Balancing Agility and Open Source Security for DevOps


Lots of DevOps news this week, including why automation is critical for securing code, as well as balancing agility with security needs.  Learn how to manage security in GitHub projects with CoPilot from Black Duck Software. Pre-GDPR, Carphone Warehouse gets hit with £400k fine over a 2015 hack.  And why you should think like your attackers when developing your cybersecurity portfolio.

Read on for this week’s cybersecurity and open source security news in Open Source Insight! 

Sidestepping the Security Traps of Open Source

via CA Technologies: According to security company Black Duck Software, now part of Synopsys, open source components are used in 96 percent of all proprietary applications. On average, a total of 147 different open source components are used in an application. Most important from a security standpoint is that 67 percent of all applications use components that have known vulnerabilities.

2017 Open Source Security and Risk Analysis Report

Manage Security Risk in GitHub Open Source Projects with CoPilot

via Black Duck blog (Lisa Bryngelson): CoPilot is a publicly-facing free application that allows owners of open source projects on GitHub to monitor security risk associated with used components as part of their Git Flow development process.

Automation Critical to Securing Code in an Agile, DevOps World

via GovTech Works: Performing a manual, detailed security analysis of each open-source software component takes hours to ensure it is safe and free of vulnerabilities. Tools from Sonatype, Black Duck of Burlington, Mass., and others can automate most of that work.

Open Source Software Security Challenges Persist, but the Risk Can Be Managed

via CSO: "In the average application, over a third of the code base is open source," says Mike Pittenger, Black Duck security strategist at Synopsys, Inc. "To replace that third of the code base, you're going to have to increase either your development team or development time by 50 percent -- and I don't think those are viable options in today's world."

Carphone Warehouse Slapped With Maximum £400k Fine by ICO Over 2015 Hack

via V3: Carphone Warehouse used 'out-of-date software and failed to carry out routine security testing', says ICO.

Black Duck by Synopsys: Being Part of Our Kind of Company

via Black Duck blog (Phil Odence): The Black Duck audit business is built on trust, doing great work, and, critically, responsiveness. We pride ourselves on “moving at the speed of transactions.” As part of a large public company, can we remain as amazingly responsive as we have been to client needs? Yes!

Does DevOps Plus Open Source Equal Security?

via Forbes: The pressure on development teams to become agile and work at DevOps speeds has led to an increase in the use of open-source software. However, a hidden danger in increasing reliance on software you haven’t developed is that it typically carries with it performance and security risks, which must be properly identified and fixed before an application goes into production.

Synopsys Forms Technical Advisory Board for Software Integrity Group

via Synopsys: Five-member board of experienced security executives to guide technical innovations of Synopsys security products and services.

Why Thinking Like Your Enemy Is A Valuable Strategy For Your Cybersecurity Portfolio

via Forbes: When you have third parties that are providing services to you, that’s a much different threat model, because then you have to ask: what if someone actually attacks the third-party provider and we’re using their software in our architecture? What if someone taints the supply chain and actually puts rogue code into our code base?
