Synopsys Software Integrity Group Security Week 2019

During Cybersecurity Awareness Month, the Software Integrity Group hosted Security Week 2019, with presentations, guest speakers, and a capture-the-flag.

As part of Synopsys Cybersecurity Awareness Month 2019, the Synopsys Software Integrity Group hosted our first annual Security Week. Our goals were to spread awareness about everyone’s role in maintaining security at our company and to celebrate all the hard work we do as a team to build a robust security program. Given that Synopsys is in the software security and quality business, it is no surprise that we had a lot of interest and participation in the week’s events, and Security Week 2019 was a huge success!

Security Week 2019 presentations

We started Security Week 2019 with two days of security-related presentations from members of many different teams sharing how security affects their roles. Some of our 10 participating offices had viewing parties, and other employees streamed the presentations live. Marisa Fagan gave a presentation on how the product security team implements a secure software development life cycle. Andrew van der Stock presented on the OWASP Top 10 2020, giving us a preview of the most critical web application security risks as of next year.

We also heard from Wagner Nascimento, who gave us a tour of the Synopsys phishing program with some interesting statistics on which teams were most likely to fall for a phishing attack.

Then Jim Fussell, director of the Synopsys global safety and security team, instructed us how to keep ourselves and our assets safe from would-be attackers while in the office and when traveling.

At the end of the second day, we had a guest speaker, Joseph Menn, author of the book “Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World.” This fascinating story is a perfectly timed allegory for our own pursuits of technological creativity and innovation here at Synopsys.

Capture-the-flag

On day 3 of Security Week 2019, the Software Integrity R&D team took the day off from coding and put on their hacker hats. We ran a 24-hour capture-the-flag competition, and our developers found a record-breaking number of issues. It was a great success! We could see that trainings from earlier in the year had an impact on the vulnerabilities found during the CTF. At the same time, we sponsored a charity fundraiser for Women in CyberSecurity (WiCyS). Synopsys leadership donated money to WiCyS for every hour of the 24 hours that the R&D team spent hacking.

A screen capture of the Shadow Bank vulnerable website with 100 points scored for a SQL injection authentication bypass.

Internal bug bounty

On day 4 of Security Week 2019, we kicked off our internal bug bounty on the Polaris platform. All Software Integrity Group employees (except for Polaris developers) were invited to a three-week open season hacking challenge with our own product, Polaris, as the target. With prizes at stake, bounty hunters from every department in the Software Integrity Group can submit vulnerabilities to be validated by a panel of judges and then sent to our vulnerability management team. Thanks to the power of this unusual collaboration, we’ll be able to find and fix many issues before they go live.

Wrapping up Security Week 2019

On day 5, the final guest speaker joined us in San Francisco to talk about security in the cloud. We enjoyed a fascinating discussion led by Byron Cook, director of automated reasoning at AWS. It was the perfect end to a week of learning and celebration.

Security Week 2019 was a fun and educational way to celebrate the past year of a growing, successful security program in the Software Integrity Group. We communicated important information to all our employees but also highlighted how strong our security mindset already is. The week was a huge success, and we’re looking forward to Security Week 2020!