CVE-2017-2636 Vuln of the Week & UK National Cyber Security Strategy

CVE-2017-2636 Vuln of the Week & UK National Cyber Security Strategy

Seldom a month goes by where the NVD entries don’t break 1,000, and March 2017 is no exception. The vulnerability of the week is CVE-2017-2636, a serious security flaw in Linux kernel that appears to have been around since 2009. More on that story below.

Other open source security and cybersecurity stories include:  Expecting to be the buyer/seller in an M&A transaction at some point in your business? Learn how an open source audit works, and why it’s an important part of diligence.  Last year the UK Government announced £1.9bn of public investment in cyber-security, its ‘National Cyber Security Strategy 2016 to 2021’ outlines how the UK will use automated defenses to safeguard citizens and businesses against growing cyber threats. Does machine learning have a place in cyber security?  Plus, three steps for vulnerability management and triage.

How an Open Source Software Audit Works

Most of our readers understand that an open source software audit involves expert consultants analyzing a proprietary code base using Black Duck tools, writes Black Duck VP & General Manager, Phil Odence. The deliverable is a report that identifies open source in the code as well as associated risks. If you’d like to understand our process — what comes before, during and after, read on.

Linux Security Flaw Patched After Years Unspotted

Security researchers have discovered a serious security flaw in the Linux kernel that appears to have existed since 2009. The vulnerability, CVE-2017-2636, is rated ‘high’ on the National Vulnerability Database (NVD) because it could allow local users to gain privileges or cause a denial of service. According to The Hacker News, it affects a large number of Linux distributors, including Red Hat, Debian, Fedora, OpenSUSE, and Ubuntu. Users are advised to install the latest security updates right away. The discovery was made by Alex Popov of Positive Technologies. Patrick Carey, a director at Black Duck Software comments. 

Open Source: The New Normal in Enterprise Software

via CIODive: Open source is "no longer about people in t-shirts and sandals railing against the corporate machine and trying to do something different."

"Still, just as with closed source software, security is never 'fixed' and is an ongoing cost and risk. And in some cases, faith in open source software can be a blind spot. A 2016 survey, sponsored by Black Duck, a software development company, and investment firm North Bridge, found that not all end users of open source software are taking adequate security measures. One-third of respondents said they lacked a system for 'identifying, tracking or remediating known open source vulnerabilities.'"

The UK's £1.9bn Cyber-Security Spend — Getting the Priorities Right

via Computer Fraud & Security. The increased focus on cyber-security and the level of investment has been broadly welcomed in the industry. And the ‘National Cyber Security Strategy 2016-2021’ is not lacking ambition. But how do the Government's efforts really shape up? Are they addressing the right issues, and are they enough? Black Duck vice president of security strategy, Mike Pittenger comments in the article, “Forrester Research recently reported that one out of every 16 open source download requests is for a component with a known vulnerability. With open source making up as much as 50% of an application, it’s vital to know what open source is used, where it is in the codebase, and to secure it against known vulnerabilities. Firms should target an equivalent amount of effort and resources at this primary weakness in their cyber-security.”

Does Machine Learning Have a Future Role in Cyber Security?

According to Google Trends, machine learning has shown a steady (almost threefold) increase in interest since 2015, blogs Paul O’Neill, Black Duck Data Analyst. Coursera and Udacity machine learning courses are both in the top ten related topics. It appears that many people want to learn more about it.

If you have ever used Google, Netflix, Amazon, Gmail, then you have interacted with machine learning (ML). It has become an important component in online retail, recommendation systems, fraud detection and others. Open source machine learning and data science tools such as Python’s Scikit-learn package are freely available, very powerful and often used to build these tools.

Vulnerability Management and Triage in 3 Steps

Security testing tools can help organizations build better software by identifying vulnerabilities early in the SDLC. For security professionals and developers, however, the hard work begins when the testing is complete. Once you have a list of vulnerabilities across multiple applications, what's your next step in vulnerability management and triage? And how do you ensure that you maximize your remediation efforts?

Leading Linux distros dawdle as kernel flaw persists

A race condition flaw has been fixed in the mainline Linux kernel, but some Red Hat, Canonical, and Debian distributions don't yet have patches, notes InfoWorld. The vulnerability would affect Linux servers and workstations, as well as virtual machines, but not most containers. "Due to the ioctl settings on Docker, this shouldn't be executable from within a container," said Patrick Carey of open source security company Black Duck Software. "Obviously if you have access to the container host, all bets are off."

Request a Live Demo

Sorry we missed you! We close comments for older posts, but we still want to hear from you. Tweet @black_duck_sw to continue the discussion.


Artifex Ruling, NY Cybersecurity Regs, PATCH Act, & WannaCry News

| May 19, 2017

This week’s news is dominated by fall-out and reaction from last week’s WannaCrypt/WannaCry attacks, of course, but other open source and cybersecurity stories you won’t want to miss include: An important open source ruling that confirms the enforceability of dual licensing. What New York’s new

| MORE >

Protecting Against Ransomware Like WannaCry Means Timely Patching

| May 16, 2017

According to the FBI, ransomware was the fastest-growing malware across all industries in 2016, and is on track to be an $1 billion crime in 2017. The “WannaCry ransomware” (aka “Wana Decrypt0r” “WCrypt” and “WannaCrypt” among ITS various other aliases) has affected an estimated 200,000 computers

| MORE >

Struts in VMware, Law Firm Cybersecurity, Hospital Data Breaches

| May 12, 2017

The need for cybersecurity vigilance is the overarching theme of this week’s news, as Google OSS-Fuzz finds more than 1,000 bugs, with 264 of them flagged as potential security bugs. The vuln that just keeps on strutting has impacted VMware products. Thousands of patient records are leaked in a

| MORE >