Synopsys Archives - SD Times
https://sdtimes.com/tag/synopsys/ (Software Development News, feed updated Tue, 16 Apr 2024 15:39:15 +0000)

Synopsys hopes to mitigate upstream risks in software supply chains with new SCA tool
https://sdtimes.com/security/synopsys-hopes-to-mitigate-upstream-risks-in-software-supply-chains-with-new-sca-tool/ (published Tue, 09 Apr 2024 19:22:43 +0000)

Synopsys has released a new solution to help companies manage upstream risks of software supply chains.

Black Duck Supply Chain Edition performs software composition analysis (SCA) using several analysis techniques to determine the components in a piece of software: package dependency, CodePrint, snippet, binary, and container analysis.

Customers can import SBOMs of their third-party components and automatically catalog the components found within. The tool performs continuous risk analysis on both internal SBOMs and the SBOMs of third-party components.

This lets it identify not just security issues but also license issues with third-party components, including analyzing AI-generated code and detecting whether any part of it is subject to license requirements.

The tool also performs post-build analysis that can help detect malware or potentially unwanted applications. 

SBOMs can be exported in SPDX or CycloneDX formats, which makes it easier to meet customer, industry, or regulatory requirements, according to Synopsys. 

“With the rise in software supply chain attacks targeting vulnerable or maliciously altered open source and third-party components, it’s critical for organizations to understand and thoroughly scrutinize the composition of their software portfolios,” said Jason Schmitt, general manager of the Synopsys Software Integrity Group. “This requires constant vigilance over the patchwork of software dependencies that get pulled in from a variety of sources, including open source components downloaded from public repositories, commercial software packages purchased from vendors, code generated from AI coding assistants, and the containers and IT infrastructure used to deploy applications. It also requires the ability to detect and generate actionable insights for a wide range of risk factors such as known vulnerabilities, exposed secrets, and malicious code.”

The post Synopsys hopes to mitigate upstream risks in software supply chains with new SCA tool appeared first on SD Times.

Synopsys releases fAST Dynamic test solution
https://sdtimes.com/security/synopsys-releases-fast-dynamic-test-solution/ (published Tue, 19 Mar 2024 17:09:08 +0000)

Synopsys today released a new application security testing solution, fAST Dynamic, that helps organizations find and remediate security vulnerabilities in today’s modern web applications.

According to the company’s announcement, fAST Dynamic is built upon scanning technology Synopsys acquired from WhiteHat Security, and adds on to fAST Static and fAST SCA, which were built into the company’s Polaris platform last year. This allows users to deal with vulnerabilities in their own code, open-source dependencies and application behaviors in one solution.

“Dynamic analysis is an essential technology for securing modern web applications, but legacy DAST tools can be too slow and difficult to use in fast-paced development environments,” said Jason Schmitt, general manager of the Synopsys Software Integrity Group. “With fAST Dynamic, we have evolved the powerful and accurate scanning technology from WhiteHat Security to create a solution designed for the speed of modern development. Synopsys fAST Dynamic enables DevOps teams to scan their applications quickly and accurately, eliminating the need for time-consuming configuration and triage efforts which are often required with legacy tools. With the addition of fAST Dynamic, Polaris customers can orchestrate rapid static, SCA, and dynamic scans through a unified SaaS platform, enabling them to simplify and accelerate their DevSecOps workflows.”

Among the features Synopsys has introduced with fAST Dynamic are:

  • Simplified onboarding and configuration
  • Smart attack execution, offering the ability to navigate and analyze web applications to ensure comprehensive test coverage
  • An optimized analysis engine that targets critical and high-impact vulnerabilities and minimizes false positives and which can be integrated into organizations’ CI/CD pipelines

Synopsys fAST Dynamic will be available in April on the Polaris platform. To learn more, read the blog post.

The post Synopsys releases fAST Dynamic test solution appeared first on SD Times.

Report: Security suffering due to a “zombie code” apocalypse
https://sdtimes.com/security/report-security-suffering-due-to-a-zombie-code-apocalypse/ (published Tue, 27 Feb 2024 19:10:42 +0000)

A majority of codebases contain outdated components, or “zombie code,” which can result in unpatched vulnerabilities lingering long after they should have been fixed.

According to Synopsys’ Open Source Security and Risk Analysis report, which was released today, 91% of codebases contain components that are at least 10 versions out of date.

Furthermore, 49% of codebases contain components that haven’t had any development activity in the last two years. 

The mean age of open source vulnerabilities in the codebases surveyed was 2.5 years, though almost a quarter of the codebases had a vulnerability more than 10 years old.

Overall security has also worsened year over year. In Synopsys’ 2022 report, 48% of codebases had high-risk vulnerabilities; in 2023 the number jumped to 74%. Synopsys attributes this increase to factors such as layoffs affecting tech workers, which have left fewer developers available to fix these issues.

“This year’s OSSRA report indicates an alarming rise in high-risk open source vulnerabilities across a variety of critical industries, leaving them at risk for exploitation by cybercriminals,” said Jason Schmitt, general manager of Synopsys Software Integrity Group. “The increasing pressure on software teams to move faster and do more with less in 2023 has likely contributed to this sharp rise in open source vulnerabilities. Malicious actors have taken note of this attack vector, so maintaining proper software hygiene by identifying, tracking and managing open source effectively is a key element to strengthening the security of the software supply chain.”

Another finding of the report is that companies are struggling with open-source license compliance. Fifty-three percent of the codebases have open-source license conflicts and 31% have either no known license or a custom license. 

The report also found that eight of the top 10 vulnerabilities can be attributed to one vulnerability type: Improper Neutralization.

The post Report: Security suffering due to a “zombie code” apocalypse appeared first on SD Times.

Synopsys Software Risk Manager aims to simplify security and testing strategies
https://sdtimes.com/security/synopsys-software-risk-manager-aims-to-simplify-security-and-testing-strategies/ (published Tue, 01 Aug 2023 20:11:19 +0000)

Synopsys is working to make it easier for security teams to align their strategy across different projects, teams, and application security testing (AST) tools. It has released the Synopsys Software Risk Manager, which brings together security testing engines with policy-driven test orchestration and vulnerability management.

According to Synopsys, Software Risk Manager allows teams to centrally define and enforce their security policies, which can have specific parameters for testing and managing vulnerabilities.

It also allows for the consolidation of different security tools, which helps to unify the user experience for testing and security teams, the company explained. 

Reporting can also be consolidated across different projects, teams, and tools, and this provides a big-picture view of security risks. 

In addition, teams can integrate Software Risk Manager with other tools in their toolchain, enabling quick onboarding of existing projects. 

“Application security programs need to be effective and efficient at reducing software risk in order to deliver value,” said Jason Schmitt, general manager of Synopsys’ Software Integrity Group. “Many organizations embracing digital transformation are struggling with the complexity and operational costs of managing their software risk at scale. Synopsys Software Risk Manager provides teams with a holistic view of their application security posture while accelerating time to value and reducing the overall cost of their AppSec programs.”

The post Synopsys Software Risk Manager aims to simplify security and testing strategies appeared first on SD Times.

Cloud-native success requires API security
https://sdtimes.com/api/cloud-native-success-requires-api-security/ (published Thu, 03 Nov 2022 14:10:03 +0000)

The complexity of modern cloud-native applications, which often leverage microservices, containers, APIs, infrastructure-as-code and more to enable speed in app development and deployment, can create security headaches for organizations that fail to put practices in place to mitigate vulnerabilities.

With dependencies on databases and third-party APIs, and sensitive information and secrets such as certificates and passwords exposed, organizations need to have a mechanism to track and catalog all the APIs used in their environment. They need visibility into all inbound and outbound traffic and, most importantly, to ensure the mutual communication channels are kept safe and that APIs are properly authenticated.

Proper upfront design and planning of APIs is crucial to help ensure any event-driven APIs are secured and that there is proper handling of all secrets and sensitive data that gets transmitted in the process.

To begin to properly secure cloud-native applications, it is necessary to have a full understanding of the interfaces that are being exposed, Kimm Yeo, who works in application security at Synopsys, wrote in a recent blog post. “Organizations with internally developed cloud-native applications faced a variety of security incidents in recent years, with the leading causes being insecure use of APIs, vulnerable source codes and compromised account credentials,” she wrote.

It is the expanded use of APIs in today’s applications that creates the biggest security challenges. In a report, Gartner found that 90% of a web application’s attack surface is made up of APIs, and predicted that in 2022 APIs would be the most frequent attack vector.

“Effective API security can’t be done by merely protecting and blocking vulnerable APIs with some web firewalls and monitoring tools,” Yeo wrote in a recent blog post. “API-based apps need to be treated and managed as a complete development life cycle of their own. Just as the software app development life cycle goes through upfront planning and design, so must the API life cycle. There needs to be proper API design with API policies built into an organization’s overall business risk and continuity program.”

Yeo points out that traditional application security scanning tools were not designed for cloud-native applications and lack visibility into modern application development and deployment architectures. This is because, she wrote, “most API and serverless function calls are event-driven triggers…”

In her blog, Yeo states that organizations need to view and treat APIs holistically as a life cycle development and deployment framework of its own – like how they look at application development as a life cycle. This would entail up-front design and planning, as well as policies around API management to ensure vulnerabilities are kept to a minimum.

Further, she encourages organizations to do risk assessments of all API-based applications, focusing on those apps with the highest risk factors. She wrote that effective API security practices require continuous testing to verify vulnerable APIs during application tests at runtime compilation with third-party components.

Beyond all that, the use of modern scanning tools and techniques can further ensure that any vulnerabilities can be addressed (or the risk mitigated) before the apps are deployed. SCA, SAST and DAST tools – which have been more commonly used as app security test practices – and now, more frequently, IAST tools can provide insights into where those security holes are, so they can be fixed before the application is released, when remediation is less expensive and does less damage to the organization’s business and reputation.

“This,” Yeo wrote, “is the key essence of effective API security strategy in my opinion. An organization needs the ability to quickly identify and proactively test and remediate the apps with highest risk (as defined by its security policies and API risk classifications) before they go into production release. An API risk classification system can use criteria such as the application’s exposure (internal- or external-facing apps), the types of information it handles (such as PII/ PCI-DSS payment related), the record size that the app manages (which can get into thousands and millions), and the cost of data breaches, disaster recovery, and business continuity impact.”

Content provided by SD Times and Synopsys.

The post Cloud-native success requires API security appeared first on SD Times.

Development today: Short-term benefits, long-term risks.
https://sdtimes.com/security/development-today-short-term-benefits-long-term-risks/ (published Thu, 22 Sep 2022 13:00:27 +0000)

For all the talk of server and network security, the fact remains that applications are among the main attack vectors leveraged by bad actors.

This is so because development teams are focused on delivering new functionality and features as quickly as possible. They are not usually trained in security practices, and often have little desire to be.

That can leave modern applications – which are more likely to be assembled from open-source and third-party components, and tied together with APIs and other connectors – vulnerable to intrusion.

Development today is driven by short-term benefits, but faces long-term risk, according to Jonathan Knudsen, the head of global research in the Synopsys Software Integrity Group’s Cybersecurity Research Center. “You’re trying to make something that works as fast as you can, and that means that you’re not necessarily thinking about how somebody could misuse the thing” down the road, Knudsen said. “The short-term benefit is you build something that works, that’s useful, that people will pay for and you make money. And the long-term thing is, if you don’t build it carefully, and if you don’t think about security all along the way, something bad is going to happen. But it’s not so immediate, so you get caught up in the immediacy of making something that works.”

According to Knudsen, there are three kinds of software vulnerabilities: design vulnerabilities, configuration vulnerabilities and code vulnerabilities. “Developers are making the code vulnerability mistakes, or somebody who developed an open source package that you’re using. Design time vulnerabilities are, before you write code, you’re thinking about the application or an application feature, and you’re figuring out how it should work and what the requirements are and so on and so forth. And if you don’t do the design carefully you can make something that even if the developers implement it perfectly, it’ll still be wrong because it’s got a design flaw.”

Knudsen explained a number of factors behind these vulnerabilities. First is the use of open-source components. A Synopsys report from earlier this year found that 88% of organizations do not keep up with open-source updates. “If I choose to use this open source component, how risky is it?,” he said. “There are many things to look at, like, how many people are already using that thing? Because the more it’s used, the more it gets exercised, the more the bad stuff shakes out before you get to it, hopefully.” 

Another thing to look at is the team behind that component, he added. “Who is the development team behind it? You know, who are these people? Are they full time? Are they volunteers? How active are they? Did they last update this thing eight months ago, two years ago? Those are just sort of operational concerns. But then, if you are going to get more specific, you’d ask,  did the development team ever run any security test tools on it? Have they even thought about security?”

This, he pointed out, is largely impractical for a development team to research, because they just need a component with a particular function, and want to grab it and drop it into the application and start using it. Knudsen added that there are a number of efforts underway on how to score open-source projects based on risk, “but nobody’s come up with a magic formula.”

The need for speed in application development and delivery had led to the “shift left” movement, as organizations try to bring things like testing and security earlier in the life cycle, so those tasks aren’t left to the end, where it can slow down release of new functionality. That means that more of those efforts are being put on developers. As Knudsen explained, “One of the things is this focus on the developer, because everybody thinks, ‘Okay, developers write code, and code can have mistakes or vulnerabilities in it.'”

But, he noted, it’s not really all about the developers; it’s also the process around them. “When you create software, you start out, you design it. You’re not writing any code, you’re just thinking about what it should do. And then, you write it, and you test it, and you deploy it or release it or whatever. And the developers are really only one part of that. And so you can help developers make fewer mistakes by giving them training and helping them understand security and the issues. But it shouldn’t be on them. Developers are fundamentally creative people who solve problems and make things work and, and you should just let them run with that and do that. But if you put them in a process where there’s threat analysis going on, when you design the application, where there’s security testing going on during the testing phase, and, and just feeding back those results to the development team, they will fix the stuff. And you’ll have a better product when you release it.”

To help create an optimal security process for developers, Synopsys offers many application security testing products and tools, including industry-leading solutions in SAST, DAST, and SCA. To learn more visit synopsys.com.

Content provided by SD Times and Synopsys

The post Development today: Short-term benefits, long-term risks. appeared first on SD Times.

SBOMs can help ensure software integrity
https://sdtimes.com/security/sboms-can-help-ensure-software-integrity/ (published Thu, 11 Aug 2022 17:05:41 +0000)

To secure the software in your supply chain, there’s a lot of hype today about the need for an SBOM (software bill of materials). But what does that really mean for development teams today?

BOMs have been used for years by organizations; they are a list of the raw materials, sub-assemblies, intermediate assemblies, sub-components, parts, and the quantities of each needed to manufacture an end product. 

In today’s software world, the concept applies to all the code that goes into an application, the license requirements for third-party components, dependencies on other components, and compliance with any other industry-specific regulations. According to a May 2021 executive order from U.S. President Joe Biden aimed at tightening up cybersecurity, “an SBOM is useful to those who develop or manufacture software, those who select or purchase software, and those who operate software.”

Michael White, technical director and principal architect at the Software Integrity Group at Synopsys, said there are a couple of different ways to look at SBOMs – either as a static artifact or report, or as a process. “As we add components into our software, or change the version of the components, or update the components, we should be maintaining that SBOM on an ongoing basis,” he said. The continual process of software maintenance, he pointed out, saves you from having to scramble to assemble all the information about changes. As a continual process, you’re building up the SBOM piece by piece as you go along.

As for what SBOMs mean for developers, White said those are the people who are in the middle of the supply chain, as producers of software and consumers of software used to create their applications. As such, they have to worry about two different sets of obligations, White explained. “They have to worry about doing what they’re required to do for the end user of our product. But then also, are we passing that requirement down to the people that we consume software from?” 

With open source, that could be in the form of generating export information about a particular package; with commercial software, an organization should have the requirement that the supplier provide an SBOM. “That kind of information should kind of filter down the supply chain so that the information kind of bubbles up again.”

Today’s modern software comes with a long tail of dependencies, and studies have shown that as much as 90% of a modern application today is not written as first-party code by your development team, White said. “The SBOM does have to include your own components, the things you’re developing,” he said, as well as components assembled from other sources.

White said Synopsys talks more about building trust than simply discussing security, because organizations also have to think about safety, quality, compliance – and how to make that available to developers.

“We’re very much about the developer experience,” White said. “So, surfacing up that information at the right time, providing meaningful feedback that tells developers about something they can understand and act on. Once that is embedded and visible in the process, a lot of other concerns go away. It keeps the security people happy, it keeps the market compliance people happy, and the legal team and risk team happy.”

With its platform, White said, Synopsys is building the bridge between developers and the other stakeholders in an application to ensure those requirements are being met as well.

Content provided by SD Times and Synopsys

The post SBOMs can help ensure software integrity appeared first on SD Times.

Asking developers to do security is a risk in itself without training
https://sdtimes.com/security/asking-developers-to-do-security-is-a-risk-in-itself/ (published Mon, 01 Aug 2022 20:33:50 +0000)

As the pace and complexity of software development increases, organizations are looking for ways to improve the performance and effectiveness of their application security testing, including “shifting left” by integrating security testing directly into developer tools and workflows. This makes a lot of sense, because defects, including security defects, can often be addressed faster and more cost-effectively if they are caught early. Issues found during downstream testing or in production result in costly and disruptive rework.

Organizations have come to understand that the cost to remediate defects grows exponentially the farther along into production an application travels. Prevention costs are the least expensive, while the cost of correcting something is 10x greater, and the cost of an application failure is 100x greater.

So asking developers to prevent defects is an important step, but most developers aren’t security experts, and tools that are optimized for the needs of the security team can be too complex and disruptive to be embraced by developers. To make matters worse, these solutions often require developers to leave their integrated development environment (IDE) to analyze issues and determine potential fixes. All this tool- and context-switching kills developer productivity, so even though teams recognize the upside of checking their code and open-source dependencies for security issues, they avoid using the security tools they’ve been given due to the downside of decreased productivity.

To help developers maintain productivity without sacrificing security, developers should look for a comprehensive SAST solution that identifies security and quality defects early in the software development life cycle (SDLC). Specifically, they should look for solutions that:

  • enable them to find issues quickly as they code. If developers can fix these issues in real time, the issues never leave the developer workstation;
  • provide a full scan when they need it; and
  • show issues found by CI/CD scans on the servers directly in their IDE, without having to scan locally.

In response to these needs, Synopsys developed Code Sight and recently released Code Sight Standard Edition (SE). Code Sight SE is an IDE-based application security solution that helps developers find and fix security issues as they code, without switching tools or interrupting their workflow.

“We have spent enormous amounts of time designing Code Sight,” said Raj Kesarapalli, senior manager of product management at Synopsys. He said the core strength of Code Sight is its ability to give priority to developer relevancy. It delivers that benefit by identifying vulnerabilities while still in the developer environment. It also ensures that no new issues are introduced as a result of the changes made.

It scans only the selected files for issues and handles the remaining hundreds or thousands of files by leveraging context from a previous scan. Using that knowledge base eliminates the need for an immediate and lengthy comprehensive scan of every file. This frees the developer to continue writing code while issues are being found and fixed – all within the developer environment.

The process is not unlike the way a spell-checker operates in a Microsoft Word document, said Kesarapalli: While corrections are being made to specific words or phrases in the document, the author or editor is able to continue working, losing little or no time as the process goes forward.

For a software team, that means a major productivity gain.

“This gives them what is relevant and what they can find quickly,” he said. At the same time, fewer flaws make their way to the extended cycle of central analysis. “It short-circuits the loop for some of the issues,” Kesarapalli said.

Code Sight enhances developer productivity, and its early intervention means there is less for the rest of the team to do. In fact, some of the issues caught early in the development environment never reach the other stakeholders at all.

Developers anywhere in the world can gain access to the software by downloading a free trial that enables them to start using it in less than five minutes. The link to the download is: 

https://marketplace.visualstudio.com/items?itemName=SynopsysCodeSight.vscode-codesight

Another way to preview Code Sight Standard is with this demo video:

https://community.synopsys.com/s/article/Getting-Started-With-Code-Sight-Standard-Edition

Content provided by SD Times and Synopsys

The post Asking developers to do security is a risk in itself without training appeared first on SD Times.

]]>
SD Times news digest: Tricentis acquires Testim; SmartBear releases Bugsnag updates; TigerGraph to launch “Graph for All Million Dollar Challenge”; https://sdtimes.com/test/sd-times-news-digest-tricentis-acquires-testim-smartbear-releases-bugsnag-updates-tigergraph-to-launch-graph-for-all-million-dollar-challenge/ Wed, 09 Feb 2022 19:18:13 +0000 https://sdtimes.com/?p=46555 Tricentis, an organization focused on test automation for modern cloud and enterprise applications, today announced that it has acquired the AI-based SaaS test automation platform, Testim. This combination is aimed to simplify Tricentis’ test automation, allowing users to more easily create end-to-end tests. “We are very excited to join Tricentis,” said Oren Rubin, founder and … continue reading

The post SD Times news digest: Tricentis acquires Testim; SmartBear releases Bugsnag updates; TigerGraph to launch “Graph for All Million Dollar Challenge”; appeared first on SD Times.

Tricentis, an organization focused on test automation for modern cloud and enterprise applications, today announced that it has acquired the AI-based SaaS test automation platform Testim. The combination aims to simplify Tricentis’ test automation, allowing users to more easily create end-to-end tests.

“We are very excited to join Tricentis,” said Oren Rubin, founder and CEO of Testim. “Tricentis has built a comprehensive offering to support the full testing lifecycle across the enterprise application landscape. The unique capabilities of both companies complement one another perfectly, and devs around the world will enjoy a more robust, comprehensive platform and higher productivity.”

SmartBear releases Bugsnag updates

SmartBear today introduced the Features Dashboard within Bugsnag, the company’s application stability management solution. This decision-support tool brings users the ability to access real-time visibility as well as actionable insights geared at speeding up software innovation.

The new Features Dashboard offers developers key advantages, including:

  • Observability
  • Data-driven decisions
  • Increased confidence

For more information, see here.

TigerGraph announces “Graph for All Million Dollar Challenge”

TigerGraph, provider of a graph analytics platform, today launched “Graph for All Million Dollar Challenge” in order to search for new ways to utilize graph technology and machine learning to solve real world issues.

This is a global search and winners will be selected across four main categories and then announced at the 2022 Graph + AI Summit this May. 

“We’re giving one million dollars to innovators who push the boundaries of graph and AI technology to uncover new, transformational ways to solve real world issues. The challenge is officially on and we look forward to seeing thousands of registrants, hundreds of mind-blowing entries, and countless new ideas and concepts,” said Dr. Yu Xu, founder and CEO of TigerGraph.

Copado launches Spring 22 release

With this release, the DevOps company Copado has natively integrated testing into its low-code CI/CD DevOps platform, allowing organizations to “shift-left” on testing and improve the quality and velocity of their multi-cloud releases. 

In this release, the Copado DevOps platform has been reworked in order to enable users to develop quality-driven pipelines across multiple clouds, platforms, and applications. With this comes Copado Actions, which define new DevOps building blocks that work to automate several different actions, including commit, test, deploy and backup across any cloud application development process.

Synopsys introduces Code Sight Standard Edition

Code Sight Standard Edition comes as a standalone version of the Code Sight plugin for IDEs. It enables developers to easily locate and fix security issues within source code, open source dependencies, infrastructure-as-code files, and more before they commit their code.

Additionally, it leverages Synopsys’ Rapid Scan Static and Rapid Scan SCA technology in order to provide fast and lightweight application security analysis in the IDE.

“In the age of modern software development, speed is king and software risk equates to business risk,” said Jason Schmitt, general manager of the Synopsys Software Integrity Group. “That means developers shoulder a tremendous responsibility in protecting their organizations and they do not have the luxury of time to stop and scan.”


Report: Companies prioritize securing open-source components in modern software https://sdtimes.com/security/report-companies-prioritize-securing-open-source-components-in-modern-software/ Tue, 28 Sep 2021 17:38:47 +0000

The post Report: Companies prioritize securing open-source components in modern software appeared first on SD Times.

The rapid adoption of the cloud has led companies to increasingly secure open-source components in modern software. 

The newly released 12th Building Security In Maturity Model (BSIMM12) report found a 61% increase in software security groups’ identification and management of open source over the past two years. 

The report was created by Synopsys, a company that focuses on software security and quality. 

Synopsys gathered data from 128 firms from multiple industry verticals including financial services, independent software vendors, cloud, health care, and IoT. It describes the work of nearly 3,000 software security group members and over 6,000 satellite members.

The increased attention to securing open-source components is due both to the prevalence of those components and to the rise of attacks on the most popular ones, according to the report.

Security leaders are prioritizing cloud and open-source capabilities: they are building in-house capability to manage cloud security rather than relying on cloud vendors, and organizations are placing increased emphasis on software suppliers and open-source risk management.

The report also found a 30% increase in the “publish data about software security internally” activity over the past 24 months, meaning that organizations are exerting more effort to collect and publish their software security initiative data. 

Software Bill of Materials (SBOM) activities increased by 367%, reflecting an emphasis on understanding how software is built, configured, and deployed, and improving organizations’ ability to redeploy based on security telemetry.

Also, security teams are lending resources, staff, and knowledge to DevOps practices, and the concept of “shift left” progressed to “shift everywhere,” according to the report. “Shift everywhere” encourages companies to use containers to enforce security controls, orchestration, and scanning infrastructure as code.


