Software Integrity Blog


North Korea hacking, JScript RCE, World Cup a cyberthreat target?

Software Integrity Insight is your resource on the cyber security and open source security news that made headlines this week, including news on North Korea hacking, the remote code execution vulnerability disclosed in the Windows JScript component, and why the World Cup 2018 might be a ripe target for cyber crime. Read on!

The Cybersecurity 202: North Korea is even less likely to give up hacking than nukes

via The Washington Post: North Korea’s ability to carry out highly disruptive cyberattacks against the United States and its allies is one of the hermit country’s most powerful assets. Its digital army allows the country to project power on the world stage where its traditional military might fall short. And as the Trump administration tries to coax Kim toward nuclear disarmament, the regime’s cyberweapons could become even more valuable, experts said.

Study shows admins are doing a terrible job of patching servers

via Network World: Open source has taken over the server side of things, but admins are doing a terrible job of keeping the software patched and up to date. Black Duck by Synopsys, a developer of auditing software for open-source security, has released its annual Open Source Security and Risk Analysis, which finds enterprise open source to be full of security vulnerabilities and compliance issues.

Remote code execution vulnerability disclosed in Windows JScript component

via BleepingComputer: ZDI published a summary containing light technical details about the bug. According to this summary, the vulnerability allows remote attackers to execute code on users’ PCs in the context of the current process, but user interaction is required: the target must visit a malicious page or open a malicious file. No patch from Microsoft was available at the time of disclosure.

World Cup 2018 is ‘ripe target’ for cybercrime as expert warns over ticket scams and hacked livestreams

via The Sun: “When you consider the scope and scale of technology infrastructure required to host and broadcast one of the largest sporting events in the world, there is plenty of opportunity for malicious cyber-activity,” said Steve Giguere, lead engineer at cyber-security firm Synopsys. One of the ways hackers could ruin the event for travellers is by hijacking the self-printed ticket kiosks or connected QR code readers for e-tickets, warns Giguere.

The state of application security testing: 6 best practices

via TechBeacon: Application security testing is not optional. Experts share six best practices for DevOps environments. “Use automated tools in your toolchain. Leverage automated application security testing tools that plug directly into your CI/CD toolchain,” says Meera Subbarao, senior principal consultant at Synopsys Software Integrity Group.

DevOpsCon 2018 takeaways: Question everything & focus-forward thinking

via JAXenter: Tim Mackey from Black Duck by Synopsys discussed containers in his session “AppSec at the Speed of DevOps in the Age of Open Source”. Mackey reported that containers are immutable (an image is built once and instantiated many times) and ephemeral (a container should live only as long as it is needed). Containers are disposable: the platform may terminate one at any time, so nothing should depend on a container surviving for any particular length of time. The final takeaway of Tim Mackey’s session is that we are all researchers, and when you find a security issue, you should report it.

Takeaways from the 2018 Open Source Security and Risk Analysis Report

via Computer Business Review: “Each year after publishing the report the authors face criticisms,” says OSSRA co-author Fred Bals. “One being that we are arguing for the use of proprietary software over open source, the other that we claim that open source is less secure than proprietary alternatives. Here’s our response.”

Admins aren’t patching open source, says Black Duck security report

via ITPro Today: Earlier this month, Black Duck Software released its annual Open Source Security and Risk Analysis, the first time the report has been issued since the company was acquired by the integrated systems design company Synopsys in December 2017. As expected from Black Duck, the company has again found open source to be rife with security vulnerabilities and compliance issues.

Alexa eavesdropping flub re-sparks voice assistant privacy debate

via Threatpost: “It is not clear if this was simply a software flaw or a malicious attack, but it is a stark wake-up call nonetheless,” Andreas Kuehlmann, senior vice president and general manager at Synopsys said, in an email. “The reports that a popular voice assistant unexpectedly recorded a personal conversation and leaked information to a third party should be a reminder of the potential security and privacy risks of our… always-connected world.”

The real state of DevSecOps: Checking on automation, speed, and accuracy

via Enterprise CIO: Synopsys commissioned 451 Research to conduct a study on the state of DevSecOps. As described in the report “DevSecOps Realities and Opportunities,” it was found that only half of DevOps teams include application security testing (AST) in their continuous integration and continuous deployment (CI/CD) workflows. DevOps teams face both challenges and opportunities as they apply application security tools and best practices in their CI/CD workflows. Automation, speed, accuracy, and CI/CD integration are critical to making DevSecOps successful.
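The OSSRA and DevSecOps items above make the same point from two sides: unpatched open source components pile up because nobody checks pinned versions against known advisories, and only half of DevOps teams run any security test inside CI/CD. The script below is an added example written for this digest, not code from Synopsys, Black Duck or 451 Research. It shows the shape of the CI step that closes that gap: parse a pin file, compare each pinned version against an advisory feed of affected version ranges, and return a non-zero exit code when anything at or above a severity threshold is found. The advisory feed, the package names (httpkit, yamlfast, tmplr, leftpad-py) and the advisory identifiers (EX-2018-000x) are all constructed for the example; a real pipeline would load them from an SCA tool or a vulnerability database.

```python
"""Added example: a minimal software-composition audit step for CI.

Not the page's or any vendor's code. Advisories and package names below are
constructed for illustration only.
"""
import re
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str   # first affected version (inclusive lower bound)
    fixed: str        # first fixed version (exclusive upper bound)
    severity: str     # low | medium | high | critical
    advisory_id: str  # hypothetical identifier, not a real advisory


# Constructed advisory feed with hypothetical packages (not real advisories).
ADVISORIES = (
    Advisory("httpkit", "1.0.0", "1.4.2", "high", "EX-2018-0001"),
    Advisory("httpkit", "1.5.0", "1.5.3", "medium", "EX-2018-0002"),
    Advisory("yamlfast", "0.0.0", "3.1.0", "critical", "EX-2018-0003"),
    Advisory("tmplr", "2.0.0", "2.9.0", "low", "EX-2018-0004"),
)

# Constructed pin file in requirements.txt style: one "name==version" per line.
SAMPLE_LOCKFILE = """\
# application pins (constructed sample)
httpkit==1.3.7
yamlfast==3.1.0
tmplr==2.4.1
leftpad-py==1.0.0
"""

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def parse_version(text):
    """Turn '1.4.2' into a comparable tuple, padded to three components so
    '2.10' and '2.10.0' compare equal. Pre-release tags are not handled."""
    parts = tuple(int(p) for p in re.findall(r"\d+", text)[:3])
    return parts + (0,) * (3 - len(parts))


def parse_lockfile(text):
    """Return {package: version} for every 'name==version' line; comments are skipped
    and any other pin syntax is rejected rather than silently ignored."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9][0-9.]*)", line)
        if not match:
            raise ValueError(f"unsupported pin syntax: {line!r}")
        pins[match.group(1).lower()] = match.group(2)
    return pins


def audit(pins, advisories=ADVISORIES):
    """Return (package, version, advisory) for every pin that falls inside an
    advisory's affected range [introduced, fixed)."""
    findings = []
    for adv in advisories:
        version = pins.get(adv.package.lower())
        if version is None:
            continue
        v = parse_version(version)
        if parse_version(adv.introduced) <= v < parse_version(adv.fixed):
            findings.append((adv.package, version, adv))
    return findings


def ci_exit_code(findings, fail_on="high"):
    """0 when nothing at or above the threshold was found, 1 to fail the build."""
    threshold = SEVERITY_RANK[fail_on]
    return 1 if any(SEVERITY_RANK[f[2].severity] >= threshold for f in findings) else 0


def main(argv=None):
    """Usage: python sca_check.py [pinfile]; with no argument the constructed sample is used."""
    argv = sys.argv[1:] if argv is None else argv
    text = open(argv[0]).read() if argv else SAMPLE_LOCKFILE
    findings = audit(parse_lockfile(text))
    for package, version, adv in findings:
        print(f"{adv.severity.upper():8} {package}=={version}  {adv.advisory_id}  fixed in {adv.fixed}")
    return ci_exit_code(findings)


if __name__ == "__main__":
    sys.exit(main())
```

Two details matter in practice. The fixed version is an exclusive bound, so yamlfast==3.1.0 is correctly reported clean even though everything below it is affected; getting that boundary wrong produces either noise or a missed finding. And the step fails the build only at or above a configurable severity, so a team can start with fail_on="critical" and tighten it as the backlog of unpatched components shrinks, which is the kind of incremental CI/CD integration the 451 Research report is describing.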

VPNFilter, BMW connected car vulnerability, and Nest IoT devices go offline

via Synopsys Software Integrity (video): Taylor Armerding, Synopsys Software Integrity Group senior strategist, gives you the scoop on application security and unsecurity in this week’s Security Mashup episode. What’s in this week’s episode, you ask? Russia vs. Ukraine, Beemer as the ultimate hackable machine, and Nest “smart home” devices. It’s a must watch.
