The event-stream incident (the compromised npm package) shows just how easily attackers can infiltrate the open source software supply chain by adding a malicious dependency to a trusted component.
Many contracts contain language saying that if the licensee breaches/violates the license, the licensee will have an opportunity to cure that breach. But the GPLv2 provides no right to cure. Many contracts, either in their boilerplate form or as part of the negotiated give and take, contain some language that says that if the licensee […]
Most software today contains open source. That’s why you need software composition analysis. See open source security presentations from FLIGHT East 2018.
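One concrete check that software composition analysis tooling performs, and that a practitioner can reproduce by hand, is diffing the resolved dependency tree between two releases to surface any dependency that appeared or changed version. The example below is added here and is not code from the page or from Synopsys; it flattens two package-lock.json style snapshots and reports the differences. The lockfile contents are constructed for illustration (the versions shown for event-stream and flatmap-stream follow the publicly documented incident, the `resolved`/`integrity` fields are omitted), and the function names are this example's own.

```python
"""Added example: find dependencies that newly appear, or change version,
between two npm lockfile snapshots. Keys are the nesting path of each
package, so the same name at two depths is tracked separately."""
import json

# Constructed lockfile snapshots (package-lock v1 layout: nested "dependencies").
# Before: event-stream 3.3.4 depends only on "through".
OLD_LOCK = json.loads("""{
  "name": "example-app", "lockfileVersion": 1,
  "dependencies": {
    "event-stream": {
      "version": "3.3.4",
      "dependencies": { "through": { "version": "2.3.8" } }
    }
  }
}""")

# After: event-stream 3.3.6 pulls in a new transitive dependency, flatmap-stream.
NEW_LOCK = json.loads("""{
  "name": "example-app", "lockfileVersion": 1,
  "dependencies": {
    "event-stream": {
      "version": "3.3.6",
      "dependencies": {
        "through": { "version": "2.3.8" },
        "flatmap-stream": { "version": "0.1.1" }
      }
    }
  }
}""")


def flatten_lock(lock):
    """Return {path_tuple: version} for every package in the tree.

    path_tuple is the chain of parents plus the package itself, e.g.
    ("event-stream", "flatmap-stream").
    """
    out = {}

    def walk(deps, prefix):
        for name, info in deps.items():
            path = prefix + (name,)
            out[path] = info["version"]
            walk(info.get("dependencies", {}), path)

    walk(lock.get("dependencies", {}), ())
    return out


def new_dependencies(old_lock, new_lock):
    """Return (added, changed).

    added:   {path: version} for packages present only in new_lock
    changed: {path: (old_version, new_version)} for packages whose version moved
    """
    old = flatten_lock(old_lock)
    new = flatten_lock(new_lock)
    added = {p: v for p, v in new.items() if p not in old}
    changed = {p: (old[p], new[p]) for p in old if p in new and old[p] != new[p]}
    return added, changed


def report(old_lock, new_lock):
    """Human-readable lines, one per finding, for a CI log or review comment."""
    added, changed = new_dependencies(old_lock, new_lock)
    lines = []
    for path, ver in sorted(added.items()):
        lines.append("NEW  %s@%s" % (">".join(path), ver))
    for path, (a, b) in sorted(changed.items()):
        lines.append("BUMP %s %s -> %s" % (">".join(path), a, b))
    return lines


if __name__ == "__main__":
    for line in report(OLD_LOCK, NEW_LOCK):
        print(line)
```

Run this as part of a pull-request check: a NEW line for a package nobody on the team added directly is exactly the signal the event-stream incident lacked, and it is cheap to gate on (fail the build, or require a reviewer to acknowledge the new package) before the lockfile change merges.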
In our Nov. 14 Black Duck Legal Certification Course with Hal Hearst and Phil Odence (Synopsys), you’ll learn about software due diligence and how to answer your clients’ open source questions.
In our on-demand webinar with Bryan Cross (GitHub) and Dave Meurer (Synopsys), you’ll learn how to use integrated application security tools to secure containers at every layer.
Most companies involved with technology M&A understand the importance of open source risks in software. Today’s software contains significant amounts of open source, on average more than 50%, according to a 2018 Synopsys study. Consequently, it has become the norm for acquirers to raise open source questions as part of technical and legal due diligence. […]
In our on-demand webinar with Mark Radcliffe (DLA Piper and OSI) and Tony Decicco (GTC), you’ll learn about using and releasing open source safely, and what it means for tech due diligence.
In August I wrote about a new Apache Struts vulnerability that affected Struts 2.3 and Struts 2.5. Apache Struts, an open source framework for developing web applications, is widely used by enterprises worldwide, including (at least at one point in time) the Equifax credit reporting agency. When Equifax did not identify and patch a vulnerable version of […]
Taylor Armerding, Synopsys Software Integrity Group senior strategist, gives you the scoop on application security and insecurity in this week’s Security Mashup. What’s in this week’s Security Mashup, you ask? It’s open season on enterprise open source, the Infinite Campus DDoS attack takes the company to its limits, and a Mojave zero-day vulnerability makes that […]
I have blogged before about the pervasiveness of open source in applications today. Synopsys and other organizations have been tracking its growth for years, particularly as it relates to the amount of open source code we find in the applications we scan. Our Black Duck On-Demand Audit team scans thousands of applications every year, mostly […]