The Synopsys Software Integrity Group is pleased to announce the public launch of CyRC (Cybersecurity Research Center).
Our mission is simple—to advance the state of software security through research, innovation, and evangelism. More specifically, we strive to provide resources and information around the identification, severity, exploitation, mitigation, and defense against software vulnerabilities. CyRC leverages Synopsys’ expertise, technology, initiatives, and resources to conduct high-quality primary and secondary software security research and publishes its findings for the benefit of the broader security, developer, and DevSecOps communities.
You may have already come across some of the initiatives that are aligned under the CyRC charter. Here are a few we’re excited to share:
Our analysts tap into the vast pool of anonymized data produced by Synopsys tools and services to identify and explain meaningful trends and provide insights that help readers prioritize their software security efforts. The findings from this analysis are published in CyRC market trend reports such as the annual Open Source Security and Risk Analysis (OSSRA) report.
Our Black Duck Security Research (BDSR) team in Belfast is charged with the identification, research, and augmentation of vulnerabilities reported in open source software—independent of their reporting state within the National Vulnerability Database (NVD). This research manifests as a data feed containing enhanced vulnerability information and is provided to our Black Duck customers in the form of Black Duck Security Advisories (BDSA). Where an NVD entry exists, our in-depth analysis results in clarifications, additions, and corrections to entries published by the NVD, with the core analysis often preceding the NVD entry. Read about how the BDSR team uncovered 23 additional versions of Apache Struts that are vulnerable to CVE-2018-11776.
Synopsys security engineers are continuously improving our identification technologies to detect more software weaknesses with higher precision. Similarly, our team of 650+ security consultants and analysts is constantly honing its craft and exploring new ways to break software. In the process, we often discover previously unknown vulnerabilities. CyRC secures the community by working with the appropriate stakeholders to responsibly disclose and resolve security defects. Five years ago, Defensics security engineers in Oulu, Finland, discovered the Heartbleed vulnerability while testing a new feature for the Defensics SSL/TLS protocol fuzz testing suite. Five months ago, Defensics security engineer Tuomo Untinen discovered an authentication bypass vulnerability in a popular home router in a similar fashion. Tuomo and the CyRC team pursued a coordinated disclosure with National Cyber Security Centre Finland (NCSC-FI) and worked with the router company to reproduce and fix the vulnerability, before penning a blog post about the vulnerability, how it was found, and how similar issues can be avoided in the future.
Nascent technologies like AI, enterprise blockchain, and serverless computing hold promise and potential for the future, but from a security standpoint, they often represent more risk than reward today. Our CyRC researchers are working directly with the community and clients to explore the unique security challenges presented by these emerging technologies—challenges that have not been, or cannot be, detected or resolved using existing methods or technologies. CyRC is publishing white papers, blogs, conference presentations, and open source tools. Our researchers spent three months probing the security posture of the Hyperledger Fabric enterprise blockchain platform and presented their findings at DEF CON 26. They also published Tineola, the first and only open source dynamic security testing tool for enterprise blockchain systems, on GitHub.
Tim Mackey is a principal security strategist within the Synopsys CyRC (Cybersecurity Research Center). He joined Synopsys as part of the Black Duck Software acquisition where he worked to bring integrated security scanning technology to Red Hat OpenShift and the Kubernetes container orchestration platforms. As a security strategist, Tim applies his skills in distributed systems engineering, mission critical engineering, performance monitoring, large-scale data center operations, and global data privacy regulations to customer problems. He takes the lessons learned from those activities and delivers talks globally at well-known events such as RSA, Black Hat, Open Source Summit, KubeCon, OSCON, DevSecCon, DevOpsCon, Red Hat Summit, and Interop. Tim is also an O'Reilly Media published author and has been covered in publications around the globe including USA Today, Fortune, NBC News, CNN, Forbes, Dark Reading, TEISS, InfoSecurity Magazine, and The Straits Times. Follow Tim at @TimInTech on Twitter and at mackeytim on LinkedIn.