Software Integrity

Archive for the 'Open Source Security' Category

 

Synopsys strengthens Software Integrity Platform with Black Duck acquisition

Today, Synopsys announced that it has signed a definitive agreement to acquire Black Duck Software, a well-respected, established leader in Software Composition Analysis (SCA), which helps organizations identify open source components in their software and check those components for known security vulnerabilities. The two companies are strategically aligned, with a shared vision of building security […]

Posted in Application Security, Featured, Open Source Security

Examining open source security and the road ahead in the 2017 Coverity Scan Report

Coverity Scan’s impact on open source software (OSS) is both extensive and largely unacknowledged. Since its inception, Scan has enabled developers to fix over 600,000 defects across some of the most important projects in open source. As part of that effort, it has also helped improve the maturity of the software development practices of active […]

Posted in Application Security, Open Source Security, Static Analysis (SAST)

Eliminate cyber supply chain security vulnerabilities at the point of introduction

Nordic IT Security is the key meeting place for the brave new world of IT security. On November 7, 2017, at the upcoming premier security conference, Synopsys’ Michael White presents an actionable and inspiring talk on how to enhance security measures throughout the software development life cycle (SDLC). What to expect at the Nordic IT […]

Posted in Application Security, Open Source Security

Did an Apache Struts vulnerability trigger the Equifax hack?

In recent days, more details concerning the Equifax breach have come to light. There’s now speculation that attackers exploited a vulnerability in Apache Struts to steal data. There has also been plenty of speculation regarding the exact vulnerability that may have been exploited. The Apache Struts theory The Apache Struts Program Management Committee released a […]

Posted in Data Breach, Open Source Security

Synopsys finds 3 Linux kernel vulnerabilities

At Synopsys, our R&D teams routinely organize internal hackathons to verify the Synopsys Software Integrity Portfolio’s performance in real-world environments. During one hackathon, focused on open source software, Tuomas Haanpää, from the Synopsys Fuzz Testing (Defensics) R&D group, ran our NFSv3 test suite against the Linux kernel and found several interesting errors. Initial analysis found that anomalized […]

Posted in Application Security, Fuzz Testing, Open Source Security

What does the recent NPM malware mean for the future of open source trust?

Co-authored by Amit Sethi and Arthur Hinds Earlier this month, the open source community went into high alert. The problem’s epicenter was the Node Package Manager (NPM), where what is currently believed to be 40 packages were affected. Typosquatting Specifically, someone performed a ‘typosquatting’ attack against packages distributed via the NPM. First, the attacker downloaded popular […]
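A typosquatting attack works because a developer who mistypes a package name still gets a package, just not the one they meant. The check below is an added example, not code from the original post or from npm: it reads the dependencies out of a package.json object and flags any name that sits within a small edit distance of a well-known package, or that matches one once hyphens, underscores and dots are stripped. The list of popular names and the sample manifest are constructed for the example; a real deployment would load the top registry names or an internal curated list.

```javascript
// Added example (not code from the original post): flag dependencies whose
// names closely resemble well-known npm package names, the pattern a
// typosquatting attack relies on. Runs offline on an inline package.json object.

// Constructed allow-list of well-known package names (assumption for the
// example); a real check would load the top-N registry names or a curated list.
const POPULAR_PACKAGES = [
  'express', 'cross-env', 'lodash', 'babel-cli', 'mocha',
  'left-pad', 'request', 'react', 'chalk', 'debug',
];

// Two-row Levenshtein edit distance (insert, delete, substitute).
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Separator squatting ("crossenv" for "cross-env") is caught explicitly by
// comparing a normalized form, independent of the edit-distance threshold.
function normalize(name) {
  return name.toLowerCase().replace(/^@[^/]+\//, '').replace(/[-_.]/g, '');
}

// Returns one finding per suspicious dependency: the dependency name, the
// popular package it resembles, the edit distance, and why it was flagged.
// Exact matches against the popular list are the genuine package and are skipped.
function findTyposquats(pkg, popular = POPULAR_PACKAGES, maxDistance = 2) {
  const deps = Object.keys({ ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) });
  const findings = [];
  for (const name of deps) {
    if (popular.includes(name)) continue;
    let best = null;
    for (const candidate of popular) {
      const sameNormalized = normalize(name) === normalize(candidate);
      const distance = levenshtein(name, candidate);
      if (!sameNormalized && distance > maxDistance) continue;
      if (best === null || distance < best.distance) {
        best = {
          name,
          lookalike: candidate,
          distance,
          reason: sameNormalized ? 'separator-stripped name matches' : 'within edit distance',
        };
      }
    }
    if (best) findings.push(best);
  }
  return findings.sort((x, y) => x.name.localeCompare(y.name));
}

// Constructed sample manifest (not a real project): three genuine popular
// packages and three look-alikes of the kind the post describes.
const samplePackageJson = {
  dependencies: { express: '^4.15.0', crossenv: '^5.0.0', lodahs: '^4.17.4', 'left-pad': '^1.1.3' },
  devDependencies: { mocha: '^3.5.0', babelcli: '^6.24.0' },
};

for (const f of findTyposquats(samplePackageJson)) {
  console.log(`${f.name} -> looks like ${f.lookalike} (distance ${f.distance}; ${f.reason})`);
}
```

The edit-distance threshold is the tuning knob: a distance of 2 catches transpositions such as lodahs for lodash but produces false positives among short names, so in practice scale it with name length or require a manual review rather than a hard block. Run this in CI against the lockfile as well as package.json, since transitive dependencies are where a squatted name is least likely to be noticed.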

Posted in JavaScript Security, Open Source Security

How to use FOSS management systems to manage FOSS components

In modern software development, the importance of using free and open source software (FOSS) components to build software products and systems isn’t debatable. Using FOSS components for commonly available functionalities such as logging (e.g., Log4j), text search (e.g., Apache Lucene), and secure communication (e.g., OpenSSL) has become an important factor to speed product time-to-market (TTM). […]

Posted in Open Source Security

Webinar: Do you know what’s in your software?

Much of today’s software is created using third-party code, and why not? After all, it’s quicker and more cost effective than building it from scratch. Using third-party software, however, comes with its own challenges. The recent State of Software Composition Analysis 2017 report explores these challenges. The report is based on the analysis of 128,782 software […]

Posted in Open Source Security, Software Composition Analysis

The pros and cons of adding open source to your software

For years, free and open source software (FOSS) has had a negative connotation, with some developers forbidden to use it in final software product releases. The obvious downside in avoiding open source is that organizations run the additional risk of introducing avoidable vulnerabilities. For example, an organization with no cryptographic experience should not be […]

Posted in Open Source Security, Software Composition Analysis

Synopsys report finds old, vulnerable software components still in use

In a new report, Synopsys identifies that 50% of the vulnerabilities found in software today are more than four years old. In almost every case, a newer, more secure version of the vulnerable software component is available. The Synopsys report, The State of Software Composition 2017 uses the Synopsys Software Composition Analysis tool, Protecode SC, […]

Posted in Application Security, Open Source Security