Interactive application security testing (IAST) and software composition analysis (SCA) are powerful technologies, and you need both in your security toolkit.
The intersection between IAST and SCA and why you need both in your security toolkit (posted in Agile, CI/CD & DevOps, Interactive Application Security Testing (IAST), Software Composition Analysis)
About a week ago, a security researcher disclosed a critical remote code execution vulnerability in the Apache Struts web application framework that could allow remote attackers to run malicious code on the affected servers. The vulnerability (CVE-2018-11776) affects all supported versions of Struts 2 and was patched by the Apache Software Foundation on Aug. 22. Users of Struts 2.3 should upgrade to 2.3.35; users of Struts 2.5 need to upgrade to 2.5.17. They should do so as soon as possible, given that bad actors are already working on exploits.
More critical than the Equifax vulnerability
“On the whole, this is more critical than the highly critical Struts RCE vulnerability that the Semmle Security Research Team discovered and announced last September,” Man Yue Mo, the researcher who uncovered the flaw, told the media, referring to CVE-2017-9805. CVE-2017-9805 was announced the same day (September 7, 2017) that Equifax announced the massive data breach via CVE-2017-5638, which led to the theft of personal details of over 148 million consumers.
CVE-2018-11776: The latest Apache Struts vulnerability (posted in Data Breach, Open Source Security, Software Composition Analysis)
Taylor Armerding, Synopsys Software Integrity Group senior strategist, gives you the scoop on application security and insecurity in this week’s Security Mashup.
What’s in this week’s Security Mashup, you ask?
Lock the vote (election insecurity), “Spamalot” returns for a second act, and SamSam hits a grand slam as a heavy ransomware hitter.
Lock the vote, ‘Spamalot’ returns, and SamSam ransomware (posted in General, Software Composition Analysis)
When we released Black Duck 4.4, we announced the creation of our own Black Duck Security Advisories (BDSAs). BDSAs offer a more complete and in-depth view of your vulnerabilities.
Everything you need to know about Black Duck Security Advisories (posted in Open Source Security, Software Composition Analysis)
Any tradesperson, specialist, expert, aficionado, or technologist will tell you that the key to a quality outcome is a set of tools specific to the project and oriented to the goal. The realm of software security and secure DevOps is no exception to this truth, and in Black Duck’s version 4.5 release, we further hone the functions and controls used by development and security teams around the globe to establish the most effective tool for the job: to build secure, high-quality software faster.
Identify open source code fragment reuse (snippet matching)
Let’s start by introducing one of the most-requested enhancements to Black Duck: the ability to find open source code snippets in applications. Snippets are fragments of open source code taken from a larger open source component, and they may carry with them the license requirements of that source component.
Fine-tuning roles, controlling licenses, and matching code snippets in Black Duck 4.5 (posted in Mergers & Acquisitions, Open Source Security, Software Composition Analysis)
How can you not love customer feedback when it helps you improve your product? At our recent FLIGHT conference, I had the opportunity to speak to a lot of customers and to have detailed discussions with our Customer Advisory Board members. This knowledge helped us build out the latest release of Black Duck with new features that enhance both security and license compliance management.
Customer driven features live in Black Duck 4.4 release (posted in Open Source Security, Software Composition Analysis)
Before Black Duck began leveraging Docker, customers utilized the App Manager Install Method to deploy it. Black Duck now deploys as a set of containers, so customers need to install Docker to take advantage of updates to the application. By the end of this guide, you’ll have a basic understanding of how to migrate Black Duck to a containerized environment, as well as the benefits of using containers.
Migrating to Docker on Black Duck (posted in Container Security, Open Source Security, Software Composition Analysis)
Originally posted on SecurityWeek.
Open source vulnerabilities: Are you prepared to run the race? (posted in Data Breach, Open Source Security, Software Composition Analysis)
We heard our customers loud and clear. The old AppManager product on which we ran the Hub wasn’t working for you. That’s why we replatformed our Black Duck Hub solution on Docker.
Improving stability, installs, and updates with Docker (posted in Container Security, Open Source Security, Software Composition Analysis)
A vulnerability in a single software component, found in an internet-connected security camera, may leave thousands of different security camera models (and other Internet of Things devices) at risk. But Devil’s Ivy and other such flaws can be avoided with effective software supply chain management.
Devil’s Ivy security vulnerability leaves IoT devices at risk (posted in Internet of Things, Software Composition Analysis)