Misuse of security tools can lead to defect overload for development teams. Knowing when and how to use these tools will yield more effective DevSecOps. It is a long-time mantra of security experts: There is no single, magical software testing tool or technique that will find every defect or flaw that developers should fix when they are building an application or any of the many things powered by software.
DevSecOps offers benefits—but it also has its challenges. Learn why companies are making the shift and why it’s not always easy. DevSecOps is the practice of integrating security into every stage of the DevOps pipeline. It unites development activities, operations support, and security checks, and coordinates the teams involved in the software development life cycle (SDLC). The synergy between the teams is helped by automation.
The rise of open source software is not without risks for today’s applications. Use a software composition analysis tool to mitigate these risks. Gartner, in its “Market Guide for Software Composition Analysis,” details the need to make software composition analysis (SCA) part of your application security testing tool suite. We discussed the what and why in a recent blog post; today let’s discuss the how.
CVE-2020-28052 is an authentication bypass vulnerability discovered in Bouncy Castle’s OpenBSDBcrypt class. It allows attackers to bypass password checks.
The burden of software security often falls solely on security teams, but to be successful, organizations need to make security a team effort. Remember group projects in school? Teachers love them because they have less grading to do; in a class of 25 students, they might only need to look at 5 projects. For team members, team projects can be difficult, usually when individual motivation levels don’t match up.
Defensics SDK makes fuzz testing possible for custom protocols. Learn how to create a custom injector using the Defensics SDK API. Fuzz testing is never a bad idea. If you aren’t testing your implementation with malformed or unexpected inputs, someone else may be able to exploit a weakness simply from running the system. And fuzz testing (or fuzzing) is not only about finding potential security issues—it can also increase the overall robustness of the system.
In part two of this series, learn how to create a data model for the Bitcoin network protocol and use the Defensics SDK to perform fuzzing on bitcoind. In the previous article, you saw how to set up a test bed for bitcoind. We created two containers, fleur and viktor, and set up communication between the two bitcoind instances. In this article, learn how to create a data model for the Bitcoin network protocol, and then use this model in the Defensics® SDK to perform fuzzing on bitcoind.
This week Synopsys released the “DevSecOps Practices and Open Source Management in 2020” report, findings from a survey of 1,500 IT professionals working in cyber security, software development, software engineering, and web development. The report explores the strategies that organizations around the world are using to address open source vulnerability management, as well as the problem of outdated or abandoned open source components in commercial code.
Experts share their 2021 software security predictions about DevSecOps adoption, the risks of social engineering and ransomware, cloud adoption, and more. Anybody who made predictions a year ago about 2020 could be forgiven for feeling a bit like the TV weather forecaster who got a note from an angry viewer telling him, “I just shoveled six inches of ‘partly cloudy’ off my driveway.”
This is the first part of a two-part advanced technical tutorial that describes how you can use the Defensics SDK to set up your own Bitcoin network. This is the first of two articles that describe how to use the Defensics® software development kit (SDK) to fuzz Bitcoin software. Specifically, you’ll learn how to model one of the Bitcoin network protocol messages and use the Defensics SDK to perform fuzzing on the bitcoind process.
