Heartbleed Vuln, Risk Ranking, OS Rookies and Exec Guide to Containers

As the last full week of the first month of the year draws to a close, 715 CVE entries are now listed for January 2017 in the National Vulnerability Database.

Sometimes cybersecurity feels like a Sisyphean task. It's been more than three years since the discovery of the critical OpenSSL Heartbleed vulnerability, but the flaw is apparently still alive and well in almost 200,000 systems. How can that be?

In this week’s open source and cybersecurity news: SD Times takes a look at the perils of open source security. What should you consider when risk ranking your applications? A look back at some of the companies named as Black Duck Open Source Rookies over the years. Both cyberattacks and cyberdefenses are on the rise. And, as noted above, that Heartbleed problem may be more pervasive than you think.

Here’s the top open source and cybersecurity news for the week of January 27th.

Guest View: The perils of open-source software security

It’s misleading to spend time distinguishing between open-source and proprietary software, because modern applications include third-party software components. Many of those components are open source, and very few companies have a solid understanding of the security vulnerabilities that come with the code.

3 Things to Consider When Risk Ranking Your Applications

Whether it’s people to conduct threat modeling, manual code reviews, or simply someone who can scrub the false positives from the blizzard of information they receive each day, everyone seems to be in need of an extra hand. While more people can certainly help, most of us operate in organizations that have finite budgets. The trick in that environment is to make the most of your limited resources. That means applying them to the applications and vulnerabilities that matter most.

Black Duck's 'Open Source Rookies' is best at predicting open source success

A look back at Black Duck's impressive history of identifying the most successful open source projects. This will be the 9th year Black Duck has run the Open Source Rookies initiative, and in that time open source projects have gone from strength to strength. Many previous winners are now some of the biggest names in open source, so ahead of the class of 2016 announcement, we thought we should look back at who has trodden the winners' path before.

Over 199,500 Websites Are Still Vulnerable to Heartbleed OpenSSL Bug

It was one of the biggest flaws in the Internet's history that affected the core security of as many as two-thirds of the world's servers (i.e. half a million servers) at the time of its discovery in April 2014.

However, the critical bug still affects more than 199,500 systems even after 2 years and 9 months have passed, according to a report published on Shodan, a search engine that scans for vulnerable devices. Black Duck’s vice president of security strategy Mike Pittenger says it’s likely most of those machines have been remediated, but that doesn’t address the countless other applications (commercial and proprietary) that Black Duck didn’t audit. “It is significant, to be sure,” he says. “However, I would not extrapolate that to say 11% of all commercial applications were vulnerable to Heartbleed at that time.”

Attack and defence of cyber crime on the rise in Northern Ireland

With cyber-crime costing the region's economy an estimated £100 million a year, firms focusing on online protection from fraudsters have increased in response, leading to a huge investment and bringing with it scores of jobs. Last year Belfast was the top destination in Europe for US foreign direct investment in cyber security, with international companies including Black Duck Software establishing operations around the city.

An executive's guide to containers

Via OpenSource: Containers are the future, but you need to make the right choices when moving toward them. Open source technologies play a key role in container technology. The open source Docker project has made containers easy to build and use through its layered image format. The Open Container Initiative (OCI) has become an open source standard for containers supported by all major technology vendors.

Open source technology providers like Red Hat make container-ready, secure operating systems available. For example, Red Hat Enterprise Linux 7.x, including Red Hat Enterprise Linux Atomic Host, is optimized to run containers natively and also provides tools to monitor and manage containers. Other open source projects such as CoreOS from Tectonic are also coming into the market. Indeed, containers are ready for adoption by enterprises.
