CVE-2014-3704, aka “Drupageddon,” and CVE-2014-0160, the everlasting Heartbleed, are our co-pick CVEs of the week. Even though both vulnerabilities were discovered over three years ago, both demonstrated how a lack of insight into open source vulnerabilities can lead to anything from a 6.7 million record leak to a £100,000 fine. The ICO/Gloucester City Council story is particularly interesting — or frightening — as it seems a clear wake-up call to organizations that will need to comply with the GDPR about what to expect when the regulation goes into effect in 2018.
Read on for the open source security stories you need to know this week.
Data Protection Fine Shows Security Risks from Using Open Source Software Cannot Be Ignored, Says Expert
via Out-Law.com: The UK's Information Commissioner's Office (ICO) imposed a £100,000 fine on Gloucester City Council over its failure to fix a weakness in the security of its website. [It] failed to ensure software it was using was updated to fix a vulnerability in coding known as the 'Heartbleed' bug, which was identified in April 2014 as existing in some versions of encryption software developed by the open source 'OpenSSL Project.'
via Information Age: Both auto OEMs and their suppliers should adopt management practices that inventory open source software; that map software against known vulnerabilities as well as alert to new security threats; that identify potential licensing and code quality risks; and that can maximise the benefits of open source while effectively managing risks.
via SC Media: Several security vulnerabilities in systems used to manage Georgia's election technology, exposing the records of 6.7 million voters months before the nation's most expensive House race slated for June 20, have raised fears that the election could be disrupted… the site was also using an outdated version of Drupal containing a critical vulnerability dubbed “Drupageddon.”
via TechBuzz Ireland: Even as their organisations are embracing open source to accelerate application development and increase development agility, respondents expressed concern about license risk/loss of intellectual property (66%); exposure of internal applications to exploitation from open source vulnerabilities (64%); exposure of external applications to exploitation because of open source vulnerabilities (71%); unknown quality of components (74%); and failure of development teams to adhere to internal policies (61%).
via ZDNet: Released on Thursday, the survey, made up of 819 US and EMEA software developers, IT professionals, security experts, and systems architects, says that in the last year there has been a significant uptake in the use of open-source software, with almost 60 percent of respondents saying their organizations make use of open-source community-based development.
via CodeGuru: If you are using open source software or considering it, then it is important to understand the potential risks. On June 20th, at 1:00 p.m. ET (10:00 a.m. PT), join Lenny Liebmann and Mike Pittenger in a webinar where they discuss open source security and management best practices that you can use to reduce security risks. For more on this event or to register, you can go to eWeek’s eSeminar registration page here!
via Black Duck blog (Mike Pittenger): Early last year, in response to the Cybersecurity Act of 2015, the US Department of Health and Human Services (HHS) established The Health Care Industry Cybersecurity Task Force. This month the task force published its recommendations to improve healthcare cybersecurity.
While non-binding (today), the recommendations should be considered a heads-up to health care organizations, “covered entities” (in the words of HIPAA), and device manufacturers. Let’s take a look at some of the challenges and advice from the task force for improving healthcare cybersecurity.