Tuesday, June 18, 2013

6 Steps to Securing Your Software Supply Chain



As the software supply chain has become global, there are increased concerns that applications may contain vulnerabilities or be replaced with compromised products during delivery, or possibly during installation. Even without these direct attempts to compromise the software supply chain, vulnerabilities are often inadvertently introduced during development. Enterprises must take full responsibility for ensuring the security of both proprietary and third-party applications.

Securing the software supply chain has been a top concern among security providers, developers and global enterprises for years. In 2009, the Software Assurance Forum for Excellence in Code (SAFECode) released The Software Supply Chain Integrity Framework: Defining Risks and Responsibilities for Securing Software in the Global Supply Chain, intended as a guide for addressing software supply chain vulnerabilities in an efficient and cost-effective manner. The report outlines a number of essential considerations for making the software supply chain safer for developers, enterprises and end consumers. Veracode’s secure software supply chain toolkit also contains an abundance of up-to-date resources for making the right decisions throughout the development and supply chain process.

  1. Thorough Testing of Software of Unknown Pedigree – To secure the software supply chain, it’s important that each transaction and change of hands is authorized, verifiable and transparent. This leaves less likelihood that entities with malicious intent would intentionally introduce vulnerabilities, knowing that it would likely be traceable.

Enterprises making use of software of unknown pedigree (SOUP) face additional challenges, usually necessitating the use of third-party application security testing to identify potential vulnerabilities. SOUP isn’t necessarily developed with malicious intent, but it’s often outdated code that has changed hands multiple times, been modified and adapted to meet various needs and hasn’t undergone adequate testing in its current form or application.

  2. Minimizing Access Privileges – Modern software applications are an assembly of hardware components, code obtained from various sources, cloud services, networks and outsourced operations, so it is no surprise that many individuals have access to critical components throughout the product lifecycle. When access controls restrict each party to only what is necessary to complete its tasks, the risk of compromised code or components being introduced is minimized.

  3. Distributing Controls and Responsibilities – During development, no single individual should have total access or the ability to unilaterally change data. Incorporating cross-checks, distributing controls and responsibilities and sharing the responsibility for application security makes it more difficult for a single person or entity to intentionally introduce malicious files or vulnerabilities.

  4. Incorporating Tamper-Evident Safeguards – When software undergoes several phases of development and passes through the hands of multiple entities before reaching the end user, safeguards that provide evidence of tampering both deter it and provide a means for quickly identifying and reversing attempts to insert malicious code and files.

  5. Apply Compliance Standards and Regulations – Common compliance standards are necessary for ensuring the security of the modern software supply chain. Enterprises must set clear expectations and requirements for vendors, including the vendors serving their direct suppliers. When enterprises and vendors work collaboratively to bring applications to market, mutually agreed compliance requirements, combined with cross-checking and distributed responsibility, keep partners on the same page with the shared goal of bringing safe and effective applications to the software market.

  6. Third-Party Application Testing – Regardless of the safeguards incorporated throughout the supply chain, third-party application testing and code verification, such as vendor application security testing (VAST), is an essential final step in the process. Third-party testing detects vulnerabilities that would otherwise be overlooked and offers recommendations for eliminating risks before applications are delivered and installed.

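Steps 1 and 4 above both come down to being able to prove, at each handover, that what arrived is what was shipped. The following is an added example, not code from the original post or from Veracode or SAFECode, of one way to do that: the producer records a SHA-256 digest of every file in a release in a manifest and signs the manifest; the recipient recomputes the digests and checks the signature, so a swapped binary, an edited configuration, an extra file or a re-hashed manifest each leave evidence. The file set, its contents and the shared key are constructed for the example. A real pipeline would use a public-key signature (for example GPG) rather than an HMAC, so that a recipient can verify without being able to forge, but the detection logic is the same.

```python
"""Tamper-evident release manifests: build, sign, and verify.

Added example (not from the original post). It assumes a release is a set of
file paths and contents, and that producer and consumer share a secret key
delivered out of band (an assumption; use a public-key signature in practice).
"""
import hashlib
import hmac
import json

# Constructed sample release: what the vendor built and handed to the next party.
ORIGINAL_RELEASE = {
    "bin/app": b"\x7fELF...original-binary...",
    "lib/helper.so": b"\x7fELF...helper-library...",
    "etc/app.conf": b"listen=127.0.0.1\nlog_level=info\n",
}

SIGNING_KEY = b"shared-secret-from-an-out-of-band-channel"  # assumption for the demo


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """One SHA-256 per file path; sorted so the manifest is canonical."""
    return {path: sha256_hex(content) for path, content in sorted(files.items())}


def canonical_bytes(manifest: dict) -> bytes:
    # Canonical JSON: the same manifest always yields the same bytes to sign.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes) -> str:
    return hmac.new(key, canonical_bytes(manifest), hashlib.sha256).hexdigest()


def verify_release(files: dict, manifest: dict, signature: str, key: bytes) -> list:
    """Return a sorted list of findings; an empty list means the release is intact.

    Order matters: first confirm the manifest itself was not altered (signature),
    then compare every recorded hash, then look for removed or added files.
    """
    expected = sign_manifest(manifest, key)
    if not hmac.compare_digest(expected, signature):
        # Nothing below can be trusted if the manifest was tampered with.
        return ["manifest signature invalid"]
    findings = []
    for path, digest in manifest.items():
        if path not in files:
            findings.append(f"missing: {path}")
        elif sha256_hex(files[path]) != digest:
            findings.append(f"modified: {path}")
    for path in files:
        if path not in manifest:
            findings.append(f"unexpected: {path}")
    return sorted(findings)


def demo() -> dict:
    """Run the producer/consumer exchange against several constructed scenarios."""
    manifest = build_manifest(ORIGINAL_RELEASE)
    signature = sign_manifest(manifest, SIGNING_KEY)

    intact = dict(ORIGINAL_RELEASE)

    # A malicious intermediary swaps the binary for a backdoored one.
    backdoored = dict(ORIGINAL_RELEASE)
    backdoored["bin/app"] = b"\x7fELF...binary-with-extra-listener..."

    # During installation a file is dropped in and the config is edited.
    padded = dict(ORIGINAL_RELEASE)
    padded["lib/extra.so"] = b"\x7fELF...not-in-the-bill-of-materials..."
    padded["etc/app.conf"] = b"listen=0.0.0.0\nlog_level=info\n"

    # The attacker re-hashes the manifest to match, but cannot re-sign it.
    forged_manifest = build_manifest(backdoored)

    return {
        "intact": verify_release(intact, manifest, signature, SIGNING_KEY),
        "backdoored": verify_release(backdoored, manifest, signature, SIGNING_KEY),
        "padded": verify_release(padded, manifest, signature, SIGNING_KEY),
        "forged": verify_release(backdoored, forged_manifest, signature, SIGNING_KEY),
    }


if __name__ == "__main__":
    for scenario, findings in demo().items():
        print(f"{scenario}: {findings or 'OK'}")
```

Running it prints each scenario's findings. The signature is checked first, with a constant-time comparison, because once the manifest itself is suspect none of the per-file results mean anything; the "forged" scenario shows why a bare hash list without a signature is not tamper evidence, since the attacker can simply regenerate it.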
Securing the software supply chain, especially globally, requires a significant commitment and investment from the software development community, as well as the enterprises they serve and the vendors which serve them. Software supply chain security is a collaborative effort that neither begins nor ends with a single entity. While great strides have been made in creating a solid framework for software security, the risks remain. Without adequate safeguards and stringent testing, modern enterprises are open to a variety of vulnerabilities introduced either intentionally or unintentionally throughout the product lifecycle.

Fergal Glynn is the Director of Product Marketing at Veracode, an award-winning application security company specializing in securing the software supply chain and other application security risks, with effective risk assessment tools such as its secure software supply chain toolkit.

Friday, June 7, 2013

Apple signed an agreement with Warner Music


Apple has signed an agreement with Warner Music. After Universal, Apple has reached a new agreement with Warner Music, another of the major labels, and is still negotiating with Sony. Its competitor to Pandora could be launched as early as WWDC. Apple's launch of a new online music listening service at its largest annual conference, WWDC, seems to be confirmed: according to sources cited by CNet.com, the company has concluded an agreement with another major, Warner Music.

In April, Apple entered into an agreement with Universal Music, the largest label in the world, allowing it to use the label's catalogue for its new service, unofficially called iRadio and inspired by Pandora. Sony is still negotiating with Apple. According to sources, the terms offered to the label would be more financially advantageous than those made with Pandora. At the start of negotiations Apple had reportedly offered a much lower price, which has since been reassessed. To encourage the majors to sign, Apple has promised two sources of income: a payment for each stream, and a percentage of the advertising revenue collected by Apple through the listening service, which is attached to iTunes and intended for use on mobile devices.

Sunday, June 2, 2013

Windows 8.1 named Windows Blue!



Under the code name Blue, Microsoft is working on a future release of Windows 8; we have compiled all the important information about the new operating system for you. Compared to its predecessors, Windows 8 does much differently. With a new operating concept (the Metro interface), the software giant's operating system is positioned as an all-rounder, but some users react negatively at first contact, and some of the changes were not fully thought through. Microsoft is therefore already working on a successor that will do many things better.

As Microsoft's Tami Reller confirmed in conversation with Mary Jo Foley, the internal code name Blue stands for a major update of Windows 8. Blue also represents a new release strategy for Microsoft: instead of bringing out a new operating system every three years as before, the current Windows will in future receive a generous annual revision. As Microsoft officially confirmed, the first of these updates, Windows 8.1, launches in 2013. Some of the new features of Windows 8.1 have already been announced. The update brings back the Start button that many users missed, although clicking it leads to the Start screen; the Start menu of the predecessor evidently does not find its way back into Windows 8. Users can also use their desktop wallpaper as the background of the Start screen. Until now it has not been possible to boot a Windows 8 computer directly into desktop mode. Some of the changes in Windows 8.1 are reported to be available only to users of Windows 8 Pro. Microsoft plans to integrate its own search engine, Bing. There are also improvements to the Photos and Mail apps, as well as SkyDrive and Camera. Internet Explorer 11 is part of Windows 8.1, which is expected to be available to all Windows 8 users at the end of June.

At the end of March an early version of Windows 8.1 leaked onto the Internet, and it lets us guess the direction. The model for it is Windows Phone 8. It contains a makeover of the tile interface: as on Windows Phone 8, tiles can be zoomed in and out, and several tiles can be selected and moved at the same time. Instead of 20 colours, users of Windows Blue can define their own background and tile colours; in Windows 8 there were only 20 colour combinations for the new Start screen. With Blue it gets colourful: a smooth colour control now allows hundreds of colour combinations for the background and the tiles. The familiar Windows 8 background patterns are still present.

Julie Larson-Green has put an end to the many speculations about when Microsoft will release an official version of the new Windows. In early May, the head of Windows development announced that a public preview of Windows 8.1 is planned for all Windows 8 users and will be released during the Build developer conference 2013, which runs from 25 to 28 June in San Francisco. The update will then be distributed through the Windows Store for Windows 8, with the final version to follow. Microsoft's traditional strategy of releasing a new version of Windows every three years is not sustainable in today's highly mobile world; the company had no choice but to change. To compete with Apple, Microsoft will now bring out new versions of Windows in a faster cycle, and the first step is that new functions arrive through these updates rather than through service packs. At the same time, Microsoft is shifting functions of the traditional desktop step by step into the new tile interface. On the desktop itself there are (so far) no significant changes. To see more, you have to wait until the end of June.

Thursday, May 30, 2013

AMD wants to add Jaguar in servers!


AMD seems to be staking everything on its new Jaguar architecture. It has already been planted at the heart of the PlayStation 4 and the Xbox One, and it will soon land in our laptops and tablets via the Kabini and Temash hybrid SoCs. Today the company announced a further step: servers, with the Opteron X1150 and X2150. Jaguar thus continues on its way and lands in servers via the Kyoto generation of chips, known as the Opteron X1150 and X2150. When AMD wants to, it is able to choose simple and effective names, far from what is imposed on us in the consumer market. The main difference between the two chips is the presence or absence of a graphics part (X2150 only), and the minimum TDP of 9 or 11 watts. At the maximum this value rises to 17 or 22 watts. The range is explained by the option left to the user to set the frequency in the BIOS to suit their thermal needs, which AMD calls Flexible TDP.

The graphics part is of course the GCN (Graphics Core Next) architecture of the Radeon HD 7000, used here with 128 processing units but under the HD 8000 name. Hardware video encoding and decoding are also present. With Intel starting to push its QSV solution and Media SDK on servers, the Texan company clearly also wants a share of that pie. Each model has four CPU cores, at a maximum frequency of 1.9 GHz (X2150) or 2 GHz (X1150). On the GPU side the frequency varies from 266 MHz to 600 MHz depending on the model. For the rest, everything is the same: a maximum of 32 GB of DDR3 is supported, along with eight PCIe 2.0 lanes, eight USB 2.0 ports, two USB 3.0 ports and two 6 Gb/s Serial ATA ports. All of this comes in a 24.5 x 24.5 mm BGA package.

AMD still has some clear advantages to play, as it does in the consumer segment. In both cases, the quality of the graphics could actually help to convince customers. We'll see how it works out in practice; inertia about changing habits is even greater in the server world.

Saturday, May 25, 2013

Talk With Your Chrome 27 Browser!



The new version of Google's browser is here. Chrome 27 shines with faster load times and a full-screen mode for Android smartphones. According to Google's announcement, adding up the saved loading time across all websites, the speed-up saves all Chrome users together 510 years of their time every week. Chrome 27 is a fast browser; the manufacturer promises on average five percent faster load times, for which the developers have optimized the loading process. In daily surfing, however, these improvements are comparatively small; the advantage of faster loading times should be noticeable only when accessing complex pages with many different elements. Google's surprise announcement that it will rely in future on its own browser engine instead of the proven WebKit does not yet apply to the current version, and will only take effect with Chrome 28.

As usual, Google has closed some security holes in the new Chrome version. This time the Internet giant paid almost 15,000 US dollars for the discovery of the vulnerabilities. The highest reward, over $3,000, went to the Finnish University of Oulu for the detection of memory errors in audio playback. Security researchers found a total of 14 vulnerabilities classified as high risk, which have been removed in Chrome 27. In addition, the new browser receives an improved version of the Flash Player. With Chrome 27, Chrome users get the chance to use the intelligent voice search presented at Google's developer conference. Interestingly, Google does not present Voice Search as an exclusive new feature of Chrome 27: in the announcement, the function does not appear once. Go to Google search with the latest browser version and a microphone icon appears in the input field; if appropriate audio hardware is installed or connected to your PC, you can dictate your queries from then on.

The version for Android devices has also received an update. On smartphones you can now surf with Chrome 27 in full-screen mode: simply scroll down to make the address bar disappear. On tablets that function is not yet available. If you use the Omnibox for web search, Chrome 27 keeps your search terms displayed there instead of the Google address, which at the same time leaves more space for your search results. For website developers, Chrome 27 offers, thanks to support for new HTML5 features, an easy way to integrate form elements; a demo page shows how this is done. Furthermore, the Chrome team has optimized the developer tools in some places to make web developers' work easier. Also on board is a new audio interface, which allows the browser to be fed with a live stream; it builds on the new standard for real-time communication that Google introduced in Chrome 21. In addition, the Chrome developers have built a sync file system interface to access data from Google Drive in Chrome apps. Beyond these changes, the new Google browser comes with a number of other minor improvements.


In Chrome 27, Google continues the trend of its predecessor. The most interesting changes for end users can be found in the Android version. The desktop version also receives profound innovations, but they play out mainly under the hood. With intelligent Voice Search you have your hands free for other things while communicating with the PC. In terms of speed, Google's browser leaves the competition far behind as usual.