Amazon Servers Exposed and How Not to be the Next Equifax

Amazon Servers Exposed, Open Source & the Public Sector, How Not to be the Next Equifax

This issue of Open Source Insight looks at how data leaks on Amazon servers may have exposed the personal information of 198 million American voters and 14 million Verizon customers. Is the federal cybersecurity infrastructure keeping up with threats? Why do so many companies have problems keeping their software up to date? Are vulnerability tools up to snuff? All this and more open source security and cybersecurity news…

Researchers Find 7 Percent of All Amazon S3 Servers Exposed

via SC Media: A recent study by SkyHigh Networks found that seven percent of all Amazon S3 servers are exposed, which may explain the surge of data leaks in the last few months, including the information on 198 million American voters.

Open Source and the Public Sector

via GCN: With open source a significant part of the nation’s digital infrastructure, the risks associated with this type of software are enough to pique the interest of department officials, writes Black Duck VP of Product Management, Patrick Carey.

Cybersecurity Threats Demand Modernizing Federal Technology

via The Hill: If it’s not obvious yet that cybersecurity is a major issue, you’re not paying attention. Accordingly, cybersecurity must be a priority for all levels of government, not to mention the private sector. Yet much of the federal government’s networks remain vulnerable simply because of outdated and obsolete technology. This must change.

How Open Source is Transforming the Automotive Industry

via Autobody News: Automakers are adopting open source software for core technologies like the infotainment operating system. This allows them to focus more resources towards the industry-wide race to develop new technologies, mobility services, and autonomous vehicles.

3 Keys to the Road Ahead with Autonomous Vehicles

via Black Duck blog (Rob Hawkins): It's certainly been an interesting month thus far for the mobility industry. The House of Representatives passed the SELF DRIVE Act, which proposes to grant 25,000 autonomous light vehicle testing exemptions (ratcheting up to 100,000 within a few years), exemptions that supersede existing state laws for pre-market approval processes. The Department of Transportation (DOT) followed suit, trimming and softening prior guidelines. Now it’s up to the Senate, where similar legislation includes autonomous trucking. This is an area of considerable investment that, according to some, is accompanied by concerns surrounding artificial intelligence and jobs.

Why Don't Big Companies Keep Their Computer Systems Up-to-date?

via Business Standard: Equifax, like most Fortune 100 firms, was using an open-source software platform called Apache Struts to run parts of its website. Every major piece of software has vulnerabilities, almost inevitably. When they’re found, typically the company or organization that writes the software creates a fix and shares it with the world, along with notifications that users should update to the latest version.

Equifax CEO Richard Smith Retires After Mass Hack

via Investor’s Business Daily: Equifax CEO and Chairman Richard Smith retired, effective immediately, in the wake of a massive hack recently disclosed that may have exposed up to 143 million Americans.

Threat Check for Struts

The Equifax Example: Bridging the Gap Between Security and DevOps

via The Stack: Many security professionals struggle to keep pace with the fast-moving needs of developers and operations staff, who now need to get an application or service from the test and development environment to production faster than ever before. Security teams are not experts in which open source libraries a specific web server or application stack needs in order to run safely and securely.

Flaws in Open-source Software Pose Big Risks to Companies That Use It

via Third Certainty: While open source is no less secure than commercial code, most companies lack the visibility into and control over the open-source code they use, according to Mike Pittenger, vice president of security strategy at Black Duck. “Last year, Black Duck’s Center for Open Source Research & Innovation (COSRI) analyzed more than 1,000 applications that were audited as part of Merger & Acquisition transactions. The COSRI audit analysis found that while 96 percent of the applications contained open-source software, more than 60 percent of those applications contained known open-source security vulnerabilities,” he says.

Nessus, Qualys, Metasploit for Struts Vulnerabilities?

via Black Duck blog (Mike Pittenger): The Equifax breach has brought Remote Code Execution (RCE) vulnerabilities in Struts into the spotlight. Nobody wants to be the “next Equifax,” much less the company leadership “retiring” or answering questions from Congress.

So, You Want to Be a Data Protection Officer

via Black Duck blog (David Znidarsic, Founder & President of Stairstep Consulting): The General Data Protection Regulation (GDPR) will be enforced starting on May 25, 2018. One of the requirements of the GDPR is that many companies who handle personal data of EU citizens will need to appoint either an employee or contractor to be their Data Protection Officer.

Register Now - Webinar: GDPR and Open Source: Best Practices for Security and Data Protection
