We’ve broken the 1,000 mark as we enter February, with 1141 entries now listed in the National Vulnerability Database. What makes up an NVD “Common Vulnerability and Exposures” entry? Let’s look at CVE-2016-10105, originally released on 1/3/17: it’s a critical (9.8) vulnerability in Piwigo, open source photo gallery software for the web. According to the entry, “admin/plugin.php in Piwigo through 2.8.3 doesn't validate the sections variable while using it to include files. This can cause information disclosure and code execution if it contains a .. sequence.” More information on this particular CVE and patch info can be found at the NVD.
Let’s turn to open source and cybersecurity news for the week of February 3rd: OpenSSL continues to patch as Heartbleed persists in hanging around. Zero-day vulnerabilities remain a problem. What happens when codes are released under an open source license? Why the “is open source more or less secure?” debate is a red herring that fuels many a message board flame war but misses the crux of the matter. Data breaches take a significant bite out of revenue. Why open source benefits far outweigh any risks. A look at six iconic open source brands. And why open source could pose issues for software IP.
OpenSSL Issues New Patches as Heartbleed Still Lurks
The OpenSSL Project has addressed some moderate-severity security flaws, and administrators should be particularly diligent about applying the patches since there are still 200,000 systems vulnerable to the Heartbleed flaw. "If there are servers that are vulnerable, then it's because people aren't aware they have them," said Mike Pittenger, vice president of strategy for Black Duck Software.
New Trends in Zero-day Vulnerabilities
Via CSO: Zero-day vulnerabilities continue to haunt security practitioners. One root of the zero-day problem that isn't going away is the ever-growing widespread use of open source code. That's why many folks want to know what is trending with zero-day vulnerabilities, and what are the best practices for mitigating risks in open source code. Mike Cotton, vice president of research and development at Digital Defense, said, “Widespread use of open source code can be problematic from a security standpoint. More enterprise products continue to embrace open source as a means of shrinking marketing cycle and getting product to market."
Enforcement of Open Source Licenses?
What happens when codes are released under an open source license? Has the developer in effect written off his right to the code? Can a developer of open source software enforce his rights, or has he released his code to the world free of charge? Although only 3 % of all the world's companies do not use open source software, according to a recent study by Black Duck, more than half of the survey’s respondent companies do not have a formal policy or procedure for use of open source software.
We All Share Responsibility to Secure Code
“It's indisputable that open source software is an essential element in application development worldwide,” blogs Mike Pittenger VP of Security Strategy at Black Duck. “There is, however, an ongoing - and often very heated - debate about whether open source is more or less secure than commercial software. In my view there is no convincing argument that open source is any less secure, or any more secure than commercial software. Unfortunately, after some recent comments I made about open source security were published in adtmag.com, TechRepublic columnist Matt Asay took exception with them in an article headlined ‘Why it's time to stop blaming open source for ransomware attacks.’
I would assign no such blame, and in fact I suspect that Matt and I are in full agreement on this subject.”
Data Breach Costs Exceed 20% of Revenue
Via Computer Weekly (UK): The cost of data breaches amounted to more than 20% of revenue, on top of substantial loss of customers and opportunities, for more than a third of organisations breached in 2016, a report has revealed. It found that more than a fifth of breached organisations lost customers, with 40% losing more than 20% of their customer base; some 29% lost revenue, with 38% losing more than 20% of revenue; and 23% lost business opportunities, with 42% losing more than 20% in revenue.
Open Source Software Benefits Far Outweigh Risks
While the proliferation of open source over the years has resulted in more secure, stable software, skepticism around its overall security still remains. There are risks involved in using any software, open source or commercial. With open source, not only are there ways to mitigate risk, but the extensive benefits of using OSS greatly outweigh any uncertainty.
A Look at 6 Iconic Open Source Brands
Via Opensource.com: Open source software competes with paid software, and so must define itself as a viable, realistic alternative. It must also be memorable and make an impact. If an open source software project represents itself with a poorly designed logo, a bad tagline, and inconsistent messaging, it will be hard to get noticed, be remembered, and be taken seriously. The six companies recognized here for their brand memorability and success are Linux, Mozilla, Firefox, GIMP, PostgreSQL, and VLC media player.
Understanding the Risks of Open Source to IP
Open source software code is more prevalent than people realize and its use should be carefully monitored and managed, Black Duck’s Matthew H. Jacobs and Phil Odence note in Intellectual Property magazine (free 7-day subscription available). Open source security and management practices have not kept pace with the growth in open source adoption. Many organizations are woefully misinformed about their use of open source and lack effective processes to monitor their open source license and security compliance. Even those companies that have made open source management a priority find that, given the incredible volumes of open source entering the enterprise from a variety of sources, traditional methods of tracking open source use are inadequate.