In this episode of AppSec Decoded, we discuss the major open source trends identified within the 2021 OSSRA report. The explosive growth of open source is not new. Developers have been using this collaborative method of building software applications to meet the market demands for quality and speed for many years. Synopsys has conducted research on trends in open source usage with commercial applications since 2015.

Black Duck provides a comprehensive SCA solution for managing security, quality, and license compliance risks associated with open source use. Given today’s development trends, your organization is undoubtedly leaning heavily on open source in any number of ways. According to Synopsys’ annual Open Source Security and Risk Analysis (OSSRA) report.

Invisible application security is the concept of integrating and automating AppSec testing with little interruption to developer workflows. I really love the keyless entry system on my car. The “key” is not a key in the traditional sense; all I have to do is put it in my pocket and forget about it. When I reach for the car door handle, it simply unlocks. When I leave the car, I wave my hand over the handle to lock the car.

Learn how Synopsys AppSec tools and services can help your organization deliver a holistic security approach to address rising cyber threats. Not only has the number of cyber attacks increased dramatically in 2020, but the ingenuity and scale of the attacks has also jumped way off the charts. The SolarWinds attack was “the largest and most sophisticated attack the world has ever seen” with the number of software engineers working on these attacks estimated to be over 1,000.

In this post we explore how an attacker who has compromised a Jenkins instance can backdoor software built with it and what security measures are critical to ensure protection against attacks.

Black Duck ranks highest in Strategy and receives highest possible scores in Product Vision, Market Approach, and Corporate Culture criteria. This week, Synopsys was named a Leader in “ The Forrester Wave™: Software Composition Analysis, Q3, 2021 ,” by Forrester based on its evaluation of Black Duck, our Software Composition Analysis solution. Forrester evaluated 10 of the most significant SCA providers against 37 criteria.

Infrastructure as code is a key concept in DevOps for cloud deployments. Learn how to secure it using Rapid Scan SAST. It was not long ago when we needed to submit an IT support ticket to help launch infrastructure configurations (virtual machines, networks configurations, load balancers, databases, etc.) every time we needed to deploy a new application. It worked when we needed those less frequently, but it was not easily scalable.

IoT devices are ubiquitous in our daily lives—whether it’s at home with connected home automation devices, or at work with connected factories, hospitals, and even connected cars. According to Gartner, there were over 20 billion IoT devices in 2020. As businesses globally over the past decade have transformed their processes with more embedded IoT-driven intelligence, these billions of connected devices have also become a soft target for cyber criminals.

Manual security testing services and automated AppSec tools have their place in DevOps. Knowing which to use will make your security efforts more effective. AppSec tools that can quickly identify secrets or sensitive data accidentally (or intentionally) inserted in source code are crucial in automatically scanning millions of lines of code to find critical security issues.

In part two of our series on writing checkers with CodeXM, we explore how to run your CodeXM checker with Coverity using a command line interface. In the last post, we discussed how to write a simple checker using CodeXM. But writing the checker is not our final purpose; our target is to use that checker on our own business code. In this post, we look at how to run your CodeXM checker with Coverity® using a command line interface.

Don’t let myths undermine the security of financial software. We examine the seven myths and misconceptions found in FSI application security. It’s obvious why cyber criminals are drawn to the financial services industry (FSI). It’s the Willie Sutton logic updated: he robbed banks because “that’s where the money is.” But today it’s not just banks.