Software Integrity Insight is switching over to a monthly schedule, but we’ll still bring you the best SAST, DAST, and SCA security news as we find it. And don’t despair: You can still get your weekly fix of application security (and insecurity) news by following our colleague Taylor Armerding’s video blog, Security Mashup.
via eSecurity Planet: Dirk Hohndel, VP and chief open source officer at VMware: “One of the biggest challenges for any software product, whether it’s open source or not, is to get enough qualified reviewers to make sure that you don’t get overwhelmed by the speed of innovation and you take the time to actually do decent code review.”
via JAXenter: In the world of DevOps, traditional application security is no longer enough. How can we improve AppSec? What are the newest security challenges that arise as DevOps becomes more mature? JAXenter editor Gabriela Motroc caught up with Tim Mackey, technical evangelist for Black Duck by Synopsys at DevOpsCon 2018 to talk about all this and more.
via Xconomy: There is big opportunity in online retailing. However, until retailers stop treating software as an ancillary aspect of their business and begin to think and act like software companies, security breaches will continue to plague them.
via CRN: Nearly a half-billion Internet of Things devices are vulnerable to cyberattacks at businesses worldwide because of a 10-year-old security flaw, according to a new report from a security software vendor.
via BankInfoSecurity: In both March and April, the total number of breaches reported to the ICO was about 400, according to data released by the ICO last week. But the number of breach reports climbed to about 700 in May and hit about 1,750 in June, the ICO says.
via ZDNet: Homeland Security, FedEx, Orbitz, Aadhaar, L’Express, Cambridge Analytica, Twitter, T-Mobile, and more.
via Wired: Jamil Farshchi, chief information security officer at Equifax: “The barriers you face at any company not post-breach is you’re always fighting for budget, you’re always fighting for face time, trying to justify and convince people about the importance of security and risk management. When you’re in a post-breach environment, everyone already knows that it’s critically important.”
via DevOps.com: As application development techniques (and their inevitable vulnerabilities) evolve at an ever faster pace, AppSec personnel have found themselves caught between the desire to keep up with their management of security testing requirements and their ability to let developer teams operate in the modern, fast-paced ecosystem of DevOps and artificial intelligence.
via SD Times: Synopsys, a recognized leader in application security, provides static analysis, software composition analysis, and dynamic analysis solutions that enable teams to quickly find and fix vulnerabilities and defects in proprietary code, open source components, and application behavior.
via Dark Reading: Seventy-eight percent of open source codebases examined in a recent study contain at least one unpatched vulnerability, with an average of 64 known vulnerabilities per codebase.
via CSO: A security researcher discovered 157 GB of highly sensitive data from more than 100 companies, including automakers such as Ford, GM, Tesla, Toyota, Chrysler, Fiat, and Volkswagen, exposed on the web.
via TechRepublic: According to the report, nearly 90% of respondents believe they are currently at risk for a supply chain attack. . . . On average, supply chain attacks cost organizations $1.1 million. For US companies however, the average cost per attack is $1.27 million.
via Synopsys Software Integrity blog: With the disclosure of 21 million individuals’ account information being accessed in a data breach at Timehop, we now have a blueprint for what public disclosure of a breach might look like under the new GDPR rules.