Our 10 most popular software security posts from 2018 show clear trends in DevSecOps, CI/CD, open source, blockchain, GDPR, and other topics.
We’ve seen a lot of instances recently where the terms “agile,” “CI/CD,” and “DevOps” are used interchangeably. The truth is that they’re rather different. In our most popular post of the year, we explain the difference between agile, CI/CD, and DevOps and what each one focuses on, highlights, and emphasizes.
Software security practices have garnered the reputation for being painfully slow and incompatible with DevOps initiatives. DevSecOps has emerged as a response to the demand to produce secure software quickly. From analysis to remediation, Coverity, our static analysis tool, is designed to help organizations enable DevSecOps.
What are the most common security challenges in CI/CD workflows? Organizations report CI/CD security challenges related to tools, approach, speed, false positives, developer resistance, and compliance. Meera Rao, director of the secure development practice at Synopsys, explains how to deal with each one effectively.
A critical remote code execution vulnerability in the Apache Struts web application framework discovered in late summer could allow remote attackers to run malicious code on affected servers. CVE-2018-11776 affects all supported versions of Struts 2 (the Apache Software Foundation issued a patch on Aug. 22).
Early adoption of any technology carries risk, so it's natural to question blockchain security and its potential for cyber attack. We break down blockchain from a security perspective and look at its history, its successes and failures, and what we can do to keep ahead of the risk of cryptocurrency investing.
Chip flaws such as Spectre and Meltdown were all over the news this year, and for good reason: These exploits are particularly tenacious, because you can't patch a chip. But you can find vulnerable code using static analysis, and you can patch that code. We released a Coverity checker that can identify code patterns that are vulnerable to the Spectre attack.
Integrating static analysis tools into the DevSecOps pipeline is critical to building a sustainable program, but it’s also important to automate them to drive efficiency, consistency, and early detection. Here we explain five steps to fully integrating SAST tools into your workflows for a cost-effective, proactive, and secure DevOps process.
When the General Data Protection Regulation (GDPR) took effect, it replaced the Data Protection Directive (DPD) of 1995. But there are important differences between the two related to personal data, individual rights, data controllers and processors, information governance and security, and data breach notification and penalties.
Every application security testing tool—SAST, IAST, DAST, and RASP—has its distinct advantages, but you’ll get the best results when you use them together. Here’s a quick overview of static analysis, dynamic analysis, interactive application security testing, and runtime application self-protection and what each tool does best.
Fuzz testing is a method of feeding applications automatically generated, unexpected inputs. Fuzz testing efficiently addresses the question “What happens if I purposely input invalid values into an application?” And it’s one of our favorite methods of finding vulnerabilities and issues in Bluetooth-enabled devices.