The cyber security and open source security news that made headlines this week!
Case Study: Like members of many other development teams, Synopsys’ own engineers initially resisted anything that might slow developer productivity. However, their reluctance to adopt security practices during development was hindering their achievement of agile release cycles and continuous delivery. Learn how Synopsys engineering and security are working together toward a more secure SDLC.
via TechCrunch: Open source maintainers are exhausted and rarely paid. A new generation wants to change the economics.
via Synopsys Software Integrity blog (video): Taylor Armerding, Synopsys Software Integrity Group senior strategist, gives you the scoop on application security and insecurity in this week’s Security Mashup episode. What’s in this week’s Security Mashup episode, you ask? An ex-CIA employee insider threat and how he was outed, insight into the Flightradar24 hack, and what you need to know about the Red Hat open source license copyright conundrum.
via Dark Reading: Black Duck by Synopsys technical evangelist Tim Mackey notes that unpatched software vulnerabilities are the biggest cyberthreat organizations face. The problem is that no one is listening, or, worse, they don’t know what software they have and how to patch it. According to Black Duck’s recently released annual report, “Open Source Security and Risk Analysis (OSSRA),” unpatched, vulnerable open source components are the leading security risk across multiple industries.
via SearchSecurity: A recent public backlash against the way wireless carriers share mobile location data led to questioning from Sen. Ron Wyden (D-Ore.), but experts aren’t fully sold on the carriers’ responses… Gary McGraw, vice president of security technology at Synopsys, said the carriers “likely knew about this all along [and] so did most sophisticated security-aware users of mobile technology. What is happening is that political circles are just beginning to get a technical clue.”
via Daily Express: There’s a wide variety of malicious apps currently on the internet that are looking to fool you into thinking they are a version of Fortnite on Android… Steve Giguere, lead EMEA engineer at Synopsys, highlights the risks, as well as the need for people to become knowledgeable about and prepared for these kinds of scams.
via ZDNet (Japan): At a briefing session on June 19th, Tim Mackey, senior technology evangelist at Synopsys Software Integrity Group, remarked on the risks of open source software.
via Dark Reading: More than two-thirds (69%) of cybersecurity experts predict a successful cyberattack will hit US infrastructure within the next two years—and a majority express low confidence both in security technology to protect their organizations and in the US government to defend the nation against attacks.
via TechRadar: Of the codebases audited for the 2018 Open Source Security and Risk Analysis (OSSRA) report, 8% were found to contain Apache Struts, and of those, a third contained the Struts vulnerability that resulted in the Equifax breach.
via Synopsys Software Integrity blog: The timeless demand to reduce time to market has put DevOps in a position to solidify itself as a defining characteristic of modern SDLCs. While the need to accelerate software development is as old as software development is, the need to produce secure software is currently gaining traction in light of recent software security blunders. The only problem: Software security practices have garnered a reputation for being painfully slow and incompatible with DevOps initiatives.
*** This is a Security Bloggers Network syndicated blog from Software Integrity authored by Fred Bals. Read the original post at: https://www.synopsys.com/blogs/software-security/secure-sdlc-open-source-biggest-problem/