Editor’s brief: If you are a sysadmin or cybersecurity practitioner, one of the acronyms that must trigger your daily alerts is CVE, which stands for Common Vulnerabilities and Exposures, which are publicly disclosed cybersecurity flaws. The authoritive list is the CVE® List, which also lists all the parties that can number new CVEs, known as a CVE Numbering Authority (CNA), which to-date has 161 organizations worldwide. Synopsys, the global leader in software integrity, has been included in the latest CVE® List as a CNA. Unlike some CNAs which identify vulnerabilities and give them CVE IDs for their own product issues, Synopsys can give CVE IDs for their own products, as well as vulnerabilities in third-party software discovered by the Synopsys SIG (Software Integrity Group) that are not already in another CNA’s scope. The vendor’s release is below.
Synopsys Authorised as a CVE Numbering Authority (CNA)
CNA designation issued by the CVE Program streamlines Synopsys’ ability to publish open source software vulnerabilities, underscoring its commitment to bolstering the security of the software ecosystem.
SINGAPORE, @mcgallen #microwireinfo, March 31, 2021 – Synopsys, Inc. (Nasdaq: SNPS) today announced the company’s designation as a CVE Numbering Authority (CNA) by the CVE Program. As a CNA, the Synopsys Software Integrity Group is now authorised to assign CVE identification numbers to newly discovered vulnerabilities and publish information about the vulnerabilities in the associated CVE records.
Since the inception of its Cybersecurity Research Center (CyRC), Synopsys has strived to improve the security posture of the open source community through testing tools like Coverity Scan, by providing enriched CVE data to customers through Black Duck Security Advisories, and by responsibly disclosing vulnerabilities it discovers through the CVE Program and other CNAs. As a newly designated CNA, Synopsys can streamline the process of publishing accurate and timely vulnerability information it uncovers to the public.
“We’re excited to take this next step in our progression as a good steward of the broader software ecosystem,” said Jason Schmitt, general manager of the Synopsys Software Integrity Group. “As a leader in application security, vulnerability research is part of our DNA. As a CNA, we can more effectively and efficiently disseminate the results of our research to our customers and the software community in general — for both newly discovered vulnerabilities and existing CVE records that may be inaccurate or incomplete.”
The CVE® Program is an international, community-based program whose mission is to identify, define, and catalogue publicly disclosed cybersecurity vulnerabilities. CVE IDs are assigned by CNAs, which are operated on a voluntary basis by participating organisations. Synopsys joins authorised commercial entities such as Linux, Red Hat, Google, and Microsoft as a CNA.
“The identification and availability of accurate and timely vulnerability information is essential when protecting the software supply chain,” said Christopher Fearon, Director of Research Engineering for the Synopsys Software Integrity Group.“As we expand our vulnerability research and development efforts within Synopsys CyRC, the direct nature of disclosing vulnerabilities as a CNA adds an increased level of transparency and speed to our research capabilities.”
To disclose a vulnerability through Synopsys or to learn about our responsible disclosure process, visit our Responsible Disclosure Policy.
About the Synopsys Software Integrity Group
Synopsys Software Integrity Group helps development teams build secure, high-quality software, minimising risks while maximising speed and productivity. Synopsys, a recognised leader in application security, provides static analysis, software composition analysis, and dynamic analysis solutions that enable teams to quickly find and fix vulnerabilities and defects in proprietary code, open source components, and application behaviour. With a combination of industry-leading tools, services, and expertise, only Synopsys helps organisations optimise security and quality in DevSecOps and throughout the software development life cycle. Learn more at www.synopsys.com/software.
Synopsys, Inc. (Nasdaq: SNPS) is the Silicon to Software™ partner for innovative companies developing the electronic products and software applications we rely on every day. As an S&P 500 company, Synopsys has a long history of being a global leader in electronic design automation (EDA) and semiconductor IP and offers the industry’s broadest portfolio of application security testing tools and services. Whether you’re a system-on-chip (SoC) designer creating advanced semiconductors, or a software developer writing more secure, high-quality code, Synopsys has the solutions needed to deliver innovative products. Learn more at www.synopsys.com.