© 2023 Goondu Media Pte Ltd. All Rights Reserved.
Q&A: Businesses need to see what’s inside their software, says Synopsys

Alfred Siew
Last updated: April 27, 2023 at 5:44 PM
Published: April 27, 2023
Kelvin Lim, director of security engineering for Asia-Pacific at Synopsys’ Software Integrity Group. PHOTO: Synopsys.

One of the least known secrets about the Internet – at least until recently – is how much the entire interconnected network that every business depends on is built on open source software that is maintained by a small group of individuals.

Often working out of their own passion to contribute to new technologies, these enthusiasts create code for software such as the Log4j logging library, which many of today’s Internet machines rely on to record and log events and connections.

A Log4j vulnerability disclosed in late 2021, during the holiday season, caused widespread disruption. Without a patch or update, servers everywhere were exposed to attackers who could exploit this publicised loophole.

This was a wakeup call. In a study released in February this year, software testing and design company Synopsys found that an overwhelming majority of open source codebases (84 per cent) contain at least one known open source vulnerability, up by about 4 per cent from last year.

It says businesses should keep a comprehensive inventory of all the software they use, regardless of where it comes from or how it is acquired, so they can better see what is in the code.

Businesses have to better understand the open source software that so much of their business operations depend on, says Kelvin Lim, director of security engineering for Asia-Pacific at Synopsys’ Software Integrity Group.

Just as car makers keep a bill of materials listing what goes into each vehicle, businesses should maintain a software bill of materials (SBOM) that they can refer to should any of these components run into problems such as a security loophole, he tells Techgoondu in this month’s Q&A.

NOTE: Responses have been edited for style and clarity.

Q: As we learnt from the Log4j debacle in 2021, so much of the work used to secure the most important foundations of today’s digital infrastructure falls on a small group of open-source volunteers. Is this tenable?

A: This is not tenable. Businesses must take a holistic approach to protecting their digital assets and infrastructures. There are always alternatives to every tool, so Log4j can easily be replaced, including with an alternative by the same author, Ceki Gülcü, known as Reload4j.

It is up to the investigative prudence of businesses to uncover the best tools to do the job, and replace them as and when necessary if patching is not sufficient.

In the same trajectory, it is also important for businesses to seriously define their SBOM (software bill of materials), so that every component within the digital assets inventory is accounted for, in turn providing clarity for management and CISOs to manage risk better.

Additionally, with a lack of capable professionals, many businesses may need to look into working with third parties to uncover software vulnerabilities and lapses.

Q: Given the complex dependencies of much of today’s open-source software, how deep can businesses typically go when it comes to an SBOM?

A: SBOM springs from the manufacturing BOM concept, and so an SBOM should be addressed in as much depth and detail as a BOM in a manufacturing company.

Imagine an automobile manufacturer, which would have a BOM of every nut and bolt, fabric, electronic component, cabling, glass, elastomer and polymer, and metal part that goes into making a car. A typical car would have about 30,000 parts, and every part demands precision and quality.

So, if we reimagine the SBOM to the exact same standards as a BOM, then we should examine every software component, including any APIs and connected code, that would form the total software we run.

This whole depth of code analysis is not trivial, so we need direct human intervention coupled with assistive automated software tools, iteration by iteration, and at every turn of software updates and upgrades to ensure that quality and security remain intact.
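The SBOM depth and inventory points above (accounting for every component, including those pulled in transitively) are illustrated by the following added example, which is not code from the original interview or from Synopsys. It walks a small constructed CycloneDX-style SBOM, records how deep each component sits in the dependency graph, and flags components that match a constructed advisory list; the component names, versions, version range and advisory id are all made-up sample values.

```python
"""Walk a CycloneDX-style SBOM, compute each component's dependency depth,
and flag components that match a constructed advisory list (example code)."""
import json
from collections import deque

# Constructed sample SBOM in CycloneDX JSON shape; all values are made up.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {"component": {"bom-ref": "pkg:maven/example/app@1.0.0", "name": "app", "version": "1.0.0"}},
  "components": [
    {"bom-ref": "pkg:maven/example/web@2.3.0", "name": "web", "version": "2.3.0"},
    {"bom-ref": "pkg:maven/example/logging@1.2.0", "name": "logging", "version": "1.2.0"},
    {"bom-ref": "pkg:maven/example/log4j-core@2.14.1", "name": "log4j-core", "version": "2.14.1"}
  ],
  "dependencies": [
    {"ref": "pkg:maven/example/app@1.0.0", "dependsOn": ["pkg:maven/example/web@2.3.0"]},
    {"ref": "pkg:maven/example/web@2.3.0", "dependsOn": ["pkg:maven/example/logging@1.2.0"]},
    {"ref": "pkg:maven/example/logging@1.2.0", "dependsOn": ["pkg:maven/example/log4j-core@2.14.1"]}
  ]
}"""

# Constructed advisory list: (component name, affected range [lo, hi), placeholder id).
# The range is a sample value, not the real advisory range for any product.
ADVISORIES = [("log4j-core", "2.0", "2.17.1", "ADVISORY-PLACEHOLDER-1")]

def parse_version(v):
    """Turn '2.14.1' into (2, 14, 1) so ranges compare numerically."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())

def component_depths(sbom):
    """BFS from the root component; returns {bom-ref: depth in the dependency graph}."""
    root = sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    depths, queue = {root: 0}, deque([root])
    while queue:
        ref = queue.popleft()
        for child in edges.get(ref, []):
            if child not in depths:  # diamonds and cycles are visited once
                depths[child] = depths[ref] + 1
                queue.append(child)
    return depths

def flag_vulnerable(sbom_text):
    """Return (name, version, depth, advisory) for every component in an affected range."""
    sbom = json.loads(sbom_text)
    depths = component_depths(sbom)
    findings = []
    for c in sbom["components"]:
        ver = parse_version(c["version"])
        for name, lo, hi, adv in ADVISORIES:
            if c["name"] == name and parse_version(lo) <= ver < parse_version(hi):
                findings.append((c["name"], c["version"], depths.get(c["bom-ref"]), adv))
    return findings
```

The depth value shows why a shallow inventory misses the problem: the flagged component here is three levels below the application and never appears as a direct dependency.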

Q: What can most businesses do when they find a vulnerability, given that they lack the capabilities to contribute a meaningful patch or update?

A: For most businesses, security tends to be a holistic ecosystem of external and internal defensive technologies, as well as application and code scanning tools for runtimes and development.

This means that external and internal cybersecurity solutions can attempt to track every node in the network for possible intrusions, while analysis tools help to uncover code weaknesses that may either allow intrusions or cause legal ramifications.

External third-party consultants and integrators can often supplement the internal practice, and may be able to provide transient patching or workarounds until official patches are released.

Q: Some businesses might even argue that it is better to keep running software with a known vulnerability (and wait for a patch) than to take down a service that will impact business adversely, because that’s the same as DDoS’ing yourself. How would you advise these businesses?

A: It really depends on the vulnerability. If it is a non-critical vulnerability, perhaps the business, having weighed all risks, decides to run with the software until official fixes are released.

For example, as of March 14, 2023, WordPress 6.1.1 still has an unpatched blind SSRF vulnerability. Rather than shut down websites, sysadmins can mitigate the situation by turning off pingbacks, and/or blocking access to the xmlrpc.php file.

Therefore, there are always workarounds, on top of existing cybersecurity defenses that would log and block many intrusions and such attempts.

Alfred is a writer, speaker and media instructor who has covered the telecom, media and technology scene for more than 20 years. Previously the technology correspondent for The Straits Times, he now edits the Techgoondu.com blog and runs his own technology and media consultancy.