February wound down with 1,075 CVE entries in the National Vulnerability Database. Before we get into this week’s news, some interesting numbers on software composition analysis (SCA) and open source security from two recently released reports: The Forrester Wave™: Software Composition Analysis, Q1 2017 and Gartner’s Magic Quadrant for Application Security Testing.
“In their haste to create applications, developers use open source components as their foundation, creating applications using only 10% to 20% new code. Unfortunately, many of these components come with liabilities in their license agreements, and one out of every 16 open source download requests is for a component with a known vulnerability.” ~ Forrester
“SCA is becoming a critical or a mandatory feature of AST (application security testing) solutions, as open-source and third-party components are proliferating in applications that enterprises build.” “By 2019, 80% of application security testing vendors will include software composition analysis in their offerings, up from 40% today.” ~ Gartner
Read on for the latest open source and cybersecurity news in this week’s edition of Open Source Insight from Black Duck Software.
Cracking the Code: Open Source Software Meets the M&A World
Black Duck’s Phil Odence, in an in-depth interview with Lawyer Monthly, discusses what firms and their legal counsel need to know when it comes to open source, license and security compliance and IP during a merger or acquisition transaction. “… lawyers want to ensure that intellectual property rights are clear and the software isn’t burdened with license infringements or full of cybersecurity vulnerabilities.”
New Technology, Same Bugs: the Rise and Fall of the Robot Revolution
A plethora of vulnerabilities across multiple models and brands of robots is leaving cyber-security experts scratching their heads, writes SC Magazine UK. Are we making the same old mistakes again?
The paper detailing the vulnerabilities, 'Hacking Robots Before Skynet' [PDF], was the result of six months’ intensive testing of mobile applications, robot operating systems, firmware images and miscellaneous software by IOActive researchers Cesar Cerrudo and Lucas Apa.
So just how 'real world' is the robot hacking threat, according to other security industry experts? Mike Pittenger, vice president of security strategy at Black Duck Software, has no doubt that we have already seen the consequences.
"Drones (unmanned aerial vehicles) are a form of robot," he explains, "and an attractive target for our adversaries. Taking control of a drone would certainly disrupt a military mission, and could possibly turn a military's weapons on itself."
Indeed, Iran claims to have already done the former. "It's not unreasonable to think the same could be done to robots having arms and legs instead of wings," Pittenger warns.
Recognizing Innovation through Open Source Rookies
For nine years, the Black Duck Open Source Rookies of the Year awards have recognized some of the most innovative and influential open source projects launched during the previous year. This recognition is a tribute to the success and momentum of these projects, and an affirmation of their prospects moving forward. This year, we saw projects reaching for broader influence across use cases and raising the bar for performance and capability.
Our selected Rookies have impressive reach, and each offers a distinct take on the technology it addresses. As exemplary open source projects, they engaged the community for contributions, feedback, inspiration and support. Driven by passionate teams, these projects overcame notable challenges.
The Top 8 New Open Source Projects
Via InfoWorld: The past year saw a surge of activity in several areas. One of the most interesting was in blockchain technologies, which continue to stake out their positions in the immutable data ecosystem, going beyond cryptocurrency exchange. Machine learning — including deep learning and neural networks — also came up big, as intelligence is added to everything from financial services to design and manufacturing.
Big data, software-defined networking (SDN), container management, and security were also hot areas. Congratulations to the winners! We hope this selection offers insight into the direction of technology development across the industry.
GitHub Shows How to Get Started with Open Source
Via Application Development Trends: With open source software "eating the world," many developers might be hungering to get a seat at the dinner table, so GitHub Inc. has published guides to do just that. The giant open source code repository published its Open Source Guides earlier this month, a set of resources explaining how to get involved.
The IoT Era: A Connected World Where Even Teddy Bears Pose a Threat
2.2 million voice recordings of children and parents have allegedly been exposed in a CloudPets toys data breach, reports Computer Business Review. The CloudPets saga highlights two weak points: the manufacturers themselves, and the security practices around the products they ship. CloudPets has also brought open source databases back into the headlines, with MongoDB getting only a couple of weeks’ respite following the ransomware attacks of January. Troy Hunt revealed on his blog that the breached CloudPets data had been taken from a MongoDB database that was neither password-protected nor behind a firewall.
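The two failures Hunt describes, no authentication and no network restriction, correspond to two settings in mongod.conf. The following is an added example, not code from Hunt, CloudPets or Black Duck: it audits a mongod.conf for both mistakes and shows a weak configuration beside a hardened one. The sample configs, the private address 10.0.0.5 and the minimal parser are assumptions made for illustration.

```python
"""Audit a mongod.conf (YAML) for the two settings behind an open MongoDB:
listening on every interface and running without access control."""

# Constructed sample: the kind of config that leaves an instance reachable
# from the internet with no credentials (hypothetical, not CloudPets' file).
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed hardened counterpart: loopback plus one private app address,
# and mandatory authentication for every client.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # assumed private address of the app server
security:
  authorization: enabled        # every client must authenticate
"""


def parse_two_level(text):
    """Minimal parser for the flat 'section:\\n  key: value' layout that
    mongod.conf uses. Not a general YAML parser: comments and blank lines
    are ignored, and nesting deeper than two levels is flattened."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop trailing comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        if indent == 0:
            current = key
            sections[current] = value.strip() if value.strip() else {}
        elif current is not None and isinstance(sections[current], dict):
            sections[current][key] = value.strip()
    return sections


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means neither issue is present."""
    conf = parse_two_level(text)
    findings = []

    net = conf.get("net", {})
    if not isinstance(net, dict):
        net = {}
    bind = net.get("bindIp", "")
    if net.get("bindIpAll", "false").lower() == "true":
        findings.append("net.bindIpAll is true: listens on every interface")
    elif not bind:
        # Before MongoDB 3.6 an unset bindIp meant all interfaces.
        findings.append("net.bindIp unset: older releases listen on all interfaces by default")
    else:
        addrs = [a.strip() for a in bind.split(",")]
        if any(a in ("0.0.0.0", "::") for a in addrs):
            findings.append("net.bindIp includes a wildcard address: reachable from any network")

    sec = conf.get("security", {})
    if not isinstance(sec, dict):
        sec = {}
    if sec.get("authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization not enabled: anyone who can connect "
                        "can read, modify or drop every database")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["no findings"])
```

Binding to a private address is a network-reachability control, not a substitute for a host firewall or cloud security group in front of port 27017, and neither replaces authentication: a database that is reachable only from the application server is still fully exposed to anyone who compromises that server. A scan of the public address for port 27017 from outside the network is the quickest check that the firewall half of the fix actually took effect.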