
The Synopsys Cybersecurity Research Center (CyRC): Advancing the state of software security

The Synopsys Software Integrity Group is pleased to announce the public launch of CyRC (Cybersecurity Research Center).

Introducing the Cybersecurity Research Center (CyRC)

Our mission is simple—to advance the state of software security through research, innovation, and evangelism. More specifically, we strive to provide resources and information around the identification, severity, exploitation, mitigation, and defense against software vulnerabilities. CyRC leverages Synopsys’ expertise, technology, initiatives, and resources to conduct high-quality primary and secondary software security research and publishes its findings for the benefit of the broader security, developer, and DevSecOps communities.

You may have already come across some of the initiatives that are aligned under the CyRC charter. Here are a few we’re excited to share:

Market trend reports

Our analysts tap into the vast pool of anonymized data produced by Synopsys tools and services to identify and explain meaningful trends and provide insights that help readers prioritize their software security efforts. The findings from this analysis are published in CyRC market trend reports such as the annual Open Source Security and Risk Analysis (OSSRA) report.

Open source risk research

The CyRC Belfast team works to identify, research, and augment open source vulnerabilities.

Our Black Duck Security Research (BDSR) team in Belfast is charged with the identification, research, and augmentation of vulnerabilities reported in open source software—independent of their reporting state within the National Vulnerability Database (NVD). This research manifests as a data feed containing enhanced vulnerability information and is provided to our Black Duck customers in the form of Black Duck Security Advisories (BDSA). Where an NVD entry exists, our in-depth analysis results in clarifications, additions, and corrections to entries published by the NVD, with the core analysis often preceding the NVD entry. Read about how the BDSR team uncovered 23 additional versions of Apache Struts that are vulnerable to CVE-2018-11776.

Vulnerability research

Synopsys security engineers are continuously improving our identification technologies to detect more software weaknesses with higher precision. Similarly, our team of 650+ security consultants and analysts are constantly honing their craft and exploring new ways to break software. In the process, we often discover previously unknown vulnerabilities. CyRC secures the community by working with the appropriate stakeholders to responsibly disclose and resolve security defects. Five years ago, Defensics security engineers in Oulu, Finland, discovered the Heartbleed vulnerability while testing a new feature for the Defensics SSL/TLS protocol fuzz testing suite. Five months ago, Defensics security engineer Tuomo Untinen discovered an authentication bypass vulnerability in a popular home router in a similar fashion. Tuomo and the CyRC team pursued a coordinated disclosure with National Cyber Security Centre Finland (NCSC-FI) and worked with the router company to reproduce and fix the vulnerability, before penning a blog post about the vulnerability, how it was found, and how similar issues can be avoided in the future.

Emerging technologies

Our CyRC researchers work directly with the community and clients to explore the unique security challenges presented by emerging technologies.

Nascent technologies like AI, enterprise blockchain, and serverless computing hold promise and potential for the future, but from a security standpoint, they often represent more risk than reward today. Our CyRC researchers are working directly with the community and clients to explore the unique security challenges presented by these emerging technologies: challenges that have not been, or cannot be, detected or resolved using existing methods or technologies. CyRC publishes its findings as white papers, blogs, conference presentations, and open source tools. Our researchers spent three months probing the security posture of the Hyperledger Fabric enterprise blockchain platform and presented their findings at DEF CON 26. They also published Tineola, an open source dynamic security testing tool for enterprise blockchain systems, on GitHub.

Security tools for the community

Synopsys is committed to empowering open source development teams with free tooling powered by our research efforts. The Coverity Scan service helps teams find security weaknesses and fix defects in Java, C/C++, C#, JavaScript, Ruby, and Python open source projects. Open Hub is an online community and public directory of free and open source software (FOSS) offering analytics and search services for the discovery, evaluation, and comparison of open source projects. At Synopsys, we recognize the value the technology community provides in making our research better, and in turn we strive to help the community build secure, high-quality software faster.


Visit our CyRC landing page to learn more or contact us with any questions or suggestions for public or private research.


Posted by Tim Mackey

Tim Mackey is the Head of Software Supply Chain Risk Strategy within the Synopsys Software Integrity Group. He joined Synopsys as part of the Black Duck Software acquisition, where he worked to bring integrated security scanning technology to Red Hat OpenShift and the Kubernetes container orchestration platform. In this role, Tim applies his skills in distributed systems engineering, mission-critical engineering, performance monitoring, large-scale data center operations, and global data privacy regulations to customer problems. He takes the lessons learned from those activities and delivers talks globally at well-known events such as RSA, Black Hat, Open Source Summit, KubeCon, OSCON, DevSecCon, DevOpsCon, Red Hat Summit, and Interop. Tim is also an O'Reilly Media published author and has been covered in publications around the globe, including USA Today, Fortune, NBC News, CNN, Forbes, Dark Reading, TEISS, InfoSecurity Magazine, and The Straits Times. Follow Tim at @TimInTech on Twitter and at mackeytim on LinkedIn.
