Interviews | July 13, 2022

Outdated Open-Source Code a Pervasive Risk at Many Organizations

KnowBe4 | Netscout | Synopsys

Perry Carpenter
Chief Evangelist & Strategy Officer


Q1. What’s your biggest concern regarding the use of AI/ML and deepfakes in social engineering attacks in the years ahead? What’s it going to take to address the challenge?

Our challenges with deepfakes are simple to understand but difficult to address. AI and ML are doing three things which compound the deepfake problem.

First, advances in AI and ML are—obviously—helping deepfakes become extremely convincing. The ability to not only convincingly clone someone’s face but also their voice, vocal cadences, and mannerisms means that even the most well-trained, technically savvy, and skeptical of audiences won’t always be able to trust their eyes or ears.

Second, even freely available consumer-grade applications show surprising realism. Constantly improving computing power in consumer-grade devices combined with more efficient processing algorithms and/or the ability to offload processing to highly powerful cloud-based systems means that common members of the general public will soon have access to weapons-grade disinformation generation apps in their pockets.

And thirdly, AI and ML can help analyze social media feeds, dumps from data breaches, newspaper entries, public records, and more to identify targets of opportunity or to do deep reconnaissance on high-profile targets. If a large number of opportunistic targets is identified, then attacks can be launched at scale. With higher-level targets that have been selected by humans, the time to research and find viable pretexts can be drastically reduced. Additionally, AI and ML assisted applications can be persistent – constantly shifting and retrying until successful.

This will be a difficult problem to address. And, ironically, we’ll also need to turn to AI and ML to help. These technologies will help with analysis of audio & video. AI and ML will be used to proactively identify and take down known sources of information. And people will use AI and ML to help train themselves to be more resilient. And, of course, we’ll have to couple all of that with traditional training, good ole’ skepticism, and networks of trusted resources to help us make judgment calls.

Q2. So much of enterprise security these days is dependent on users not making mistakes or behaving in a negligent or malicious way. Do you see the industry ever getting to a point where security will be a lot less dependent on user behavior or the actions they take?

End users will always be part of the equation. I can’t tell you how many security vendor pitches I’ve heard over the years where a well-intentioned vendor has claimed that their product—or their product roadmap—will make user error or the effects of user error a thing of the past. Let’s face it, that hasn’t happened yet. And, even the best advances we’ve seen still have ways of being bypassed or broken either intentionally or through negligence.

Even some of the best technologies we have today that can reduce the impact of phishing [such as] MFA can be bypassed, or the user can be tricked into giving away a one-time passcode or can be lulled into clicking an authorization push notification.

One of the clearest examples of our need to put more attention on the human side of things is seen when we look at spending levels versus the number of data breaches each year. Security spending has steadily increased each year, and yet the number of data breaches continues to rise at a rate that outpaces spending. And, when we look at the root cause for data breaches, we find that 82% are caused by social engineering or human error (2022 Verizon DBIR). So, our spending on security isn’t helping us keep up. But, when we do a deep dive into the spending habits, we find that less than 5% of security spending is focused on the human. That – I believe – implies that we need to focus way more time, effort, and investment on training, behavior science, and security culture.

Q3. What are KnowBe4’s plans at Black Hat USA 2022? What kind of questions do you expect customers will have for your company at the event?

KnowBe4 will have live presentations and demo stations for attendees to learn more about:

  • KnowBe4's Security Awareness Training and Simulated Phishing Platform
  • Compliance Plus, a new add-on library for employee compliance training
  • PhishER, to identify and respond to user-reported email threats faster
  • KCM GRC for compliance and risk management
  • The Annual 2022 Phishing by Industry Benchmarking Report
  • And more

Stop by the KnowBe4 booth #2032 to check out our demo on simulated phishing and security awareness training to receive a free hat!

Paul Barrett
Chief Technology Officer


Q1. How has the increase in multi-vector DDoS attacks complicated DDoS mitigation processes/mechanisms for organizations?

Our data shows that it's common to have up to 15 different attack vectors in a single DDoS attack. Vectors generally fall into three main categories: volumetric attacks – designed to saturate internet-facing circuits; state exhaustion attacks – designed to take down stateful devices such as firewalls, VPN gateways, and load balancers; and application-layer attacks – designed to slowly exhaust resources in servers running applications such as DNS or HTTP. Because attackers routinely launch many combinations of multi-vector attacks, best practices in DDoS defense recommend an intelligently automated combination of cloud-based and on-premises-based DDoS mitigation solutions.

Q2. Many organizations have lost visibility and control of their assets across today's hybrid networks. What are the requirements for effectively closing the visibility gap and regaining control of those assets?

We believe that consistent and comprehensive network visibility across an organization's entire network infrastructure—legacy network, private or public clouds, etc.—is required to maintain control over the ever-changing number of new network devices and movement of confidential data.

Q3. Netscout has a broad portfolio of technologies and services. What do you plan on showcasing for customers at Black Hat USA 2022? What can they expect from Netscout at the event?

At Black Hat '22 we plan on showcasing two major cybersecurity solutions. The first is our industry-leading Arbor DDoS protection solutions consisting of Arbor Edge Defense and Arbor Cloud. The second is our Omnis Security, an award-winning, advanced network detection and response solution based upon our patented and scalable deep packet inspection technology. You can expect detailed demonstrations of these solutions and in-depth discussions with NETSCOUT technical and executive management personnel.

Jason Schmitt
General Manager


Q1. What drove Synopsys’ decision to acquire WhiteHat Security? How does it build on/broaden your company’s existing capabilities?

The recent acquisition of WhiteHat Security adds significant new SaaS capabilities and a technology-leading dynamic application security testing (DAST) product to what is considered one of the industry’s broadest application security testing (AST) portfolios. WhiteHat and Synopsys are strategically aligned, with a shared vision for delivering SaaS-based security testing services and building security into the software development lifecycle.

As a long-time technology leader in the application security testing market segment, WhiteHat has a large base of long-term customers with little overlap with the Synopsys customer base. Additionally, WhiteHat’s strong competency in DAST complements Synopsys’ strengths in Static Analysis (SAST), Software Composition Analysis (SCA), Interactive Analysis (IAST), and orchestration and correlation (ASOC). The acquisition adds well-known and respected SaaS capabilities to the Synopsys portfolio, broadening our offering to existing and new customers.

Software Integrity is a key part of the Synopsys strategy, with an expanded customer base, a large total addressable market beyond its traditional EDA and IP business, and high growth potential. The addition of WhiteHat is an important move to help us scale this business to its next level of impact. Synopsys currently offers multiple SaaS-based solutions and will be moving other solutions to SaaS over time. The WhiteHat acquisition will accelerate our SaaS-based solution for dynamic analysis with a proven, market-segment-leading solution.

Q2. What are the key takeaways for organizations from the Synopsys 2022 Open Source Security and Risk Analysis report? What did it reveal about the current state of SCA and open source within enterprises?

The 2022 Open Source Security & Risk Analysis (OSSRA) report is Synopsys’ annual in-depth look at the current state of open source security, compliance, licensing, and code quality risks in commercial software. The report, produced by the Synopsys Cybersecurity Research Center (CyRC), examines the results of commercial and proprietary codebases from merger and acquisition transactions, performed by the Black Duck® Audit Services team. The report highlights trends in open-source usage within commercial and proprietary applications and provides insights to help developers better understand the interconnected software ecosystem. It also details the pervasive risks posed by unmanaged open source, including security vulnerabilities, outdated or abandoned components, and license compliance issues.

In 2021, our researchers examined anonymized findings from over 2,400 commercial codebases across 17 industries. 2,097 of those audits included security and operational risk assessments. The growth in the number of codebases audited by Synopsys in 2021—64% larger than last year’s—reflects the significant increase in mergers and acquisitions throughout 2021. The growth in audits can also be attributed to a recognition that software is often a key element of a company’s IP. More acquirers in M&A deals want to understand what risk may be associated with the software they’re acquiring—specifically risk around licensing, security, and the quality of the open source used in that software.

The 2022 OSSRA report findings underscore the fact that open source is used everywhere, in every industry, and is the foundation of every application built today. The results reflect that outdated open source remains the norm—including the presence of vulnerable Log4j versions. From an operational risk/maintenance perspective, 85% of the 2,097 codebases contained open source that was more than four years out-of-date. 88% utilized components that were not the latest available version. 5% contained a vulnerable version of Log4j.
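As an added illustration, not part of the interview or of the OSSRA report, the script below turns those three findings into checks a defender can run over their own inventories: it scans a handful of constructed CycloneDX-style SBOMs and reports the share of codebases with components more than four years old, components behind the latest release, and a log4j-core version below a fixed-version floor. The audit date, the four-year threshold, the "latest version" catalogue, the `releaseDate` field and the log4j-core floor are all assumptions supplied by the operator, and every SBOM record is invented.

```python
import json
from datetime import date, datetime

# Constructed policy inputs (assumptions, not values from the OSSRA report).
AUDIT_DATE = date(2021, 12, 31)          # "today" for age calculations
MAX_AGE_DAYS = 4 * 365                   # the report's "more than four years" bar
LOG4J_MIN_FIXED = (2, 17, 1)             # floor below which log4j-core is treated as vulnerable
# Stand-in for a package-index lookup: newest known release per component (assumed).
LATEST = {"log4j-core": (2, 17, 1), "jackson-databind": (2, 13, 1), "lodash": (4, 17, 21)}

def parse_version(v):
    """'2.14.1' -> (2, 14, 1). Pre-release suffixes such as '-beta9' are dropped (assumption)."""
    return tuple(int(part.split("-")[0]) for part in v.split("."))

def assess_codebase(sbom_json):
    """Evaluate one SBOM and return the three per-codebase risk flags."""
    flags = {"stale_4y": False, "not_latest": False, "vuln_log4j": False}
    for comp in json.loads(sbom_json)["components"]:
        name, ver = comp["name"], parse_version(comp["version"])
        released = datetime.strptime(comp["releaseDate"], "%Y-%m-%d").date()
        if (AUDIT_DATE - released).days > MAX_AGE_DAYS:
            flags["stale_4y"] = True                     # operational/maintenance risk
        if name in LATEST and ver < LATEST[name]:
            flags["not_latest"] = True                   # behind the newest release
        if name == "log4j-core" and ver < LOG4J_MIN_FIXED:
            flags["vuln_log4j"] = True                   # known-vulnerable logging library
    return flags

def summarize(sboms):
    """Percentage of codebases carrying each flag, the same shape as the report's 85% / 88% / 5%."""
    results = [assess_codebase(s) for s in sboms]
    return {k: round(100 * sum(r[k] for r in results) / len(results)) for k in results[0]}

# Constructed SBOMs: names are real projects, but versions and dates are invented for the demo.
SAMPLE_SBOMS = [
    json.dumps({"components": [{"name": "log4j-core", "version": "2.14.1", "releaseDate": "2021-03-12"},
                               {"name": "lodash", "version": "4.17.21", "releaseDate": "2021-02-20"}]}),
    json.dumps({"components": [{"name": "jackson-databind", "version": "2.6.7", "releaseDate": "2017-06-07"}]}),
    json.dumps({"components": [{"name": "lodash", "version": "4.17.21", "releaseDate": "2021-02-20"}]}),
    json.dumps({"components": [{"name": "log4j-core", "version": "2.17.1", "releaseDate": "2021-12-28"},
                               {"name": "jackson-databind", "version": "2.13.1", "releaseDate": "2021-12-19"}]}),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_SBOMS))   # -> {'stale_4y': 25, 'not_latest': 50, 'vuln_log4j': 25}
```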

Q3. What can customers at Black Hat USA 2022 expect from Synopsys this time around?

We’re very much looking forward to having conversations with attendees around how digital transformation continues to reshape the way organizations operate. Even those that may not have thought of themselves as software-dependent in the past have digitized to optimize business processes and gain a competitive advantage.

All businesses at this point are software businesses: They either build software as part of their product and service offerings or buy software and depend on it to operate the business. In either case, the ability to innovate and deliver value to customers is powered by secure, reliable software. This also means every business is vulnerable to security risk from software attacks.

Securing the software supply chain is the first step to addressing this foundational risk. The software supply chain comprises all the open-source, proprietary and third-party software businesses develop and rely on to operate, as well as the collective processes through which they assemble this software. But securing the software supply chain involves more than just building a Software Bill of Materials (SBOM). Although knowing what’s in a software supply chain is a good first step and helps organizations move with speed and accuracy in the event of a breach, building a culture of security is the best protection against allowing a breach in the first place.

And this is where Synopsys can help. With the most comprehensive suite of industry-leading solutions on the market, we want to continue helping organizations build trust in the software that powers their business. Visit us at booth #1560 to learn more!
