Heartbleed Vuln, Risk Ranking, OS Rookies and Exec Guide to Containers

As the last full week of the first month of the year draws to a close, 715 CVE entries are now listed for January 2017 in the National Vulnerability Database.

Sometimes cybersecurity feels like a Sisyphean task. It's been nearly three years since the disclosure of the critical OpenSSL Heartbleed vulnerability in April 2014, but the flaw is apparently still alive and well on almost 200,000 systems. How can that be?

In this week’s open source and cybersecurity news:  SD Times takes a look at the perils of open source security. What should you consider when risk ranking your applications? A look back at some of the companies named as Black Duck Open Source Rookies over the years. Both cyberattacks and cyberdefenses are on the rise. And as earlier noted, that Heartbleed problem may be more pervasive than you think.

Here’s the top open source and cybersecurity news for the week of January 27th.

Guest View: The perils of open-source software security

It’s misleading to spend time distinguishing between open-source and proprietary software, because nearly every modern application, whatever its license, is assembled from third-party software components. Many of those components are open source, and very few companies have a solid understanding of the security vulnerabilities that come with that code.

3 Things to Consider When Risk Ranking Your Applications

Whether it’s people to conduct threat modeling, manual code reviews, or simply someone who can scrub the false positives from the blizzard of information they receive each day, everyone seems to be in need of an extra hand. While more people can certainly help, most of us operate in organizations that have finite budgets. The trick in that environment is to make the most of your limited resources. That means applying them to the applications and vulnerabilities that matter most.

Black Duck's 'Open Source Rookies' is best at predicting open source success

A look back at Black Duck's impressive history of identifying the most successful open source projects. This will be the 9th year Black Duck has run the Open Source Rookies initiative, and in that time open source projects have gone from strength to strength. Many previous winners are now some of the biggest names in open source, so ahead of the class of 2016 announcement, we thought we should look back at who has trodden the winners' path before.

Over 199,500 Websites Are Still Vulnerable to Heartbleed OpenSSL Bug

It was one of the biggest flaws in the Internet's history: at the time of its discovery in April 2014 it affected the OpenSSL library running on as many as two-thirds of the world's web servers, leaving an estimated half a million trusted sites exposed.

However, the critical bug still affects more than 199,500 systems even after 2 years and 9 months have passed, according to a report published by Shodan, a search engine that scans Internet-connected devices. Black Duck’s vice president of security strategy Mike Pittenger says it’s likely most of those machines have been remediated, but it doesn’t address the countless other applications (commercial and proprietary) that Black Duck didn’t audit. “It is significant, to be sure," he says. “However, I would not extrapolate that to say 11% of all commercial applications were vulnerable to Heartbleed at that time.”

Attack and defence of cyber crime on the rise in Northern Ireland

With cyber-crime costing the region's economy an estimated £100 million a year, firms focusing on online protection from fraudsters have increased in response, leading to a huge investment and bringing with it scores of jobs. Last year Belfast was the top destination in Europe for US foreign direct investment in cyber security, with international companies including Black Duck Software establishing operations around the city.

An executive's guide to containers

Via OpenSource: Containers are the future, but you need to make the right choices when moving toward them. Open source technologies play a key role in container technology. The open source Docker project gave containers a layered image format that is easy to build and use. The Open Container Initiative (OCI) publishes open specifications for container runtimes and image formats that are supported by all major technology vendors.

Open source technology providers like Red Hat make container-ready, secure operating systems available. For example, Red Hat Enterprise Linux 7.x, including Red Hat Enterprise Linux Atomic Host, is optimized to run containers natively and also provides tools to monitor and manage containers. Other open source projects, such as CoreOS Container Linux and its Tectonic platform, are also coming into the market. Indeed, containers are ready for adoption by enterprises.
