In recent days, more details concerning the Equifax breach have come to light. There’s now speculation that attackers exploited a vulnerability in Apache Struts to steal data. There has also been plenty of speculation regarding the exact vulnerability that may have been exploited. The Apache Struts theory The Apache Struts Program Management Committee released a […]
Posted in Data Breach, Open Source Security | No Comments »
At Synopsys, our R&D teams routinely organize internal hackathons to verify the Synopsys Software Integrity Portfolio’s performance in real-world environments. During one hackthon, focused on open source software, Tuomas Haanpää, from the Synopsys Fuzz Testing (Defensics) R&D group, ran our NFSv3 test suite against the Linux kernel and found several interesting errors. Initial analysis found that anomalized […]
Posted in Application Security, Featured, Fuzz Testing, Open Source Security | Comments Off on Synopsys finds 3 Linux kernel vulnerabilities
Co-authored by Amit Sethi and Arthur Hinds Earlier this month, the open source community went into high alert. The problem’s epicenter was the Node Package Manager (NPM) which affected what is currently believed to be 40 packages. Typosquatting Specifically, someone performed a ‘typosquatting’ attack against packages distributed via the NPM. First, the attacker downloaded popular […]
Posted in JavaScript Security, Open Source Security | Comments Off on What does the recent NPM malware mean for the future of open source trust?
In modern software development, the importance of using free and open source software (FOSS) components to build software products and systems isn’t debatable. Using FOSS components for commonly available functionalities such as logging (e.g., Log4j), text search (e.g., Apache Lucene), and secure communication (e.g., OpenSSL) has become an important factor to speed product time-to-market (TTM). […]
Posted in Open Source Security | Comments Off on How to use FOSS management systems to manage FOSS components
Much of today’s software is created using third-party code, and why not? After all, it’s quicker and more cost effective than building it from scratch. Using third-party software, however, comes with its own challenges. The recent State of Software Composition Analysis 2017 report explores these challenges. The report is based on the analysis of 128,782 software […]
Posted in Open Source Security, Software Composition Analysis | Comments Off on Webinar: Do you know what’s in your software?
For years, free and open source software (FOSS) has a had a negative connotation, with some developers forbidden to use it in final software product releases. The obvious downside in avoiding open source is that organizations run the additional risk of introducing avoidable vulnerabilities. For example, an organization with no cryptographic experience should not be […]
Posted in Open Source Security, Software Composition Analysis | Comments Off on The pros and cons of adding open source to your software
In a new report, Synopsys identifies that 50% of the vulnerabilities found in software today are more than four years old. In almost every case, a newer, more secure version of the vulnerable software component is available. The Synopsys report, The State of Software Composition 2017 uses the Synopsys Software Composition Analysis tool, Protecode SC, […]
Posted in Application Security, Open Source Security | Comments Off on Synopsys report finds old, vulnerable software components still in use
Fault Injection is a podcast from Synopsys that digs into software quality and security issues. This week, hosts Robert Vamosi, CISSP and Security Strategist at Synopsys, and Chris Clark, Principal Security Engineer at Synopsys, go into detail about a new report: The State of Software Composition 2017. You can always join the discussion by sending us […]
Posted in Application Security, Open Source Security, Software Composition Analysis, Vulnerability Assessment | Comments Off on Fault Injection Podcast .002: What’s in your software?
Before jumping into the final post within our discussion on vulnerabilities in the MEAN stack, look back at the other four posts within this series discussing MongoDB, ExpressJS (Core), ExpressJS (Sessions and CSRF), and AngularJS. Development mode (NodeJS/ExpressJS) By default, Express applications run in development mode unless the NODE_ENV environmental variable is set to another value. In development mode, Express […]
Posted in Open Source Security, Vulnerability Assessment, Web Application Security | Comments Off on NodeJS: Preventing common vulnerabilities in the MEAN stack
Before diving into the latest post within our discussion on vulnerabilities in the MEAN stack, look back at the first two posts discussing MongoDB and ExpressJS (Part 1). Client-side session storage (ExpressJS) With MEAN stack applications, it is fairly common to store the session state client-side in either a JSON Web Token (JWT) or custom cookie object […]
Posted in Open Source Security, Web Application Security | Comments Off on ExpressJS: Preventing common vulnerabilities in the MEAN stack (Part 2)