OWASP Top 10, Red Hat OpenShift News, & Gmail Phishing Scam

On Wednesday, a worm started spreading through Gmail that suggested to users that a friend or colleague was trying to share a Google Doc with them. Google has already disabled the offending accounts (only 0.1 percent of users were affected) and says it was able to stop the worm within an hour. We should take this as a wake-up call that we're all potentially vulnerable to attack.

This week’s open source and open source security news includes stories on the eternal “open source good / bad” debate; five reasons why enterprises should be using open source; news from Red Hat Summit; and what CISOs need to know about cybersecurity.

CVE Numbers from the NVD: 1590 entries for April 2017; 50 entries currently for the month of May; a total of 5,238 reports to date for 2017.

If You Fell for the Gmail Phishing Scam, Here’s What to Do Next

It was a classic phishing scam, in which an attacker tries to gain access to your information by tricking you into opening something. If you opened the document, you were asked to grant it permission to access your account. Once granted, it sent itself to everyone in your address book.

Here's what to do to keep yourself safe and how to access Google's Security Checkup.

Five Reasons for Enterprise Use of Open Source

If there is any place in the enterprise where the use of open source software is still a hard sell, it's going to be with management, says ITPro Windows. Here's a brief list for managers (or anyone else who needs it) explaining some of the benefits that the use of open source brings to the enterprise. It's an incomplete list, since there are many more reasons than these, but it's a start.

Read the 2017 Open Source and Risk Analysis Report

Black Duck CEO Lou Shipley is a Semifinalist for EY Entrepreneur of the Year® 2017 New England Award

EY has announced that Black Duck CEO Lou Shipley is a semifinalist for the Entrepreneur Of The Year® 2017 Award in the New England region. The awards program, which is celebrating its 31st year, recognizes entrepreneurs who are excelling in areas such as innovation, financial performance and personal commitment to their businesses and communities. Shipley was selected as a semifinalist by a panel of independent judges. Award winners will be announced at a special gala event on June 27, 2017, at the Marriott Copley Place in Boston.

The Great Open-Source Software Debate: Does This Model Have a Future?

via SiliconAngle: It sounds like a good idea in concept: Outsource costly software development and testing operations to a community of skilled developers who work for free.

Then take the fruits of their labors and package them up with other add-ons and extensions (also created by other people for free) and sell it to enterprises that can’t be bothered with all the hassle of configuration, installation and support. Undercut your competition’s prices by 90 percent and still make money because your development costs are near zero. Rinse and repeat in other product categories.

Black Duck Hub Open Source Security and Management Solution Integrated with Red Hat OpenShift Container Platform

Black Duck announced at this week’s Red Hat Summit the integration of its Hub solution with Red Hat OpenShift Container Platform, the industry’s most comprehensive enterprise Kubernetes platform for traditional and cloud-native applications.

The Hub integration allows Red Hat OpenShift Container Platform users to automatically inventory all the open source components in a container image, identify known open source vulnerabilities and license-compliance obligations, and continuously monitor the inventory for new open source vulnerability disclosures.

“Innovative container technology is a breakthrough for development speed and agility, but persistent concerns about security have been barriers to container adoption in the enterprise,” said Black Duck CEO Lou Shipley.

Why the Red Hat-Amazon Partnership is a Big Deal in the Cloud

Here are the key details: Red Hat announced native access to Amazon Web Services products in its Red Hat OpenShift product. OpenShift is the company’s platform as a service (PaaS) application development software, and it’s also the company’s main tool for helping enterprises deploy application containers, including those from Docker. More at Network World.

Future Hosting Warns of the Dangers of Unmaintained Open Source Software

Future Hosting, a VPS hosting and dedicated server hosting provider, has warned developers of the security risks of using unmaintained open source projects in web sites and applications. The warning follows a report from Black Duck Software which showed how common it is for vulnerabilities to be introduced into applications via unmaintained open source projects (as reported in eWeek on April 21, 2017).

Open Source Security Audit 'Should Be a Wake-Up Call'

For at least nine years, ADTmag has been reporting on open source security issues, and two studies within the past couple of weeks demonstrate that the problems are persisting. Black Duck Software Inc. recently revealed the results of security audits it undertook that show "widespread weakness in addressing open source security vulnerability risks."

The company's Center for Open Source Research & Innovation (COSRI) last year conducted 1,071 source code audits, mostly associated with mergers and acquisitions, and discovered that more than 60 percent of the applications it examined contained open source security vulnerabilities.

What CISOs Need to Know About the State of Cybersecurity

via Forbes: Enterprises are under an endless stream of cyberattacks. The sophistication of these attacks is evolving, and their number is not expected to decrease. Any emerging technology, be it mobile devices and related BYOD policies, artificial intelligence and machine learning, or IoT, not only brings new opportunities but also widens the field of possible attack.

Since successful cyberattacks on applications can lead to lost revenue and loss of reputation, enterprises’ application landscape is business critical. Companies are more and more concerned about the security of their applications.

According to the Crowd Research Partners report, the apps available on the internet are viewed as presenting the highest security risk by half of the respondents, followed by mobile apps (41%), desktop apps (34%) and business software such as ERP (29%).

As for protection from attacks on applications, Forbes recommends training your developers, specifically on the OWASP Top 10 (the latest version was published just a few weeks ago). In addition, static and dynamic code analysis tools and WAF solutions are recommended. Gartner's recent Magic Quadrant update covering the top vendors in application security is a great source of information.

Open Web Application Security Project Updated Top 10

Late last month, the Open Web Application Security Project (OWASP) published a release candidate for the new OWASP Top 10 (T10). Black Duck VP of Security Strategy Mike Pittenger takes a look at what has remained and what has changed since the last version.

65% of Companies Increased Their Open Source Use in 2016. Did Yours?

Where does open source fit within your business strategy? Does your company contribute to open source projects? What elements do you think are most important to the success of open source within your organization?

If you’re passionate about open source, and if you’re the kind of person who cares about contributing to the open source community, we invite you to collaborate with us on the 2017 Open Source 360° Survey, a research initiative conducted through Black Duck’s Center for Open Source Research & Innovation (COSRI). COSRI leverages Black Duck’s comprehensive open source data-gathering expertise to conduct cutting-edge open source research.

Take the Open Source 360 Survey Today
