Latest Posts

Audited vs. automated: What your automated open source tool isn't seeing

Black Duck® introduced the concept of managing open source, and the licensing and security risks that come with it, back in 2002. The process and the products have matured over the last two decades. Open source management has now become nearly as commonplace as source code control, whether development shops are using tools such as Black Duck or simply maintaining a spreadsheet of what is in their code.

Why cross-site scripting still matters

As we go into 2024, many organizations are looking at their cybersecurity programs and considering how to allocate their application security testing resources. Although making sure that you’re allocating testing resources to OWASP top 10 vulnerabilities like cross-site scripting (XSS) may not feel innovative, it’s one of the best ways to ensure your organization’s security posture.

Software Vulnerability Snapshot Report Findings

Using anonymized data from three years of tests conducted on commercial software systems and applications, the recently published 2023 Software Vulnerability Snapshot report from Synopsys focuses on exposing persistent vulnerabilities that are significant challenges to web and software application security, including the top three vulnerability types related to.

Critical aspects of a secure software supply chain

What do the Log4J zero-day vulnerability, the SolarWinds attack, and Alex Birsan’s hacking of Apple and Microsoft have in common? The answer is simple: software supply chain security. But while the answer may be simple, each example highlights a different aspect of software supply chain security.

Secure cloud-native apps and APIs at the speed your business demands

The cloud-native development model entered the mainstream in recent years, with technologies such as microservices and serverless computing, containers, APIs, and infrastructure-as-code (IaC) at the forefront of this trend. Thanks to these emerging technologies, organizations can build and run their apps fast, in a distributed manner, and without reliance on physical hardware infrastructures.

The benefits of business logic assessments

The digital realm is an ever-expanding universe, and web applications serve as the gateway to valuable customer data, sensitive information, and financial transactions. Threat actors and cybercriminals are constantly devising new techniques to exploit vulnerabilities within these applications. Further, data privacy is a paramount concern, and organizations are entrusted with safeguarding information.

The hidden business risks of technical debt in mergers and acquisitions

In the fast-paced world of technology business, mergers and acquisitions (M&As) have become commonplace. Companies often seek growth, innovation, and market expansion through these strategic moves. However, amidst the excitement of potential synergies and increased market share, there is a lurking danger that can significantly impact the success of an M&A deal: technical debt.

How to respond to the curl and libcurl vulnerabilities

As referenced in our previous post, the software development world has been bracing for additional details regarding two vulnerabilities associated with cURL, one of which was assessed as critical by the maintainer and original creator of the project. The wait ended this morning, as a fixed version was released and details about the vulnerabilities were provided.