For the first full week of February, the NVD reports 363 vulnerability entries. Speaking of vulnerabilities, Risk Based Security announced this week that 2016 broke the previous all-time record for the highest number of reported vulnerabilities. The 15,000 vulnerabilities cataloged during 2016 by Risk Based Security eclipsed the total covered by the CVE and National Vulnerability Database (NVD) by more than 6,500. You can learn more from their 2016 Year End VulnDB QuickView report.
In other cybersecurity and open source news: Black Duck’s Senior Technologist publishes a thought-provoking and controversial claim that the container community is failing to recognize lessons from the past when it comes to security. Agree? Disagree? You have the opportunity to continue the conversation with Tim about container security at Container World 2017 at his panel, “Container Security: Countering the Container Challenges” on February 23rd.
IBM is embarking on a new era of open source accessibility by releasing tooling, samples and design patterns to help streamline the development of inclusive web and mobile applications. Josh Bressers, cybersecurity strategist at Red Hat, tells InfoWorld's Paul Krill why vetting open source is a software supply chain problem. Security vendors take baby steps toward working together for the greater good. And Black Duck software architect Damon Weinstein blogs on how you can avoid a Podesta-style XSS email hack.
The Biggest Risk with Container Security Is Not Containers
Tim Mackey, Technology Evangelist at Black Duck Software, argues in Cloud + Enterprise Technology (UK) that the real threat to containers is attacks on the applications running inside them, not the container frameworks themselves:
“The biggest risk I see with container security is that attacks are mounted on applications far more often than on perimeter defenses. Increasing container security should start with increasing the security of the applications deployed in containers. Only then will we have an effective defense in-depth model. Yes, we also need more secure container frameworks, but when those frameworks know nothing about the applications they encapsulate, they can’t possibly prevent well-crafted application attacks.”
Inclusive Development Gets Open Source Tools from IBM
According to Black Duck Software’s Future of Open Source Survey 2016, “78 percent of companies run on open source and 88 percent say that they plan to contribute more to open source over the next few years.” As open source tooling and contributions continue to grow, IBM Accessibility Research is making accessibility more available, easier to deploy, and an integral part of the ecosystem of open technologies.
Open Source Users: It’s Time for Extreme Vetting
In a recent conversation with InfoWorld Editor at Large Paul Krill, Josh Bressers, cybersecurity strategist at Red Hat, emphasized that users must be wary of the issues open source code can present and must vet what they pull in. “Open source won. It won because it's used everywhere now. But now we have a supply chain problem we need to start thinking about and that is, where did you get it and how is it being taken care of, because software doesn't age well. This is something that you have to take care of and you have to pay attention to. You can't just pull software into your project and you're done.”
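One concrete, minimal form of the "where did you get it" check is to audit a dependency manifest for floating versions and missing integrity pins, and to verify a downloaded artifact against the pinned hash before trusting it. The script below is an added example written for this roundup; it is not code from the article, from Red Hat, or from Black Duck. It parses requirements.txt-style lines (pip's syntax, including `--hash=` pins used by pip's hash-checking mode). The sample manifest and the "artifact" bytes are constructed for the demo.

```python
"""Added example (not from the article or any vendor named in it): a minimal
provenance audit for a Python dependency manifest.

Two supply-chain gaps are flagged per requirement:
  * version not pinned to an exact release (== or ===), so a later
    'pip install' may silently resolve to a different artifact;
  * no --hash pin, so the artifact's integrity is never verified at
    install time (pip refuses unhashed requirements in hash-checking mode).
verify_artifact() then applies the same rule pip does: the downloaded
bytes must match at least one pinned digest.
"""
import hashlib
import re
from dataclasses import dataclass


@dataclass
class Requirement:
    name: str
    spec: str       # version specifier, e.g. "==1.26.5" or ">=2.0"; "" if absent
    hashes: list    # list of (algorithm, hex_digest) from --hash= options


# name, optional [extras], optional version specifier
PIN_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*([<>=!~]=?=?\s*[^\s;#]+)?"
)
HASH_RE = re.compile(r"--hash=([a-z0-9]+):([0-9a-fA-F]+)")


def parse_requirements(text):
    """Parse requirements.txt text; joins backslash continuations, drops comments."""
    reqs = []
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, or an option line such as --index-url / -r (out of scope)
        m = PIN_RE.match(line)
        if not m:
            continue
        hashes = [(alg.lower(), digest.lower()) for alg, digest in HASH_RE.findall(line)]
        reqs.append(Requirement(m.group(1).lower(), (m.group(2) or "").replace(" ", ""), hashes))
    return reqs


def audit(reqs):
    """Return {name: [findings]} for requirements that are not reproducibly sourced."""
    findings = {}
    for r in reqs:
        issues = []
        # exact pin only: "==1.2.3" or "===1.2.3"; wildcard "==1.*" does not count
        if not re.fullmatch(r"===?[^*]+", r.spec):
            issues.append("version not pinned to an exact release")
        if not r.hashes:
            issues.append("no --hash pin; artifact integrity unverified at install")
        if issues:
            findings[r.name] = issues
    return findings


def verify_artifact(req, data):
    """True iff data matches at least one of the requirement's pinned hashes."""
    if not req.hashes:
        return False  # nothing to check against: treat as unverified
    for alg, digest in req.hashes:
        try:
            if hashlib.new(alg, data).hexdigest() == digest:
                return True
        except ValueError:
            continue  # unknown algorithm name; skip rather than trust
    return False


# Constructed demo input: the "artifact" is just bytes, its hash pinned in the manifest.
GOOD_ARTIFACT = b"constructed wheel bytes for the demo"
GOOD_HASH = hashlib.sha256(GOOD_ARTIFACT).hexdigest()
SAMPLE_REQUIREMENTS = f"""\
# constructed manifest for the demo, in requirements.txt syntax
requests>=2.0        # floating range: a later install may pull a different release
pyyaml==5.4.1        # exact pin, but no hash: integrity is never checked
urllib3==1.26.5 \\
    --hash=sha256:{GOOD_HASH}
"""


if __name__ == "__main__":
    parsed = parse_requirements(SAMPLE_REQUIREMENTS)
    for name, issues in audit(parsed).items():
        print(f"{name}: {'; '.join(issues)}")
    pinned = [r for r in parsed if r.name == "urllib3"][0]
    print("urllib3 artifact verified:", verify_artifact(pinned, GOOD_ARTIFACT))
    print("tampered artifact verified:", verify_artifact(pinned, GOOD_ARTIFACT + b"\x00"))
```

Running it flags `requests` (floating range, no hash) and `pyyaml` (pinned but unhashed), and passes `urllib3` only when the bytes match the pinned SHA-256. In practice the same policy is enforced by installing with `pip install --require-hashes -r requirements.txt`; the script is useful as a pre-merge check so an unpinned line never reaches that step.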
Vulnerabilities Hit High Water Mark in 2016
Via Dark Reading: It's the same story, but a different year for application security as a new report today shows that for the fifth year running the number of reported software vulnerabilities broke an all-time record. According to the report from Risk Based Security, which counted vulnerabilities catalogued on the firm's VulnDB intelligence platform, 2016 tallied 15,000 new vulnerabilities disclosed. Compared to 2011, this represents an increase of more than 85% in vulnerabilities disclosed annually.
Friends or Enemies? Security Vendors Tiptoe Towards Collaboration
Via CSO: IT security has become one of the most complex elements of a modern IT environment, requiring layers of protection, along with advanced analytics to block attacks, halt intruders and secure data. Nonetheless, the current layers of security fail at times, often due to a single vendor approach to creating those layers of security. Naturally, vendors are not all to blame, except for the fact that a lack of collaboration and technology transfer among those security vendors effectively creates silos of protection, regardless of the number of layers installed. Simply put, the threats of today are larger than any one vendor, meaning that the isolation of security technology must become a thing of the past.
How to Avoid a Podesta-style XSS Email Hack