Apache Struts Exploits, Cloudera IPO Risks & the Next Cybercon Valley

Seven days into the cruelest month and the redesigned NVD already has 255 CVEs listed, including a slew of discovered vulnerabilities in various Huawei devices as the screencap below reflects.

Latest Scored Vulnerabilities in NVD

It was a relatively slow week in open source security and cybersecurity news. Highlights: The German publication Sysbus has a “security” theme for the month of April, and kicks off with interviews with various security experts, including Black Duck. Open source proto-unicorn Cloudera files for an IPO, listing various open source security risks it faces in its S-1. Black Duck at BlackHat Asia 2017. Seven cities that could become the world’s cybersecurity capital. The CORD Project is driving network solutions with open source. Plus, the anatomy of the Apache Struts vulnerability.

Sysbus’ Trend Theme for April is "Security" Part 1

via Sysbus (Germany): "Open source software is the largest application security risk for organizations," said Mike Pittenger, vice president of security strategy at Black Duck. "Studies show that organizations are consistently underestimating how many open source components they run, and later reveal vulnerabilities that have existed for several years. The use of open source will continue to grow because it creates considerable economic opportunities. In order to protect themselves in the future, companies must secure and manage their open source components."

Cloudera Is the Next Enterprise Tech IPO Based on Open-Source Software

Cloudera plans to raise money to keep scaling its enterprise big data offerings, reports Inc. The company dropped its S-1 on Friday, registering its intent to raise $200 million in an IPO. The company's private valuation, based on various reports, is upwards of $4 billion, and it has raised more than $500 million in venture capital. Cloudera plans to trade on the New York Stock Exchange under the ticker symbol CLDR. The S-1 reveals that revenue was $261 million in the fiscal year that ended in January, while losses were $187.3 million in the preceding year. Cloudera is built around the open-source Hadoop software library, meaning it will be 2017's second enterprise tech IPO based on open-source software, following Mulesoft.

This Open-Source Tech Company’s IPO Filing Reads Like an Argument against Building a Business on Open Source

In Quartz, AI reporter Dave Gershgorn lists a dozen reasons why investing in an open-source based company is risky, as stated in one such company's own filing.

“By the terms of certain open source licenses, we could be required to release the source code of our proprietary software, and to make our proprietary software available under open source licenses, if we combine our proprietary software with open source software in a certain manner.”

Cloudera IPO: Risk for Cyberattacks, Lawsuits & Loss of IP?

Black Duck’s Fred Bals takes an in-depth look at the Quartz Cloudera article and examines whether Cloudera is a risky business because its value depends on open source.

“Again, while it is indeed true that some open source license terms could require proprietary code be released as open source itself, the fact that Cloudera acknowledges the issue indicates that it has processes in place to ensure that doomsday scenario doesn’t happen. A much scarier scenario would be the company that doesn’t realize the requirement to comply with the licenses of the open source they use – or worse, doesn’t even realize that they have the open source in their proprietary code. Most open source components are governed by one of about 2,500 known open source licenses, and the license obligations can be tracked and managed only if the open source components themselves are identified.”

From BlackHat Asia: Black Duck Open Source Security

via DailySecu (Korea): Development using open source for such things as mobile and IoT apps is growing at a tremendous pace. This is a global phenomenon, not limited to Korea. Open source security vulnerabilities and license management are becoming a security concern for enterprises. DailySecu interviewed Eno Chen, Black Duck APAC general manager, to learn more about open source security management.

7 Cities That Could Become the World’s Cybersecurity Capital

via Fortune: The film industry has Hollywood, the banks have Wall Street, and tech has Silicon Valley. But so far the fast-growing cybersecurity industry—slated to pull in more than $100 billion a year by 2020—has no obvious place to call home.

If you believe in the theory of economic clusters, popularized in a 1998 HBR article by professor Michael Porter, the cyber business is exactly the sort of industry that could give rise to a regional hub or cluster—a "Cybercon Valley" if you will.

CORD Project: Driving Network Solutions with Open Source

CORD® (Central Office Re-architected as a Datacenter) is a platform leveraging leading edge SDN, NFV and Cloud technologies to build nimble in-line datacenters at the edge of operator networks, blogs Larry Peterson, CTO at ON.Lab and ONF, and Chief Architect at CORD Project. CORD integrates a curated collection of dozens of leading open source projects, thus making a fully-integrated platform for building innovative solutions available for network operators. Designed to leverage the best of modern DevOps application development methodologies, CORD delivers an open, programmable, agile platform for service creation.

Anatomy of the Apache Struts Vulnerability

Stephen Mort, vulnerability analyst at Black Duck, takes a deep dive into the make-up of CVE-2017-5638, a severe vulnerability in the Struts MVC framework, and explains how the Apache Struts exploits work.

“Because of its extensive functionality, Struts is a widely used open source component in web applications. However, these same benefits and Struts’ integration with other frameworks can make upgrades and patches challenging. My goal is to help readers understand how an attacker might exploit this Apache Struts vulnerability.

Struts is vulnerable to remote command injection attacks through incorrectly parsing an attacker’s invalid Content-Type HTTP header. The Struts vulnerability allows these commands to be executed under the privileges of the Web server. This is full remote command execution and has been actively exploited in the wild from the initial disclosure.”
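As an added illustration (not code from the original post, from Black Duck, or from the Struts project), the following Python checks Content-Type header values against the RFC 7231 media-type grammar, so that requests carrying a malformed header, the kind the quoted passage says Struts mishandled, can be flagged at a reverse proxy or during log review. The sample requests are constructed, and the grammar is a deliberately strict reading of the RFC (stricter than what many servers tolerate), which is an assumption of this example.

```python
import re
from typing import Optional

# RFC 7230 token characters (tchar): used for type, subtype and parameter names/values.
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# Simplified RFC 7230 quoted-string: "..." with backslash escapes.
QUOTED = r'"(?:[^"\\]|\\.)*"'
# RFC 7231 media-type: type "/" subtype *( OWS ";" OWS token "=" ( token / quoted-string ) )
MEDIA_TYPE_RE = re.compile(
    rf"^{TCHAR}/{TCHAR}(?:\s*;\s*{TCHAR}=(?:{TCHAR}|{QUOTED}))*\s*$"
)


def content_type_is_wellformed(value: Optional[str]) -> bool:
    """Return True when the header value obeys the strict media-type grammar.

    A missing header (None) is treated as well-formed: there is nothing to
    mis-parse. Assumption: strict RFC 7231 conformance is the desired bar.
    """
    if value is None:
        return True
    return MEDIA_TYPE_RE.fullmatch(value.strip()) is not None


# Constructed sample requests (not real traffic). Request 4 stands in for a
# request with an invalid Content-Type header; its value is a made-up token
# that simply violates the grammar (braces are not tchar).
SAMPLE_REQUESTS = [
    {"id": 1, "method": "POST", "path": "/upload.action",
     "content_type": "multipart/form-data; boundary=----ConstructedBoundary42"},
    {"id": 2, "method": "POST", "path": "/login.action",
     "content_type": "application/x-www-form-urlencoded"},
    {"id": 3, "method": "POST", "path": "/api/items.action",
     "content_type": 'application/json; charset="utf-8"'},
    {"id": 4, "method": "POST", "path": "/upload.action",
     "content_type": "multipart/form-data;{constructed-invalid-token}"},
    {"id": 5, "method": "GET", "path": "/index.action",
     "content_type": None},
]


def flag_malformed_content_types(requests) -> list:
    """Return the ids of requests whose Content-Type fails strict parsing."""
    return [r["id"] for r in requests
            if not content_type_is_wellformed(r.get("content_type"))]


if __name__ == "__main__":
    print("Requests with malformed Content-Type:", flag_malformed_content_types(SAMPLE_REQUESTS))
```

Rejecting or alerting on such requests before they reach the framework is a compensating control only; the fix the post points to is upgrading Struts.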
