Heartbleed Vuln, Risk Ranking, OS Rookies and Exec Guide to Containers

As the last full week of the first month of the year draws to a close, 715 CVE entries are now listed for January 2017 in the National Vulnerability Database.

Sometimes cybersecurity feels like a Sisyphean task. It's been more than three years since the discovery of the critical OpenSSL Heartbleed vulnerability, but the flaw is apparently still alive and well in almost 200,000 systems. How can that be?

In this week’s open source and cybersecurity news: SD Times takes a look at the perils of open source security. What should you consider when risk ranking your applications? A look back at some of the companies named as Black Duck Open Source Rookies over the years. Both cyberattacks and cyberdefenses are on the rise. And as noted above, that Heartbleed problem may be more pervasive than you think.

Here’s the top open source and cybersecurity news for the week of January 27th.

Guest View: The perils of open-source software security

It’s misleading to spend time distinguishing between open-source and proprietary software, because modern applications include third-party software components. Many of those components are open source, and very few companies have a solid understanding of the security vulnerabilities that come with the code.

3 Things to Consider When Risk Ranking Your Applications

Whether it’s people to conduct threat modeling, manual code reviews, or simply someone who can scrub the false positives from the blizzard of information they receive each day, everyone seems to be in need of an extra hand. While more people can certainly help, most of us operate in organizations that have finite budgets. The trick in that environment is to make the most of your limited resources. That means applying them to the applications and vulnerabilities that matter most.

Black Duck's 'Open Source Rookies' is best at predicting open source success

A look back at Black Duck's impressive history of identifying the most successful open source projects. This will be the 9th year Black Duck has run the Open Source Rookies initiative, and in that time open source projects have gone from strength to strength. Many previous winners are now some of the biggest names in open source, so ahead of the class of 2016 announcement, we thought we should look back at who has trodden the winners' path before.

Over 199,500 Websites Are Still Vulnerable to Heartbleed OpenSSL Bug

It was one of the biggest flaws in the Internet's history that affected the core security of as many as two-thirds of the world's servers (i.e. half a million servers) at the time of its discovery in April 2014.

However, the critical bug still affects more than 199,500 systems even after 2 years and 9 months have passed, according to a report published on Shodan, a search engine that scans for vulnerable devices. Black Duck’s vice president of security strategy Mike Pittenger says it’s likely most of those machines have been remediated, but it doesn’t address the countless other applications – commercial and proprietary – that Black Duck didn’t audit. “It is significant, to be sure,” he says. “However, I would not extrapolate that to say 11% of all commercial applications were vulnerable to Heartbleed at that time.”

Attack and defence of cyber crime on the rise in Northern Ireland

With cyber-crime costing the region's economy an estimated £100 million a year, firms focusing on online protection from fraudsters have increased in response, leading to a huge investment and bringing with it scores of jobs. Last year Belfast was the top destination in Europe for US foreign direct investment in cyber security, with international companies including Black Duck Software establishing operations around the city.

An executive's guide to containers

Via OpenSource: Containers are the future, but you need to make the right choices when moving toward them. Open source technologies play a key role in container technology. The open source Docker project has made containers with a layering format that is easy to build and use. The Open Container Initiative (OCI) has become an open source standard for containers supported by all major technology vendors.

Open source technology providers like Red Hat make container-ready, secure operating systems available. For example, Red Hat Enterprise Linux 7.x, including Red Hat Enterprise Linux Atomic Host, is optimized to run containers natively and also provides tools to monitor and manage containers. Other open source projects such as CoreOS from Tectonic are also coming into the market. Indeed, containers are ready for adoption by enterprises.
