2016 Breaks Vuln Record and Avoiding a Podesta-Style Email Hack

For the first full week of February, the NVD reports 363 vulnerability entries. Speaking of vulnerabilities, Risk Based Security announced this week that 2016 broke the previous all-time record for the highest number of reported vulnerabilities. The 15,000 vulnerabilities cataloged during 2016 by Risk Based Security eclipsed the total covered by the CVE and National Vulnerability Database (NVD) by more than 6,500. You can learn more from their 2016 Year End VulnDB QuickView report.

In other cybersecurity and open source news: Black Duck’s Senior Technologist publishes a thought-provoking and controversial claim that the container community is failing to recognize lessons from the past when it comes to security. Agree? Disagree? You have the opportunity to continue the conversation with Tim about container security at Container World 2017 at his panel, “Container Security: Countering the Container Challenges” on February 23rd. 

IBM is embarking on a new era of open source accessibility by releasing tooling, samples and design patterns to help streamline the development of inclusive web and mobile applications. InfoWorld's Paul Krill talks with Red Hat cybersecurity strategist Josh Bressers about vetting open source as part of the software supply chain. Security vendors take baby steps toward working together for the greater good. And Black Duck Software Architect Damon Weinstein blogs on how you can avoid a Podesta-style XSS email hack.

The Biggest Risk with Container Security Is Not Containers

Tim Mackey, Technology Evangelist at Black Duck Software, discusses in Cloud + Enterprise Technology (UK) why attacks on datacenter applications are the real threat to containers.

“The biggest risk I see with container security is that attacks are mounted on applications far more often than on perimeter defenses. Increasing container security should start with increasing the security of the applications deployed in containers. Only then will we have an effective defense in-depth model. Yes, we also need more secure container frameworks, but when those frameworks know nothing about the applications they encapsulate, they can’t possibly prevent well-crafted application attacks.” 

Inclusive Development Gets Open Source Tools from IBM

According to Black Duck Software’s Future of Open Source Survey 2016, “78 percent of companies run on open source and 88 percent say that they plan to contribute more to open source over the next few years.” As open source tooling and contributions continue to grow, IBM Accessibility Research is making accessibility more available, easier to deploy, and an integral part of the ecosystem of open technologies.

Open Source Users: It’s Time for Extreme Vetting 

Josh Bressers, cybersecurity strategist at Red Hat, emphasized that users also must be wary of issues the code can present and implement proper vetting during a recent talk with InfoWorld Editor at Large Paul Krill. “Open source won. It won because it's used everywhere now. But now we have a supply chain problem we need to start thinking about and that is, where did you get it and how is it being taken care of, because software doesn't age well. This is something that you have to take care of and you have to pay attention to. You can't just pull software into your project and you're done.” 

Vulnerabilities Hit High Water Mark in 2016

Via Dark Reading: It's the same story, but a different year for application security as a new report today shows that for the fifth year running the number of reported software vulnerabilities broke an all-time record. According to the report from Risk Based Security, which counted vulnerabilities catalogued on the firm's VulnDB intelligence platform, 2016 tallied 15,000 new vulnerabilities disclosed. Compared to 2011, this represents an increase of more than 85% in vulnerabilities disclosed annually.   

Friends or Enemies? Security Vendors Tiptoe Towards Collaboration

Via CSO: IT security has become one of the most complex elements of a modern IT environment, requiring layers of protection, along with advanced analytics to block attacks, halt intruders and secure data. Nonetheless, the current layers of security fail at times, often due to a single vendor approach to creating those layers of security. Naturally, vendors are not all to blame, except for the fact that a lack of collaboration and technology transfer among those security vendors effectively creates silos of protection, regardless of the number of layers installed. Simply put, the threats of today are larger than any one vendor, meaning that the isolation of security technology must become a thing of the past.

How to Avoid a Podesta-style XSS Email Hack

“We learned how hackers exploit a cross-site scripting (XSS) vulnerability, a vulnerability caused by a web application displaying one user's input to other users (such as comments at the bottom of a page) without first encoding it,” blogs Black Duck Software Architect, Damon Weinstein. “This type of vulnerability allows arbitrary code (JavaScript) to be executed in the browser. We then used a program called BeEF to hook the browser and display a fraudulent gmail login page, exactly as was done to Podesta.”
