Struts in VMware, Law Firm Cybersecurity, Hospital Data Breaches

Struts and VMware, Law Firms & Cybersecurity, Hospital Data Breach Exposes Thousands

The need for cybersecurity vigilance is the overarching theme of this week’s news, as Google OSS-Fuzz finds more than 1,000 bugs, with 264 of them flagged as potential security bugs. The vuln that just keeps on strutting has impacted VMware products. Thousands of patient records are leaked in a New York Hospital data breach. More hospital data breaches may be imminent in the NHS Ransomware attacks announced today.

In other news, Allianz Germany is working with the local car manufacturing industry to highlight the vulnerabilities in the electronics systems of vehicles that can be exploited by criminals. What a website can tell you about a law firm’s cybersecurity awareness. The Top 10 open source audit management tools. How the Black Duck and Atlassian collaboration helps DevOps Teams build fast and secure. .NET component vulnerability analysis in-depth. And 6 things you didn’t know about commercial application security.

CVE Numbers from the NVD: 244 entries currently for the month of May including CVE-2017-5638, the open source vulnerability impacting some VMware products as reported below. Apache patched the Apache Struts 2 vulnerability on March 6, and VMware responded with its own fixes about a week later.

How Google’s OSS-Fuzz is Securing Open Source

“OSS-Fuzz has found numerous security vulnerabilities in several critical open source projects: 10 in FreeType2, 17 in FFmpeg, 33 in LibreOffice, eight in SQLite 3, 10 in GnuTLS, 25 in PCRE2, nine in gRPC, and seven in Wireshark, etc. We’ve also had at least one bug collision with another independent security researcher (CVE-2017-2801),” a team of software security engineers at Google wrote in a post.

Open Source Vulnerabilities Hit VMware

A remote code execution vulnerability in Apache Struts 2 affected four VMware products, reports TechTarget. Keeping a VMware environment secure goes beyond basic features and tools.

Because of [open source] benefits, many applications use open source. Black Duck Software Inc., a security software vendor based in Burlington, Mass., conducts hundreds of open source code audits annually and found that 96% of the 1,071 applications it analyzed in 2016 contained open source code.

Allianz Researchers Working with Car Makers on Cybersecurity

via Computer Weekly: Researchers were able to build an inexpensive electronic device to connect to the car to “sniff” internal commands using the open source Wireshark packet analyzer software. Once commands have been captured, they can be replayed to issue commands to the car’s various systems.

What A Law Firm’s Website Says About Its Cybersecurity Practices

Take a look at the law firm’s website because it’s a fairly accurate proxy for a firm’s technology and security savvy. Websites like these broadcast that these firms haven’t kept pace with technology and don’t recognize its value. As such, these attorneys aren’t likely to be well-schooled in, or familiar with even basic security practices needed to protect clients in the digital age.

I realize that using a website as a litmus test for security seems shallow — but as these two incidents bear out, a law firm’s commitment to cyber-security is too important to ignore.

Top 10 Open Source Audit Management Software 2017

via Small Business Software Reviews: Open source software presents a huge opportunity for organizations globally to access advanced software capability. Adopting open source solutions allows code assets to be shared and re-used, freeing organizations from massively expensive, inflexible “lock-in” solutions. To ensure that this potential is realized, it is imperative that organizations adopt a process for managing potential risk.

Black Duck’s Atlassian Integrations Help DevOps Teams Build Fast and Secure with Open Source

Black Duck announced on Tuesday a collaboration with Atlassian Corporation Plc, a leading provider of team collaboration and productivity software, to manage open source security, compliance, and quality risks, while ensuring DevOps teams maintain speed and agility.

The organizations’ goal is to provide development teams with solution integrations that enhance their ability to maintain velocity and security as they build software using open source components.

Black Duck has already released two Atlassian integrations to automate the management and security of open source and both are available through the Atlassian Marketplace.

Atlassian Bamboo & JIRA Plugins Help Teams Build Fast and Secure

via the Black Duck blog: Atlassian is one of the most impressive success stories in the DevOps landscape today. With tools such as Bamboo CI to help developers manage continuous delivery pipelines and JIRA to automate developer workflow processes, Atlassian plays an integral role within development and DevOps teams.

Truly, it’s hard to think of many teams that have adopted agile development and DevOps who aren’t using an Atlassian solution. Likewise, Black Duck has long been focused on enabling software development teams to gain automated visibility, intelligence, and control for their use of open source. Working with Atlassian is an obvious choice, and we are excited to announce our newest plugins: the Black Duck Hub Plugin for JIRA and the Black Duck Hub Plugin for Bamboo.

Open Source Security & Risk

.NET Component Vulnerability Analysis in Production

At Black Duck, we’ve been excited to participate in the flurry of growth in the .NET ecosystem, blogs Senior Software Engineer Yev Bronshteyn. Our Visual Studio Extension helps developers detect open source risks early, when it is easiest and most cost-effective to eliminate them.

However, in some cases, a Visual Studio project or any build file or other composition metadata may not be available. Perhaps an application's source code (and the component data that comes with it) has been lost. Perhaps the application was provided by a vendor who has never made the source code available in the first place. Or perhaps, in addition to scanning application dependencies, we want to include the actual production runtime in our scan. Is such component analysis possible?

Commercial Application Security: 6 Facts You Didn't Know

Many people know Black Duck from our security and software license compliance business. However, we also have a very strong On-Demand business. Our On-Demand business performs one-time audits of software, typically as part of due diligence in an M&A transaction. In these engagements, the entities acquiring a software company will “Black Duck” the codebase of the target company to confirm that the code is not hampered by restrictive licenses or unacceptable security risk.

In 2016, we audited over 1,000 codebases, and anonymized and analyzed the results in this year’s Open Source Software Risk Assessment report. You can read the whole report here, but Black Duck VP of Security Strategy, Mike Pittenger, wants to share the top 6 takeaways from a security standpoint on open source management in commercial applications.

Thousands of Patient Records Leaked in New York Hospital Data Breach

Medical records of at least 7,000 people compromised in a data breach involving Bronx Lebanon Hospital Center in New York disclosed patients' mental health and medical diagnoses, HIV statuses and sexual assault and domestic violence reports, according to records reviewed by NBC News.

Other information in the compromised records, which online security experts said spanned 2014 to 2017, included names, home addresses, addiction histories and religious affiliations.

NHS Cyber-Attack: GPs and Hospitals Hit by Ransomware

According to the BBC: "NHS services across England and Scotland have been hit by a large-scale cyber-attack, which is being treated as a major incident.

The prime minister said the incident was part of a wider attack affecting organisations around the world."

We'll continue to follow this story; speculation today is that it appears to be exploiting a vulnerability in Windows through an NSA exploit leaked by The Shadow Brokers last month.

