NotPetya Strikes, Patching Is Vital for Risk Management


News about NotPetya is reverberating around the world this week as malware experts quickly determined that its resemblance to Petya is superficial. The consensus is now that NotPetya is a wiper, designed to inflict permanent damage, not ransomware as initially reported. Following closely on the heels of the WannaCry incidents, NotPetya had hit 64 countries by June 28, and this time no kill switch was available. Global cyberattacks such as these highlight the importance of cybersecurity everywhere: staying current on patches and keeping backups up to date.

In other cybersecurity and open source news: open source is pervasive in the automotive industry, a hackathon in Leeds looks at how to deploy NHSbuntu in place of Microsoft, open source oversight is key to GDPR, and security code reviews by Russian agencies are under discussion.

Safety, Security & Open Source in the Automotive Industry

via Black Duck blog (Fred Bals): Open source use is pervasive across every industry vertical, including the automotive industry. When it comes to software, every auto manufacturer wants to spend less time on what are becoming commodities — such as the core operating system and components connecting the various pieces together — and focus on features that will differentiate their brand. The open source model supports that objective by expediting every aspect of agile product development.

Managing and Securing Open Source in the Automotive Industry

Petya Cyber Attack That Spread Around the World Was Intent on Destruction, Not on Making Money

via The Independent: Experts say that initial suggestions that the software was being used to make money may have been a distraction. The software might instead be part of a plan simply to cripple as many systems, companies and countries as possible, they said.

Ubuntu 'Weaponised' to Cure NHS of its Addiction to Microsoft Windows

via The Register: A gathering of software developers set out to find a way to deploy NHSbuntu, a flavour of the open-source Linux distro Ubuntu built for the NHS, on the 750,000 smartcards used to verify clinicians accessing 80 per cent of applications – excluding those for clinical use – on millions of health service PCs.

Oversight of Use of Open Source Code Crucial As GDPR Approaches, Says Industry Expert

via Mike Pittenger, vice president of security strategy at Black Duck Software: Many businesses either remain unaware that they are running popular open source components within their software at all, or are unaware that security vulnerabilities exist in the versions of that software they are operating. This is despite the profile of open source software security risk being raised by media coverage in recent times, he said.

Customer Questions: What Is Docker Anyway?

via Black Duck blog (Megan McIntyre): We've been thinking about how Docker containers can help us deliver our software effectively for quite a while now. Recently Hal Hearst shared excellent information about how and why we're releasing Hub as a Dockerized container.

Open Source Vulnerabilities & Application Security

via IT SecCity (Germany): The world's appetite for open source software is insatiable. Companies worldwide significantly increased their use of open source last year; yet although they readily acknowledge the security and operational risks associated with open source, effective management of open source is not keeping pace with its growing use.

A Methodology for Quantifying Risks from Web Services

via Black Duck blog (Baljeet Malhotra): Every API comes with a set of obligations, which are typically documented in various (legally binding) agreements (for example, Terms of Service, Developer Agreement, Privacy Statement) that govern the usage of API and its underlying data and functionalities. According to our research there are essentially four key factors that affect the governance of API usage.

Security Code Reviews by Russian Agencies Cause Concern

via TechTarget SearchSecurity: Before allowing cybersecurity products into Russia, U.S. tech companies are reportedly being required to submit source code for review, and many are worried about the privacy and security impacts of this testing. Rising tensions between the U.S. and Russia over apparent election interference appear to be to blame for both Russia's insistence on security code reviews and U.S. experts' wariness of the practice.
