2016 Breaks Vuln Record and Avoiding a Podesta-Style Email Hack

For the first full week of February, the NVD reports 363 vulnerability entries. Speaking of vulnerabilities, Risk Based Security announced this week that 2016 broke the previous all-time record for the highest number of reported vulnerabilities. The 15,000 vulnerabilities cataloged during 2016 by Risk Based Security eclipsed the total covered by the CVE and National Vulnerability Database (NVD) by more than 6,500. You can learn more from their 2016 Year End VulnDB QuickView report.

In other cybersecurity and open source news: Black Duck’s Senior Technologist publishes a thought-provoking and controversial claim that the container community is failing to recognize lessons from the past when it comes to security. Agree? Disagree? You have the opportunity to continue the conversation with Tim about container security at Container World 2017 at his panel, “Container Security: Countering the Container Challenges” on February 23rd. 

IBM is embarking on a new era of open source accessibility by releasing tooling, samples and design patterns to help streamline the development of inclusive web and mobile applications. Josh Bressers, cybersecurity strategist at Red Hat, in conversation with InfoWorld's Paul Krill, focuses on vetting open source as part of the software supply chain. Security vendors take baby steps toward working together for the greater good. And Black Duck Software Architect Damon Weinstein blogs on how you can avoid a Podesta-style XSS email hack.

The Biggest Risk with Container Security Is Not Containers

Tim Mackey, Technology Evangelist at Black Duck Software, writes in Cloud + Enterprise Technology (UK) on why attacks that target the datacenter are a threat to containers.

“The biggest risk I see with container security is that attacks are mounted on applications far more often than on perimeter defenses. Increasing container security should start with increasing the security of the applications deployed in containers. Only then will we have an effective defense-in-depth model. Yes, we also need more secure container frameworks, but when those frameworks know nothing about the applications they encapsulate, they can’t possibly prevent well-crafted application attacks.”

Inclusive Development Gets Open Source Tools from IBM

According to Black Duck Software’s Future of Open Source Survey 2016, “78 percent of companies run on open source and 88 percent say that they plan to contribute more to open source over the next few years.” As open source tooling and contributions continue to grow, IBM Accessibility Research is making accessibility more available, easier to deploy, and an integral part of the ecosystem of open technologies.

Open Source Users: It’s Time for Extreme Vetting 

Josh Bressers, cybersecurity strategist at Red Hat, emphasized that users also must be wary of issues the code can present and implement proper vetting during a recent talk with InfoWorld Editor at Large Paul Krill. “Open source won. It won because it's used everywhere now. But now we have a supply chain problem we need to start thinking about and that is, where did you get it and how is it being taken care of, because software doesn't age well. This is something that you have to take care of and you have to pay attention to. You can't just pull software into your project and you're done.” 

Vulnerabilities Hit High Water Mark in 2016

Via Dark Reading: It's the same story, but a different year for application security as a new report today shows that for the fifth year running the number of reported software vulnerabilities broke an all-time record. According to the report from Risk Based Security, which counted vulnerabilities catalogued on the firm's VulnDB intelligence platform, 2016 tallied 15,000 new vulnerabilities disclosed. Compared to 2011, this represents an increase of more than 85% in vulnerabilities disclosed annually.   

Friends or Enemies? Security Vendors Tiptoe Towards Collaboration

Via CSO: IT security has become one of the most complex elements of a modern IT environment, requiring layers of protection, along with advanced analytics to block attacks, halt intruders and secure data. Nonetheless, the current layers of security fail at times, often due to a single vendor approach to creating those layers of security. Naturally, vendors are not all to blame, except for the fact that a lack of collaboration and technology transfer among those security vendors effectively creates silos of protection, regardless of the number of layers installed. Simply put, the threats of today are larger than any one vendor, meaning that the isolation of security technology must become a thing of the past.

How to Avoid a Podesta-style XSS Email Hack

“We learned how hackers exploit a cross-site scripting (XSS) vulnerability, a vulnerability caused by a web application displaying one user's input to other users (such as comments at the bottom of a page) without first encoding it,” blogs Black Duck Software Architect Damon Weinstein. “This type of vulnerability allows arbitrary code (JavaScript) to be executed in the browser. We then used a program called BeEF to hook the browser and display a fraudulent Gmail login page, exactly as was done to Podesta.”
