The 10 most-read Software Integrity Blog posts from 2018

Our 10 most popular posts from 2018 show clear trends in the software security topics of interest, including DevSecOps, CI/CD, open source, blockchain, and GDPR.

1. What’s the difference between agile, CI/CD, and DevOps?

We’ve seen a lot of instances recently where the terms “agile,” “CI/CD,” and “DevOps” are used interchangeably. The truth is that they’re rather different. In our most popular post of the year, we explain the difference between agile, CI/CD, and DevOps and what each one focuses on, highlights, and emphasizes.

2. Enable DevSecOps with Coverity: Deliver secure code faster

Software security practices have garnered the reputation for being painfully slow and incompatible with DevOps initiatives. DevSecOps has emerged as a response to the demand to produce secure software quickly. From analysis to remediation, Coverity, our static analysis tool, is designed to help organizations enable DevSecOps.

3. Common security challenges in CI/CD workflows

What are the most common security challenges in CI/CD workflows? Organizations report CI/CD security challenges related to tools, approach, speed, false positives, developer resistance, and compliance. Meera Rao, director of the secure development practice at Synopsys, explains how to deal with each one effectively.

4. CVE-2018-11776: The latest Apache Struts vulnerability

A critical remote code execution vulnerability in the Apache Struts web application framework discovered in late summer could allow remote attackers to run malicious code on affected servers. CVE-2018-11776 affects all supported versions of Struts 2 (the Apache Software Foundation issued a patch on Aug. 22).

5. Blockchain security and the cryptocurrency boom, Part 1: Theory

With early adoption of technology, there’s risk—thus the natural inclination to question blockchain security and its potential for cyber attack. We break down blockchain from a security perspective and look at its history, its successes and failures, and what we can do to keep ahead of the risk of cryptocurrency investing.

6. Detecting Spectre vulnerability exploits with static analysis

Chip flaws such as Spectre and Meltdown were all over the news this year. And for good reason: These exploits are particularly tenacious, seeing as you can’t patch a chip. But you can find vulnerable code using static analysis, and you can patch it. We released a Coverity checker that can identify code patterns that are vulnerable to the Spectre attack.

7. How to integrate SAST into the DevSecOps pipeline in 5 simple steps

Integrating static analysis tools into the DevSecOps pipeline is critical to building a sustainable program, but it’s also important to automate them to drive efficiency, consistency, and early detection. Here we explain five steps to fully integrating SAST tools into your workflows for a cost-effective, proactive, and secure DevOps process.

8. The Data Protection Directive versus the GDPR: Understanding key changes

When the General Data Protection Regulation (GDPR) took effect, it replaced the Data Protection Directive (DPD) of 1995. But there are important differences between the two related to personal data, individual rights, data controllers and processors, information governance and security, and data breach notification and penalties.

9. Wading through the alphabet soup of application security testing tools: A guide to SAST, IAST, DAST, and RASP

Every application security testing tool—SAST, IAST, DAST, and RASP—has its distinct advantages, but you’ll get the best results when you use them together. Here’s a quick overview of static analysis, dynamic analysis, interactive application security testing, and runtime application self-protection and what each tool does best.

10. How to break car kits with Bluetooth fuzz testing

Fuzz testing is a method of feeding applications automatically generated, unexpected inputs. Fuzz testing efficiently addresses the question “What happens if I purposely input invalid values into an application?” And it’s one of our favorite methods of finding vulnerabilities and issues in Bluetooth-enabled devices.

This is a Security Bloggers Network syndicated blog from Software Integrity Blog authored by Synopsys Editorial Team. Read the original post at: https://www.synopsys.com/blogs/software-security/top-10-posts-2018/