We’re shifting the Black Duck Hub to a Docker-based architecture, so we created this quick video to give you an overview of some key questions we’ve heard from our customers about this change.
At Synopsys, we work with the community and organizations to understand what responsible open source usage means. As part of that process, we view our connection to the open source community as a key component to both understanding where the development community is and educating them on how to build better code. Earlier this year, the Synopsys Center for Open Source Research and Innovation (COSRI) released the Open Source Software Risk Analysis Report (OSSRA), which distilled data from over 1000 customer audits performed by the Black Duck by Synopsys On-Demand Audit team. Building on these results, we’re releasing the results of our Open Source 360° survey.
The State of Software Composition 2017 identified 16,868 unique software components and versions, a majority of which were FOSS packages and libraries. Clearly, open source is here to stay. So what are the pros and cons of using it?
Fault Injection is a podcast from Synopsys that digs into software quality and security issues. This week, hosts Robert Vamosi, CISSP and Security Strategist at Synopsys, and Chris Clark, Principal Security Engineer at Synopsys, go into detail about a new report: The State of Software Composition 2017.
Software quality and security assurance both concern risk to the organization, but they do so for different reasons. Risk might be mission critical, such as software on a scientific robot crawling another planet. Or risk might be associated with sensitive financial information. In the first example the integrity of the software is paramount; it is hard to fix something on another planet. In the latter example both quality and security are important, with security perhaps paramount.
At this time, hackers are actively exploiting the critical Apache Struts 2 zero-day vulnerability and are able to take complete control of web servers. Run a scan using software composition analysis to see whether you’re using any version of Struts 2 and whether you need to upgrade now.
When it comes to software vulnerabilities, Dr. Jared DeMott knows his stuff. Formerly a vulnerability analyst with the National Security Agency (NSA), Dr. DeMott holds a Ph.D. from Michigan State University. He has been on three winning DEF CON capture-the-flag (CTF) teams and talks about his vulnerability research at conferences like DerbyCon, Black Hat, ToorCon, GrrCON, and HITB. He is currently the co-founder of VDA Labs.
Last week a researcher disclosed a software vulnerability in a feature of the TLS/SSL stack that allowed a remote attacker to extract sensitive information. Sound familiar? In 2014, the Heartbleed vulnerability in the OpenSSL implementation of the heartbeat function in SSL affected some 600,000 websites worldwide and risked exposing passwords and private keys. Ticketbleed, announced last Wednesday, has some similarity, but, at the end of the day, is no Heartbleed.
Philips has named Mike Ahmadi, global director of critical systems security for Synopsys Software Integrity Group, to its Responsible Disclosure Hall of Honors.