This issue of Open Source Insight looks at how data leaks on Amazon servers may have exposed the personal information of 198 million American voters and 14 million Verizon customers. Is the federal cybersecurity infrastructure keeping up with threats? Why do so many companies have problems keeping their software up to date? Are vulnerability tools up to snuff? All this and more open source security and cybersecurity news…
via SC Media: A recent study by SkyHigh Networks found that seven percent of all Amazon S3 servers are exposed, which may explain a recent surge of data leaks in the last few months, including the information on 198 million American voters.
via GCN: With open source a significant part of the nation’s digital infrastructure, the risks associated with this type of software are enough to pique the interest of department officials, writes Black Duck VP of Product Management Patrick Carey.
via The Hill: If it’s not obvious yet that cybersecurity is a major issue, you’re not paying attention. Accordingly, cybersecurity must be a priority for all levels of government, not to mention the private sector. Yet much of the federal government’s networks remain vulnerable simply because of outdated and obsolete technology. This must change.
via Autobody News: Automakers are adopting open source software for core technologies like the infotainment operating system. This allows them to focus more resources towards the industry-wide race to develop new technologies, mobility services, and autonomous vehicles.
via Black Duck blog (Rob Hawkins): It's certainly been an interesting month thus far for the mobility industry. The House of Representatives passed the SELF DRIVE Act, which proposes to grant 25,000 autonomous light vehicle testing exemptions (ratcheting up to 100,000 within a few years), exemptions that supersede existing state laws for pre-market approval processes. The Department of Transportation (DOT) followed suit, trimming and softening prior guidelines. Now it’s up to the Senate, where similar legislation includes autonomous trucking. This is an area of considerable investment that, according to some, is accompanied by concerns surrounding artificial intelligence and jobs.
via Business Standard: Equifax, like most Fortune 100 firms, was using an open-source software platform called Apache Struts to run parts of its website. Every major piece of software has vulnerabilities, almost inevitably. When they’re found, typically the company or organization that writes the software creates a fix and shares it with the world, along with notifications that users should update to the latest version.
via Investor’s Business Daily: Equifax CEO and Chairman Richard Smith retired, effective immediately, in the wake of a recently disclosed massive hack that may have exposed up to 143 million Americans.
via The Stack: Many security professionals struggle hugely, on a daily basis, to communicate with the fast-moving needs of developers and operations staff who now need to get an application or service from the test development environment to live faster than ever before. Security teams are not experts in which typical open source libraries are needed for the safe and secure running of a specific web server or application stack.
via Third Certainty: While open source is no less secure than commercial code, most companies lack the visibility into and control over the open-source code they use, according to Mike Pittenger, vice president of security strategy at Black Duck. “Last year, Black Duck’s Center for Open Source Research & Innovation (COSRI) analyzed more than 1,000 applications that were audited as part of Merger & Acquisition transactions. The COSRI audit analysis found that while 96 percent of the applications contained open-source software, more than 60 percent of those applications contained known open-source security vulnerabilities,” he says.
via Black Duck blog (Mike Pittenger): The Equifax breach has brought Remote Code Execution (RCE) vulnerabilities in Struts into the spotlight. Nobody wants to be the “next Equifax,” much less the company leadership “retiring” or answering questions from Congress.
via Black Duck blog (David Znidarsic, Founder & President of Stairstep Consulting): The General Data Protection Regulation (GDPR) will be enforced starting on May 25, 2018. One of the requirements of the GDPR is that many companies that handle personal data of EU citizens will need to appoint either an employee or a contractor to be their Data Protection Officer.