A big jump in CVEs from last week, with 547 entries now listed in the NVD and a multitude of cross-site scripting (XSS) vulnerabilities leading the pack as usual. One of the more interesting of those vulnerabilities is a supersized password protection problem for McDonalds.com due to a cross-site scripting (XSS) vulnerability and a cryptographic storage vulnerability.
More in this week’s open source and cybersecurity news: Black Duck’s vice president of security strategy tells CSO.com why he expects attacks based on open source vulnerabilities will increase by 20% in 2017. A global survey finds that 58% of respondents fear a future data breach. Application vulnerabilities are the #1 cyberattack target, but what the right tools to secure applications?
After the recent MongoDB debacle, security specialists are saying to expect more of the same. A researcher is paid a $40K bounty after reporting an open source security flaw to Facebook. Connected car researchers are calling all white hats to find the flaws in their open source automotive software. And a new study by Red Hat highlights open source software's growing acceptance, but reservations around security still remain.
Read on for the news that made the open source and cybersecurity headlines this week.
Report: Attacks Based on Open Source Vulnerabilities Will Rise 20 Percent This Year
In an interview with CSO.com, said Mike Pittenger, vice president of security strategy at Black Duck Software, predicts that as open source code becomes more prevalent in both commercial and home-grown applications, the number of attacks based on its vulnerabilities will increase by 20 percent this year.
Survey Says 66% Of Consumers Won't Work With Breached Companies
A global survey finds that despite being aware of online security risks, customers continue to take chances but expect protection from businesses that handle their data - despite only 29% believing that companies will protect their data seriously and 58% fearing a future data breach. You can download (form entry required) the full report here.
Do You Have the Right Tools in Your Application Security Toolkit?
“It’s a trick question,” writes Black Duck’s Patrick Carey. “No single tool or approach will fully cover the range of vulnerabilities present in most applications. To do the job right you are going to need to assemble a multi-tool toolkit tailored to the needs of your applications and development processes. To help you get started we’ve put together an Application Security Buyers Guide. In it you will find descriptions of the various appsec testing approaches as well as strengths and limitations of each.”
On the Law and Your Open Source License
Via Gigaom: It is more important than ever to know your way around the world of laws and licenses that pertain to open source software. Did you know that there is an official, free journal dedicated to open source law? It's the International Free and Open Source Software Law Review, and it's worth looking into.
After MongoDB Debacle, Expect More Ransomware, Open Source Vuln Attacks in 2017
Via Application Development Trends: Although these much-publicized attacks concerned only a few types of databases, they serve as a sobering reminder of the vulnerabilities in open source software, where it's often incumbent upon users to secure the open source components they use in projects.
Failure to Patch Known ImageMagick Flaw Costs Facebook $40k
It's not common for a security-conscious internet company to leave a well-known vulnerability unpatched for months, writes CSO.com. Facebook paid a US$40,000 reward to a researcher after he warned the company that its servers were vulnerable to an exploit called ImageTragick.
White Hat Hackers Called to Poke Holes in Open Source Connected Car Security Platform
SC Media reports that the New York University Tandon School of Engineering, University of Michigan Transportation Research Institute and the Southwest Research Institute have developed a cybersecurity framework called Uptane for the automotive industry to protect wireless software updates in connected vehicles. The developers are offering Uptane for free and as an open source platform because they want researchers to scrutinize the design to ensure the safety of everyone.
Security Concerns Remain as Open Source Usage Surges
The use of open source software in the Asia-Pacific region is on its way up, reports ARN, with more than half of those surveyed in a new study by Red Hat already implementing or embracing the technology. At the same time, however, the research suggests that concerns around the security of open source software remains, despite its rising popularity among enterprises, with 56 percent of respondents viewing open source security as a potential risk if not a major concern.
Unhappy Meal: McDonald's Website Doesn't Securely Protect Passwords, Researcher Finds
Registered users of McDonald's website may be susceptible to credential theft due to the combination of a cross-site scripting (XSS) vulnerability and a cryptographic storage vulnerability, claims an article in SC Media. By abusing these two flaws, “It is possible to steal and decrypt the password from a McDonald's user,” wrote Netherlands researcher Tijme Gommers earlier this month in a blog post on his website. “Besides that, other personal details like the user's name, address and contact details can be stolen too.”