Software Integrity

Archive for the 'Open Source Security' Category

NPM dependencies, supply chain attacks, and Bitcoin wallets

The EventStream incident shows just how easily attackers can infiltrate the open source software supply chain by adding a malicious dependency to a trusted component.

Posted in Featured, Open Source Security, Software Composition Analysis

GPLv2 and the right to cure

Many contracts contain language saying that if the licensee breaches/violates the license, the licensee will have an opportunity to cure that breach. But the GPLv2 provides no right to cure. Many contracts, either in their boilerplate form or as part of the negotiated give and take, contain some language that says that if the licensee […]

Posted in Legal, Open Source Security

Black Duck by Synopsys FLIGHT East 2018 presentations

Most software today contains open source. That’s why you need software composition analysis. See open source security presentations from FLIGHT East 2018.

Posted in Events, Open Source Security

Webinar: Black Duck Legal Certification Course

In our Nov. 14 Black Duck Legal Certification Course with Hal Hearst and Phil Odence (Synopsys), you’ll learn about software due diligence and how to answer your clients’ open source questions.

Posted in General, Legal, Open Source Security, Webinars

Webinar: Secure your containers with GitHub and Synopsys

In our on-demand webinar with Bryan Cross (GitHub) and Dave Meurer (Synopsys), you’ll learn how to use integrated application security tools to secure containers at every layer.

Posted in Container Security, Open Source Security, Webinars

Why you need to perform open source due diligence in an M&A transaction

Most companies involved with technology M&A understand the importance of open source risks in software. Today’s software contains significant amounts of open source, on average more than 50%, according to a 2018 Synopsys study. Consequently, it has become the norm for acquirers to raise open source questions as part of technical and legal due diligence. […]

Posted in Legal, Open Source Security

Webinar: Effective policies for managing and releasing open source software

In our on-demand webinar with Mark Radcliffe (DLA Piper and OSI) and Tony Decicco (GTC), you’ll learn about using and releasing open source safely, and what it means for tech due diligence.

Posted in Legal, Open Source Security, Webinars

CVE-2018-11776 and why you need Black Duck Security Advisories

In August I wrote about a new Apache Struts vulnerability that affected Struts 2.3 and Struts 2.5. Apache Struts, an open source framework for developing web applications, is widely used by enterprises worldwide, including (at least at one point in time) the Equifax credit reporting agency. When Equifax did not identify and patch a vulnerable version of […]

Posted in Open Source Security

Open season on open source, Infinite Campus limited by DDoS, and Mojave’s a bad apple

Taylor Armerding, Synopsys Software Integrity Group senior strategist, gives you the scoop on application security and insecurity in this week’s Security Mashup. What’s in this week’s Security Mashup, you ask? It’s open season on enterprise open source, the Infinite Campus DDoS attack takes the company to its limits, and a Mojave zero-day vulnerability makes that […]

Posted in Open Source Security, Weekly Security Mashup

Open source security risk: Managing the threat in mergers and acquisitions

I have blogged before about the pervasiveness of open source in applications today. Synopsys and other organizations have been tracking its growth for years, particularly as it relates to the amount of open source code we find in the applications we scan. Our Black Duck On-Demand Audit team scans thousands of applications every year, mostly […]

Posted in Open Source Security, Software Composition Analysis