Drupageddon, Heartbleed Problems & Open Source 360 Survey Results


CVE-2014-3704, aka “Drupageddon”, and CVE-2014-0160, the everlasting Heartbleed, are our co-pick CVEs of the week. Even though both vulnerabilities were discovered over three years ago, both demonstrate how a lack of insight into open source vulnerabilities can lead to anything from a 6.7 million record leak to a £100,000 fine. The ICO/Gloucester City Council story is particularly interesting, or frightening, as it seems a clear wake-up call to organizations that will need to comply with the GDPR about what to expect when the regulations go into effect in 2018.

Read on for the open source security stories you need to know this week.

Data Protection Fine Shows Security Risks from Using Open Source Software Cannot Be Ignored, Says Expert

via Out-Law.com: The UK's Information Commissioner's Office (ICO) imposed a £100,000 fine on Gloucester City Council over its failure to fix a weakness in the security of its website. [It] failed to ensure software it was using was updated to fix a vulnerability in coding known as the 'Heartbleed' bug, which was identified in April 2014 as existing in some versions of encryption software developed by the open source 'OpenSSL Project.'

Open Source Security Challenges in Cars

via Information Age: Both auto OEMs and their suppliers should adopt management practices that inventory open source software; that map software against known vulnerabilities as well as alerting to new security threats; that identify potential licensing and code quality risks; and that can maximise the benefits of open source while effectively managing risks.

Georgia Special Election Disruption Concerns Rise After 6.7M Records Leaked

via SC Media: Several security vulnerabilities in systems used to manage Georgia's election technology, exposing the records of 6.7 million voters months before the nation's most expensive House race, slated for June 20, have raised fears that the election could be disrupted… the site was also using an outdated version of Drupal containing a critical vulnerability dubbed “Drupageddon.”

Black Duck Center for Open Source Research & Innovation Releases 2017 Open Source 360 Degree Survey

via TechBuzz Ireland: Even as their organisations are embracing open source to accelerate application development and increase development agility, respondents expressed concern about license risk/loss of intellectual property (66%); exposure of internal applications to exploitation from open source vulnerabilities (64%); exposure of external applications to exploitation because of open source vulnerabilities (71%); unknown quality of components (74%); and failure of development teams to adhere to internal policies (61%).

Open-source Software Management Fails to Meet Security Concerns

via ZDNet: Released on Thursday, the survey, made up of 819 US and EMEA software developers, IT professionals, security experts, and systems architects, says that in the last year there has been a significant uptake in the use of open-source software, with almost 60 percent of respondents saying their organizations make use of open-source community-based development.

Watch the Open Source 360 Results Webinar

Is the Open Source You Use a Security Risk?

via CodeGuru: If you are using open source software or considering it, then it is important to understand the potential risks. On June 20th, at 1:00 p.m. ET (10:00 a.m. PT), join Lenny Liebmann and Mike Pittenger in a webinar where they discuss open source security and management best practices that you can use to reduce security risks. For more on this event or to register, you can go to eWeek’s eSeminar registration page here.

6 Recommendations for Healthcare Cybersecurity

via Black Duck blog (Mike Pittenger): Early last year, in response to the Cybersecurity Act of 2015, the US Department of Health and Human Services (HHS) established The Health Care Industry Cybersecurity Task Force. This month the task force published its recommendations to improve healthcare cybersecurity.

While non-binding (today), the recommendations should be considered a heads-up to health care organizations, “covered entities” (in the words of HIPAA), and device manufacturers. Let’s take a look at some of the challenges and advice from the task force for improving healthcare cybersecurity.

