If software is eating the world, as venture capitalist, Mosaic creator and Netscape cofounder Marc Andreessen famously said a decade ago, then one variety of software — open source — is now doing virtually all the eating.

That’s one of the major findings of the sixth Open Source Security & Risk Analysis (OSSRA) report, released last week by the Synopsys Cybersecurity Research Center (CyRC).

Not that this is at all a surprise. It simply confirms an ongoing trend. Open source software has been a majority of all existing codebases for years. It’s just that every year it’s a bigger majority.

If you have never heard of the BSIMM or OWASP SAMM, you need to read this, if only to find out what the heck they stand for.

But more importantly, because they can help you keep your software secure. And that’s something you really need to do. Really.

As boring and esoteric as it may sound, software security is just as important as—now even more so than—putting locks on your doors, making sure you don’t misplace your wallet and, for businesses, making sure only employees get into your building and keeping your intellectual property safe.

These days, both your physical and…

“If it ain’t broke, don’t fix it,” is one of the all-time common-sense clichés. Which makes the corollary true as well: If it is broke, fix it.

But what if you don’t know it’s broke? It would help if somebody would let you know.

And in the world of software, issuing those warnings is the goal of the Common Vulnerabilities and Exposures (CVE) Program, launched in 1999.

The need is obvious. Software essentially runs the modern world. It’s everywhere and in just about everything. It’s also made by humans, which means it’s not perfect. …

“Keep your stuff up to date” is one of the closest things to a religious mantra in cybersecurity. And that means everything — your networks, your systems, your applications.

For good reason. If you don’t apply patches when they become available, you’re asking for trouble because malicious hackers know, just like everybody else, when vulnerabilities become public and immediately start looking for organizations that are too distracted or clueless to apply those patches.

Fail to update and you’re in effect asking to be the next Equifax, the credit bureau giant breached in 2017 after it failed to install a patch…

What’s in a name?

As we all know, that iconic Shakespearean question applies to way more than an Elizabethan-era family feud intruding on adolescent romance.

It has, for generations, applied to everything from diseases to galaxies, insects, musical groups, teams, commercial products, and more. Sometimes things are named for a famous person (Lou Gehrig), a place (Lyme), a classic myth (Andromeda), the founder of an enterprise (Ford), an historic gold rush (49ers) or perhaps the major industry in a company town (Packers, Brewers).

But it also applies now — at least in some cases — to the weapons and vulnerabilities…

Suddenly, “supply chain” is hot. Suddenly, a term that usually makes eyes glaze over unless you’re a member of the green-eyeshade accounting fraternity is in the headlines, even leading the mainstream evening news.

Because, as the recently discovered cyberattack on SolarWinds/Orion illustrates, a weak link in the supply chain can break every other link in that chain. Even if there are 18,000 or more of them.

SolarWinds, which provides system management tools for network and infrastructure monitoring, has an IT performance monitoring system called Orion.

The thumbnail version of the story is that hackers were able to inject…

International Women’s Day — today! — is one of those classic good-news/bad-news events. Especially when it comes to women in technology.

On the good side, the event has demonstrated major staying power. It began more than a century ago — the first was in 1911 and was observed by more than a million people. This year it involves hundreds of millions, if not billions. It is a national holiday, or partial holiday, in more than two dozen countries although, notably, not in the U.S.

Its advocacy has yielded measurable results. In the U.S., women are close to half of the…

Getting a spacecraft all the way to Mars — a trip of about 300 million miles — and landing a rover vehicle on the equivalent of a postage stamp target obviously requires sophisticated technology and a team effort.

Because, as is also obvious, it’s unbelievably risky and complex. But the team at NASA’s Jet Propulsion Laboratory (JPL) in Pasadena, California got it done. Americans saw images beamed back to Earth from Perseverance on Feb. 18, just hours after it landed safely in Jezero Crater, which scientists believe was a river delta and lake 3.5 billion to 3.9 billion years ago…

By now, just about everybody has seen or heard at least the headline version of the story: A hacker tried to poison the drinking water supply of a small Florida town near Tampa earlier this month.

But as was also reported, the attack was detected and blocked long before there was any damage. A supervisor monitoring the Oldsmar (population 15,000) water plant systems saw a mouse pointer move across a screen and “immediately noticed the change in dosing amounts,” which could eventually have boosted the amount of sodium hydroxide (lye) in drinking water by 100 times. That caustic chemical, at…

Another year, another flurry of reports on the precarious security of connected medical devices.

Which should prompt another reminder that while those security risks are real, should be taken seriously, and need to be addressed more aggressively, there is general agreement among experts that the benefits of those devices still outweigh the risks, by a lot. Indeed, there are potentially deadly risks in many areas of life — driving a car, flying in a plane, climbing a mountain and more.

But as we all know there are numerous things that have been done to make those activities much safer. And…

Taylor Armerding

I’m a security advocate at the Synopsys Software Integrity Group. I write mainly about software security, data security and privacy.