Software Integrity Blog

Archive for the 'Software Composition Analysis' Category


A voracious appetite for open source software worldwide

At Synopsys, we work with the community and organizations to understand what responsible open source usage means. As part of that process, we view our connection to the open source community as a key component to both understanding where the development community is and educating them on how to build better code. Earlier this year, […]

Continue Reading...

Posted in General, Open Source Security, Software Composition Analysis, Webinars | Comments Off on A voracious appetite for open source software worldwide


The pros and cons of adding open source to your software

The State of Software Composition 2017 identified 16,868 unique software components and versions, a majority of which were FOSS packages and libraries. Clearly, open source is here to stay. So what are the pros and cons of using it? For years, free and open source software (FOSS) has had a negative connotation, with some […]

Continue Reading...

Posted in Open Source Security, Software Composition Analysis | Comments Off on The pros and cons of adding open source to your software


Fault Injection Podcast .002: What’s in your software?

Fault Injection is a podcast from Synopsys that digs into software quality and security issues. This week, hosts Robert Vamosi, CISSP and Security Strategist at Synopsys, and Chris Clark, Principal Security Engineer at Synopsys, go into detail about a new report: The State of Software Composition 2017. You can always join the discussion by sending us […]

Continue Reading...

Posted in General, Open Source Security, Software Architecture and Design, Software Composition Analysis | Comments Off on Fault Injection Podcast .002: What’s in your software?


Does software quality equal software security? It depends.

Software quality and security assurance both concern risk to the organization, but they do so for different reasons. Risk might be mission critical such as software on a scientific robot crawling another planet. Or risk might be associated with sensitive financial information. In the first example the integrity of the software is paramount; it is […]

Continue Reading...

Posted in Security Standards and Compliance, Software Architecture and Design, Software Composition Analysis | Comments Off on Does software quality equal software security? It depends.


Is software composition analysis compatible with Agile DevOps?

You can integrate SCA with your DevOps environment if you choose your tools wisely. Last month Forrester Research published their first-ever Wave for Software Composition Analysis (SCA). Waves provide enterprise IT and development teams with Forrester’s assessment of the state of the vendor landscape, grading vendors on their strategy, solution, and market presence. Vendors are […]

Continue Reading...

Posted in Agile, CI/CD & DevOps, Software Composition Analysis | Comments Off on Is software composition analysis compatible with Agile DevOps?


New Apache Struts 2 zero-day vulnerability: What you need to know

At this time, hackers are actively exploiting the critical Apache Struts 2 zero-day vulnerability and are able to take complete control of web servers. Run a scan using software composition analysis to see whether you’re using any version of Struts 2 and whether you need to upgrade now. It has been more than 48 hours […]

Continue Reading...

Posted in Open Source Security, Software Composition Analysis | Comments Off on New Apache Struts 2 zero-day vulnerability: What you need to know
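The advice above is to scan for any copy of Struts 2 and compare it against the fixed release. The script below is an added example of what such a scan has to do; it is not code from the post or from any Synopsys product. It inventories struts2-core JARs under a directory using three signals, because each one alone misses real deployments: the JAR file name (misses renamed JARs), the Maven pom.properties inside the JAR (misses shaded JARs), and the `org/apache/struts2/` class-path prefix inside the JAR (catches shaded or repackaged copies but carries no version). The fixed-version table is an assumed placeholder to be replaced with the values from the Apache Struts advisory you are responding to, and the sample JARs are constructed in a temporary directory so the script runs offline.

```python
"""Added example, not code from the Synopsys post: a minimal SCA-style scan
that answers "is any version of Struts 2 deployed here, and is it below the
fixed release?". It combines file name, Maven metadata and class-path
evidence. Sample JARs are constructed in a temp directory (runs offline)."""
import os
import re
import tempfile
import zipfile

# ASSUMPTION: minimum fixed release per branch. Placeholder values; take the
# real ones from the Apache Struts security advisory you are responding to.
FIXED_VERSIONS = {"2.3": "2.3.32", "2.5": "2.5.10.1"}

JAR_NAME_RE = re.compile(r"^struts2-core-(?P<ver>[\d.]+)\.jar$")
POM_PROPS = "META-INF/maven/org.apache.struts/struts2-core/pom.properties"
CLASS_PREFIX = "org/apache/struts2/"


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); stops at the first non-numeric piece."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def assess(version):
    """'vulnerable', 'fixed', or 'unknown' (no version, or unlisted branch)."""
    if version is None:
        return "unknown"
    v = parse_version(version)
    for branch, fixed in FIXED_VERSIONS.items():
        if v[:2] == parse_version(branch):
            return "fixed" if v >= parse_version(fixed) else "vulnerable"
    return "unknown"


def identify_jar(path):
    """Return (version-or-None, evidence list) if the JAR is struts2-core, else None."""
    version, evidence = None, []
    m = JAR_NAME_RE.match(os.path.basename(path))
    if m:
        version, evidence = m.group("ver"), ["filename"]
    try:
        with zipfile.ZipFile(path) as zf:
            names = zf.namelist()
            if POM_PROPS in names:
                props = dict(line.split("=", 1) for line in
                             zf.read(POM_PROPS).decode("utf-8", "replace").splitlines()
                             if "=" in line and not line.startswith("#"))
                version = props.get("version", version)  # metadata beats file name
                evidence.append("pom.properties")
            if any(n.startswith(CLASS_PREFIX) for n in names):
                evidence.append("class-path")  # survives renaming and shading
    except zipfile.BadZipFile:
        pass
    return (version, evidence) if evidence else None


def scan(root):
    """Walk a tree and return one finding per struts2-core JAR."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.endswith(".jar"):
                path = os.path.join(dirpath, fn)
                hit = identify_jar(path)
                if hit:
                    findings.append({"path": path, "version": hit[0],
                                     "evidence": hit[1], "status": assess(hit[0])})
    return findings


def build_sample_tree(root):
    """Constructed sample: four JARs covering the cases the scanner must handle."""
    def make_jar(relpath, entries):
        path = os.path.join(root, relpath)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            for name, data in entries.items():
                zf.writestr(name, data)
    make_jar("app1/WEB-INF/lib/struts2-core-2.3.31.jar",  # normal name + metadata
             {POM_PROPS: "version=2.3.31\n", CLASS_PREFIX + "dispatcher/Dispatcher.class": b""})
    make_jar("app2/WEB-INF/lib/webfw.jar",                # renamed: metadata gives it away
             {POM_PROPS: "version=2.5.10.1\n", CLASS_PREFIX + "ServletActionContext.class": b""})
    make_jar("app3/WEB-INF/lib/all-in-one.jar",           # shaded: only classes remain
             {CLASS_PREFIX + "StrutsConstants.class": b""})
    make_jar("app1/WEB-INF/lib/commons-io-2.5.jar",       # unrelated library
             {"org/apache/commons/io/IOUtils.class": b""})


def run_demo():
    """Build the sample tree, scan it, and return findings keyed by JAR file name."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {os.path.basename(f["path"]): f for f in scan(root)}


if __name__ == "__main__":
    for name, f in sorted(run_demo().items()):
        print(f"{f['status']:<10} {f['version'] or '?':<9} {name}  via {', '.join(f['evidence'])}")
```

The shaded JAR comes back as "unknown" rather than "fixed": a copy with no recoverable version is still a finding to chase, not a clean result. A production SCA tool goes further than this script by fingerprinting file hashes and class signatures and by reading build manifests (pom.xml, build.gradle) to find transitive dependencies that are not yet on disk.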


Spotlight on open source AppDev preeminence driving change

For the last six months, Forrester Research has been gathering and analyzing comparative information on technology vendors — including Black Duck — that provide Software Composition Analysis, an increasingly important job in helping organizations secure their software applications.

Continue Reading...

Posted in Open Source Security, Software Composition Analysis | Comments Off on Spotlight on open source AppDev preeminence driving change


Bug elimination: Code scanning, fuzzing, and composition analysis

When it comes to software vulnerabilities, Dr. Jared DeMott knows his stuff. Formerly a vulnerability analyst with the National Security Agency (NSA), Dr. DeMott holds a Ph.D. from Michigan State University. He has been on three winning DEF CON capture-the-flag (CTF) teams and talks about his vulnerability research at conferences like DerbyCon, Black Hat, ToorCon, […]

Continue Reading...

Posted in Fuzz Testing, Software Composition Analysis, Static Analysis (SAST), Web Application Security | Comments Off on Bug elimination: Code scanning, fuzzing, and composition analysis


Internet of Things (IoT): Rethinking the threat model

On February 4, 2017, a Saturday night, a high-school student in the U.K. realized he wasn’t going to university to study computer science, so he wrote a short program in C, and within a few hours had 150,000 internet-connected printers across the world spitting out ASCII art and messages. All this was harmless although the […]

Continue Reading...

Posted in Internet of Things, Software Architecture and Design, Software Composition Analysis | Comments Off on Internet of Things (IoT): Rethinking the threat model


Ticketbleed: The next black swan

Last week a researcher disclosed a software vulnerability in a feature of the TLS/SSL stack that allowed a remote attacker to extract sensitive information. Sound familiar? In 2014, the Heartbleed vulnerability in the OpenSSL implementation of the TLS heartbeat extension affected some 600,000 websites worldwide and risked exposing passwords and private keys. Ticketbleed, […]

Continue Reading...

Posted in Fuzz Testing, Software Composition Analysis | Comments Off on Ticketbleed: The next black swan