Software Integrity

Archive for the 'Open Source Security' Category

 

Did an Apache Struts vulnerability trigger the Equifax hack?

In recent days, more details concerning the Equifax breach have come to light. There’s now speculation that attackers exploited a vulnerability in Apache Struts to steal data. There has also been plenty of speculation regarding the exact vulnerability that may have been exploited. The Apache Struts theory The Apache Struts Program Management Committee released a […]

Continue Reading...

Posted in Data Breach, Open Source Security | No Comments »

 

Synopsys finds 3 Linux kernel vulnerabilities

At Synopsys, our R&D teams routinely organize internal hackathons to verify the Synopsys Software Integrity Portfolio’s performance in real-world environments. During one hackthon, focused on open source software, Tuomas Haanpää, from the Synopsys Fuzz Testing (Defensics) R&D group, ran our NFSv3 test suite against the Linux kernel and found several interesting errors. Initial analysis found that anomalized […]

Continue Reading...

Posted in Application Security, Featured, Fuzz Testing, Open Source Security | Comments Off on Synopsys finds 3 Linux kernel vulnerabilities

 

What does the recent NPM malware mean for the future of open source trust?

Co-authored by Amit Sethi and Arthur Hinds Earlier this month, the open source community went into high alert. The problem’s epicenter was the Node Package Manager (NPM) which affected what is currently believed to be 40 packages. Typosquatting Specifically, someone performed a ‘typosquatting’ attack against packages distributed via the NPM. First, the attacker downloaded popular […]

Continue Reading...

Posted in JavaScript Security, Open Source Security | Comments Off on What does the recent NPM malware mean for the future of open source trust?

 

How to use FOSS management systems to manage FOSS components

In modern software development, the importance of using free and open source software (FOSS) components to build software products and systems isn’t debatable. Using FOSS components for commonly available functionalities such as logging (e.g., Log4j), text search (e.g., Apache Lucene), and secure communication (e.g., OpenSSL) has become an important factor to speed product time-to-market (TTM). […]

Continue Reading...

Posted in Open Source Security | Comments Off on How to use FOSS management systems to manage FOSS components

 

Webinar: Do you know what’s in your software?

Much of today’s software is created using third-party code, and why not? After all, it’s quicker and more cost effective than building it from scratch. Using third-party software, however, comes with its own challenges. The recent State of Software Composition Analysis 2017 report explores these challenges. The report is based on the analysis of 128,782 software […]

Continue Reading...

Posted in Open Source Security, Software Composition Analysis | Comments Off on Webinar: Do you know what’s in your software?

 

The pros and cons of adding open source to your software

For years, free and open source software (FOSS) has a had a negative connotation, with some developers forbidden to use it in final software product releases. The obvious downside in avoiding open source is that organizations run the additional risk of introducing avoidable vulnerabilities. For example, an organization with no cryptographic experience should not be […]

Continue Reading...

Posted in Open Source Security, Software Composition Analysis | Comments Off on The pros and cons of adding open source to your software

 

Synopsys report finds old, vulnerable software components still in use

In a new report, Synopsys identifies that 50% of the vulnerabilities found in software today are more than four years old. In almost every case, a newer, more secure version of the vulnerable software component is available. The Synopsys report, The State of Software Composition 2017 uses the Synopsys Software Composition Analysis tool, Protecode SC, […]

Continue Reading...

Posted in Application Security, Open Source Security | Comments Off on Synopsys report finds old, vulnerable software components still in use

 

Fault Injection Podcast .002: What’s in your software?

Fault Injection is a podcast from Synopsys that digs into software quality and security issues. This week, hosts Robert Vamosi, CISSP and Security Strategist at Synopsys, and Chris Clark, Principal Security Engineer at Synopsys, go into detail about a new report: The State of Software Composition 2017. You can always join the discussion by sending us […]

Continue Reading...

Posted in Application Security, Open Source Security, Software Composition Analysis, Vulnerability Assessment | Comments Off on Fault Injection Podcast .002: What’s in your software?

 

NodeJS: Preventing common vulnerabilities in the MEAN stack

Before jumping into the final post within our discussion on vulnerabilities in the MEAN stack, look back at the other four posts within this series discussing MongoDB, ExpressJS (Core), ExpressJS (Sessions and CSRF), and AngularJS. Development mode (NodeJS/ExpressJS) By default, Express applications run in development mode unless the NODE_ENV environmental variable is set to another value. In development mode, Express […]

Continue Reading...

Posted in Open Source Security, Vulnerability Assessment, Web Application Security | Comments Off on NodeJS: Preventing common vulnerabilities in the MEAN stack

 

ExpressJS: Preventing common vulnerabilities in the MEAN stack (Part 2)

Before diving into the latest post within our discussion on vulnerabilities in the MEAN stack, look back at the first two posts discussing MongoDB and ExpressJS (Part 1). Client-side session storage (ExpressJS) With MEAN stack applications, it is fairly common to store the session state client-side in either a JSON Web Token (JWT) or custom cookie object […]

Continue Reading...

Posted in Open Source Security, Web Application Security | Comments Off on ExpressJS: Preventing common vulnerabilities in the MEAN stack (Part 2)