystery containers in your fridge. But if you don’t know what’s in those lovely Docker containers which are all the rage, you could be in store for just as rude a surprise as discovering what might be hiding deep in your fridge.

Posted in Container Security

 

Digging deeper into the GitHub security alerts numbers

Within a month of the GitHub security alerts’ launch in November 2017, the security scan turned up over 4 million bugs in over 500,000 repositories. Let’s dig deeper into the GitHub security alerts numbers.

Posted in Open Source Security