2016 Breaks Vuln Record and Avoiding a Podesta-Style Email Hack

For the first full week of February, the NVD reports 363 vulnerability entries. Speaking of vulnerabilities, Risk Based Security announced this week that 2016 broke the previous all-time record for the highest number of reported vulnerabilities. The 15,000 vulnerabilities cataloged during 2016 by Risk Based Security eclipsed the total covered by the CVE and National Vulnerability Database (NVD) by more than 6,500. You can learn more from their 2016 Year End VulnDB QuickView report.

In other cybersecurity and open source news: Black Duck’s Senior Technologist Tim Mackey publishes a thought-provoking and controversial claim that the container community is failing to recognize lessons from the past when it comes to security. Agree? Disagree? You can continue the conversation with Tim at Container World 2017, where he sits on the panel “Container Security: Countering the Container Challenges” on February 23rd.

IBM is embarking on a new era of open source accessibility by releasing tooling, samples and design patterns to help streamline the development of inclusive web and mobile applications. InfoWorld’s Paul Krill talks with Red Hat’s cybersecurity strategist about vetting open source as part of the software supply chain. Security vendors take baby steps toward working together for the greater good. And Black Duck Software Architect Damon Weinstein blogs on how you can avoid a Podesta-style XSS email hack.

The Biggest Risk with Container Security Is Not Containers

Tim Mackey, Technology Evangelist at Black Duck Software, explains in Cloud + Enterprise Technology (UK) why datacenter attacks threaten containers.

“The biggest risk I see with container security is that attacks are mounted on applications far more often than on perimeter defenses. Increasing container security should start with increasing the security of the applications deployed in containers. Only then will we have an effective defense in-depth model. Yes, we also need more secure container frameworks, but when those frameworks know nothing about the applications they encapsulate, they can’t possibly prevent well-crafted application attacks.” 

Inclusive Development Gets Open Source Tools from IBM

According to Black Duck Software’s Future of Open Source Survey 2016, “78 percent of companies run on open source and 88 percent say that they plan to contribute more to open source over the next few years.” As open source tooling and contributions continue to grow, IBM Accessibility Research is making accessibility more available, easier to deploy, and an integral part of the ecosystem of open technologies.

Open Source Users: It’s Time for Extreme Vetting 

In a recent conversation with InfoWorld Editor at Large Paul Krill, Josh Bressers, cybersecurity strategist at Red Hat, emphasized that users of open source must also be wary of the issues the code can present and must vet it properly. “Open source won. It won because it's used everywhere now. But now we have a supply chain problem we need to start thinking about and that is, where did you get it and how is it being taken care of, because software doesn't age well. This is something that you have to take care of and you have to pay attention to. You can't just pull software into your project and you're done.”

Vulnerabilities Hit High Water Mark in 2016

Via Dark Reading: It's the same story, but a different year for application security as a new report today shows that for the fifth year running the number of reported software vulnerabilities broke an all-time record. According to the report from Risk Based Security, which counted vulnerabilities catalogued on the firm's VulnDB intelligence platform, 2016 tallied 15,000 new vulnerabilities disclosed. Compared to 2011, this represents an increase of more than 85% in vulnerabilities disclosed annually.   

Friends or Enemies? Security Vendors Tiptoe Towards Collaboration

Via CSO: IT security has become one of the most complex elements of a modern IT environment, requiring layers of protection, along with advanced analytics to block attacks, halt intruders and secure data. Nonetheless, the current layers of security fail at times, often due to a single vendor approach to creating those layers of security. Naturally, vendors are not all to blame, except for the fact that a lack of collaboration and technology transfer among those security vendors effectively creates silos of protection, regardless of the number of layers installed. Simply put, the threats of today are larger than any one vendor, meaning that the isolation of security technology must become a thing of the past.

How to Avoid a Podesta-style XSS Email Hack

“We learned how hackers exploit a cross-site scripting (XSS) vulnerability, a vulnerability caused by a web application displaying one user's input to other users (such as comments at the bottom of a page) without first encoding it,” blogs Black Duck Software Architect, Damon Weinstein. “This type of vulnerability allows arbitrary code (JavaScript) to be executed in the browser. We then used a program called BeEF to hook the browser and display a fraudulent gmail login page, exactly as was done to Podesta.”
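The defect the quote describes, user input concatenated into a page without encoding, beside the fix, as an added example that is not code from the original post or from Black Duck. The comment widget, its field names and the sample comment are constructed for illustration.

```javascript
// Added example (not from the original post): an HTML output encoder and a
// comment renderer, shown once without encoding and once with it. The comment
// widget, its fields and the sample comment are constructed for illustration.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode a value for an HTML text or quoted-attribute context so the browser
// treats it as literal characters rather than as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable: the commenter's input is concatenated into markup unchanged,
// which is exactly the defect the post describes.
function renderCommentUnencoded(comment) {
  return `<li class="comment"><b>${comment.author}</b>: ${comment.body}</li>`;
}

// Hardened: every user-controlled field is encoded for the context it lands in.
function renderCommentEncoded(comment) {
  return `<li class="comment"><b>${escapeHtml(comment.author)}</b>: ${escapeHtml(comment.body)}</li>`;
}

// Review heuristic: the only tags allowed in the rendered fragment are the ones
// in our own template; any other '<' came from user input that was not encoded.
function hasUnexpectedMarkup(html) {
  const templateTags = /<\/?(li|b)(\s[^>]*)?>/g;
  return html.replace(templateTags, "").includes("<");
}

// Constructed sample: a comment body carrying a script tag.
const SAMPLE_COMMENT = {
  author: "alice",
  body: 'Nice post! <script>alert(1)</script>',
};

const unsafeHtml = renderCommentUnencoded(SAMPLE_COMMENT);
const safeHtml = renderCommentEncoded(SAMPLE_COMMENT);
console.log(hasUnexpectedMarkup(unsafeHtml)); // true
console.log(hasUnexpectedMarkup(safeHtml)); // false
```

Encoding must be chosen per context: this encoder covers HTML text and quoted attributes, not URLs, CSS or inline script.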
