Software Integrity Blog

Archive for the 'Software Composition Analysis' Category

The intersection between IAST and SCA and why you need both in your security toolkit

Interactive application security testing (IAST) and software composition analysis (SCA) are powerful technologies—and you need both in your security toolkit.

Posted in Agile, CI/CD & DevOps, Interactive Application Security Testing (IAST), Software Composition Analysis

CVE-2018-11776: The latest Apache Struts vulnerability

About a week ago, a security researcher disclosed a critical remote code execution vulnerability in the Apache Struts web application framework that could allow remote attackers to run malicious code on the affected servers. The vulnerability (CVE-2018-11776) affects all supported versions of Struts 2 and was patched by the Apache Software Foundation on Aug. 22. Users of Struts 2.3 should upgrade to 2.3.35; users of Struts 2.5 need to upgrade to 2.5.17. They should do so as soon as possible, given that bad actors are already working on exploits.

More critical than the Equifax vulnerability

“On the whole, this is more critical than the highly critical Struts RCE vulnerability that the Semmle Security Research Team discovered and announced last September,” Man Yue Mo, the researcher who uncovered the flaw, told the media, referring to CVE-2017-9805. CVE-2017-9805 was announced the same day (September 7, 2017) that Equifax announced the massive data breach via CVE-2017-5638, which led to the lifting of personal details of over 148 million consumers.

Posted in Data Breach, Open Source Security, Software Composition Analysis

Lock the vote, ‘Spamalot’ returns, and SamSam ransomware

Taylor Armerding, Synopsys Software Integrity Group senior strategist, gives you the scoop on application security and insecurity in this week’s Security Mashup. What’s in this week’s Security Mashup, you ask? Lock the vote (election insecurity), “Spamalot” returns for a second act, and SamSam hits a grand slam as a heavy ransomware hitter.

Posted in General, Software Composition Analysis

Everything you need to know about Black Duck Security Advisories

When we released Black Duck 4.4, we announced the creation of our own Black Duck Security Advisories (BDSAs). BDSAs offer a more complete and in-depth view of your vulnerabilities.

Posted in Open Source Security, Software Composition Analysis

Fine-tuning roles, controlling licenses, and matching code snippets in Black Duck 4.5

Any tradesperson, specialist, expert, aficionado, or technologist will tell you that the key to a quality outcome is a set of tools specific to the project and oriented to the goal. The realm of software security and secure DevOps is no exception to this truth, and in Black Duck’s version 4.5 release, we further hone the functions and controls used by development and security teams around the globe to establish the most effective tool for the job: to build secure, high-quality software faster.

Identify open source code fragment reuse (snippet matching)

Let’s start by introducing one of the most-requested enhancements to Black Duck: the ability to find open source code snippets in applications. Snippets are fragments of open source code that compose a larger open source component and that may carry with them license requirements present in their source component.

Posted in Mergers & Acquisitions, Open Source Security, Software Composition Analysis

Customer driven features live in Black Duck 4.4 release

How can you not love customer feedback when it helps you improve your product? At our recent FLIGHT conference, I had the opportunity to speak to a lot of customers, plus detailed discussions with our Customer Advisory Board members. This knowledge helped us build out the latest release of Black Duck with new features that enhance both security and license compliance management.

Posted in Open Source Security, Software Composition Analysis

Migrating to Docker on Black Duck

Before Black Duck began leveraging Docker, customers utilized the App Manager Install Method to deploy it. Black Duck now deploys as a set of containers, so customers need to install Docker to take advantage of updates to the application. By the end of this guide, you’ll have a basic understanding of how to migrate Black Duck to a containerized environment, as well as the benefits of using containers.

Posted in Container Security, Open Source Security, Software Composition Analysis

Open source vulnerabilities: Are you prepared to run the race?

Originally posted on SecurityWeek.

Posted in Data Breach, Open Source Security, Software Composition Analysis

Improving stability, installs, and updates with Docker

We heard our customers loud and clear. Our old AppManager product, on which we ran the Hub, wasn’t working for you. That’s why we replatformed our Black Duck Hub solution on the Docker platform.

Posted in Container Security, Open Source Security, Software Composition Analysis

Devil’s Ivy security vulnerability leaves IoT devices at risk

A vulnerability in a single software component, found in an internet-connected security camera, may leave thousands of different security camera models (and other Internet of Things devices) at risk. But Devil’s Ivy and other such flaws can be avoided with effective software supply chain management.

Posted in Internet of Things, Software Composition Analysis