Software Integrity Blog

Archive for the 'Software Composition Analysis' Category


Customer questions: What is Docker anyway?

We’re shifting the Black Duck Hub to a Docker-based architecture, so we created this quick video to give you an overview of some key questions we’ve heard from our customers about this change.


Posted in Container Security, Open Source Security, Software Composition Analysis


A voracious appetite for open source software worldwide

At Synopsys, we work with the community and organizations to understand what responsible open source usage means. As part of that process, we view our connection to the open source community as key to both understanding where the development community is and educating it on how to build better code. Earlier this year, the Synopsys Center for Open Source Research and Innovation (COSRI) released the Open Source Software Risk Analysis Report (OSSRA), which distilled data from over 1,000 customer audits performed by the Black Duck by Synopsys On-Demand Audit team. Building on those results, we're releasing the results of our Open Source 360° survey.


Posted in General, Open Source Security, Software Composition Analysis, Webinars


The pros and cons of adding open source to your software

The State of Software Composition 2017 identified 16,868 unique software components and versions, a majority of which were FOSS packages and libraries. Clearly, open source is here to stay. So what are the pros and cons of using it?


Posted in Open Source Security, Software Composition Analysis


Fault Injection Podcast .002: What’s in your software?

Fault Injection is a podcast from Synopsys that digs into software quality and security issues. This week, hosts Robert Vamosi, CISSP and Security Strategist at Synopsys, and Chris Clark, Principal Security Engineer at Synopsys, go into detail about a new report: The State of Software Composition 2017.


Posted in General, Open Source Security, Software Architecture and Design, Software Composition Analysis


Does software quality equal software security? It depends.

Software quality and security assurance both concern risk to the organization, but they do so for different reasons. The risk might be mission critical, such as software on a scientific robot crawling another planet. Or the risk might be associated with sensitive financial information. In the first example, the integrity of the software is paramount; it is hard to fix something on another planet. In the latter example, both quality and security are important, with security perhaps paramount.


Posted in Security Standards and Compliance, Software Architecture and Design, Software Composition Analysis


Is software composition analysis compatible with Agile DevOps?

 


Posted in Agile, CI/CD & DevOps, Software Composition Analysis


New Apache Struts 2 zero-day vulnerability: What you need to know

At this time, attackers are actively exploiting the critical Apache Struts 2 zero-day vulnerability and are able to take complete control of affected web servers. Run a scan using software composition analysis to see whether you're using any version of Struts 2 and, if so, whether you need to upgrade now.
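The check the post recommends, as an added example that is not code from the post or from Black Duck: a minimal software composition pass over a Maven pom.xml that lists every declared Struts 2 artifact, expands `${property}` version placeholders, compares versions numerically (so 2.3.9 sorts below 2.3.20) and flags anything below a caller-supplied minimum safe version. The pom is constructed sample input and the threshold passed in at the bottom is a placeholder assumption; substitute the fixed version named in the vendor advisory. A real SCA run also resolves transitive dependencies and fingerprints the JARs actually shipped, which this direct-dependency walk does not do.

```python
"""Added example (not from the original post): walk a Maven pom.xml for
Apache Struts 2 artifacts and flag versions below a minimum safe version.
SAMPLE_POM is constructed input; the safe-version threshold is a placeholder."""
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml; versions here are illustrative only.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <struts.version>2.3.20</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-rest-plugin</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-convention-plugin</artifactId>
      <version>2.5.10.1</version>
    </dependency>
    <dependency>
      <groupId>commons-io</groupId>
      <artifactId>commons-io</artifactId>
      <version>2.5</version>
    </dependency>
  </dependencies>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(text):
    """Turn '2.5.10.1' into (2, 5, 10, 1) so versions compare numerically,
    not as strings ('2.3.9' must sort below '2.3.20')."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def resolve_property(value, props):
    """Expand ${name} placeholders from the pom's <properties> block;
    unknown names are left as-is so they show up in the report."""
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: props.get(m.group(1), m.group(0)), value)


def find_struts2(pom_xml):
    """Return (artifactId, resolved version) for every org.apache.struts
    struts2-* dependency declared directly in the pom."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    found = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        group = dep.findtext("m:groupId", default="", namespaces=NS).strip()
        artifact = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        version = dep.findtext("m:version", default="", namespaces=NS).strip()
        if group == "org.apache.struts" and artifact.startswith("struts2-"):
            found.append((artifact, resolve_property(version, props)))
    return found


def needs_upgrade(pom_xml, min_safe_version):
    """Flag Struts 2 artifacts whose version is below min_safe_version.
    The threshold is supplied by the caller (assumption: taken from the
    advisory for the vulnerability being checked)."""
    safe = parse_version(min_safe_version)
    return [(a, v) for a, v in find_struts2(pom_xml) if parse_version(v) < safe]


if __name__ == "__main__":
    # Placeholder threshold; replace with the fixed version from the advisory.
    for artifact, version in needs_upgrade(SAMPLE_POM, "2.5.10.1"):
        print(f"UPGRADE {artifact} {version}")
```

On the sample pom this reports struts2-core and struts2-rest-plugin (both resolved to 2.3.20 through the property) and leaves the 2.5.10.1 convention plugin alone. The property expansion matters in practice: a grep for a literal version string misses every artifact whose version lives in `<properties>` or a parent pom.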


Posted in Open Source Security, Software Composition Analysis


Bug elimination: Code scanning, fuzzing, and composition analysis

When it comes to software vulnerabilities, Dr. Jared DeMott knows his stuff. Formerly a vulnerability analyst with the National Security Agency (NSA), Dr. DeMott holds a Ph.D. from Michigan State University. He has been on three winning DEF CON capture-the-flag (CTF) teams and talks about his vulnerability research at conferences like DerbyCon, Black Hat, ToorCon, GrrCON, and HITB. He is currently the co-founder of VDA Labs.


Posted in Fuzz Testing, Software Composition Analysis, Static Analysis (SAST), Web Application Security


Ticketbleed: The next black swan

Last week a researcher disclosed a software vulnerability in the TLS session ticket handling of a TLS/SSL stack that allowed a remote attacker to extract sensitive information from server memory. Sound familiar? In 2014, the Heartbleed vulnerability in the OpenSSL implementation of the TLS heartbeat extension affected some 600,000 websites worldwide and risked exposing passwords, session data, and even servers' private keys. Ticketbleed, announced last Wednesday, has some similarity, but, at the end of the day, is no Heartbleed.


Posted in Fuzz Testing, Software Composition Analysis


Philips honors Synopsys researcher with responsible disclosure award

Philips has named Mike Ahmadi, global director of critical systems security for Synopsys Software Integrity Group, to its Responsible Disclosure Hall of Honors.


Posted in Medical Device Security, Software Composition Analysis