Code snippets copied from copyleft-licensed open source projects represented the biggest risk in software 15 years ago. The Heartbleed vulnerability, discovered in April 2014, brought to the fore concerns about the security of open source components, and license risk took a bit of a back seat. But the problem never went away. Now, the advent of Generative AI as a tool for writing software is shining a new light on the issue.

IoT devices are ubiquitous in our daily lives—whether it’s at home with connected home automation devices, or at work with connected factories, hospitals, and even connected cars. According to data-gathering and visualization firm Statista, there was an estimated 15.9 billion IoT devices in use in 2023, and that number is expected to climb to more than 32.1 billion in 2030.

Software applications are becoming more sophisticated every day. As a result, organizations often struggle to manage the complexity and operational costs of securing them.

In early March 2024, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) released its final Secure Software Development Attestation Form instructions, sparking a renewed urgency around understanding and complying with 31 of the 42 tasks in NIST SP 800-218 Secure Software Development Framework (SSDF) version 1.1.

Generative AI has emerged as the next big thing that will transform the way we build software. Its impact will be as significant as open source, mobile devices, cloud computing—indeed, the internet itself. We’re seeing Generative AI’s impacts already, and according to the recent Gartner Hype Cycle for Artificial Intelligence, AI may ultimately be able to automate as much as 30% of the work done by developers.

The Synopsys Cybersecurity Research Center (CyRC) has exposed prompt injection vulnerabilities in the EmailGPT service. EmailGPT is an API service and Google Chrome extension that assists users in writing emails inside Gmail using OpenAI's GPT models. The service uses an API service that allows a malicious user to inject a direct prompt and take over the service logic. Attackers can exploit the issue by forcing the AI service to leak the standard hard-coded system prompts and/or execute unwanted prompts.

The Synopsys Cybersecurity Research Center (CyRC) has exposed a data poisoning vulnerability in the EmbedAI application. EmbedAI allows users to interact with documents by utilizing the capabilities of large language models (LLMs). This vulnerability could result in an application becoming compromised, leading to unauthorized entries or data poisoning attacks.

Released by the Ponemon Institute and sponsored by Synopsys, the 2024 “The State of Software Supply Chain Security Risks” report surveys over 1,200 global IT and security practitioners on challenges their organizations face in securing the software supply chain. Here are six key findings from the report every cybersecurity professional should know.

We're excited to announce the availability of Polaris Assist, our AI-powered application security assistant that combines decades of real-world insights with a powerful large language model (LLM). Polaris Assist gives security and development teams easy-to-understand summaries of detected vulnerabilities and code fix recommendations to help them build secure software faster.

A necessary step in securing an application is evaluating the supply chain of each component used to create the application—no matter how many hands were involved in its development. If any links in the supply chain are obscured, it can be difficult to confidently assess the amount of risk that an application is susceptible to.