Welcome to the March 2nd edition of Open Source Insight from Black Duck by Synopsys! We look at places you’d never expect to find GDPR data, as well as answers to your most-frequently-asked GDPR questions. Synopsys Principal Scientist Sammy Migues explores why enterprises must have a software security program while Black Duck Technology Evangelist, Tim Mackey, takes a look at building application security into the heart of DevOps. Plus, a report that may give you nightmares on the malicious possibilities of AI. All the cybersecurity and open source security news fit to print lies ahead for your reading pleasure…
via Black Duck blog: Application development thrives on the use of open source components, writes Black Duck Technology Evangelist, Tim Mackey. Why? Quite simply, there are many benefits to using open source components, including the ability to leverage the skill sets and expertise of the open source community, take advantage of the efforts of larger development teams, and reduce costs. To use open source components safely and responsibly, organizations need visibility into which open source components they’re using, where those components originate, and what security risk each component carries.
via TechRepublic: One of the advantages of open source - transparent, customizable code which is accessible by anyone - can be turned into a disadvantage. If the code contains vulnerabilities which can be exploited, malicious individuals may be able to capitalize upon this. Without a proprietary vendor on the hook for releasing updates, fixes may be slower to arrive (though to be fair a strong developer community can develop solutions more readily as well).
via InfoSecurity Magazine: The security problems associated with open source components are nothing new. A study from Synopsys last year revealed that half of the third-party components used in software applications are outdated and possibly insecure. Yet another report, this time from Black Duck’s Center for Open Source Research and Innovation last year, claimed that over 60% of all apps using open source components contain known software vulnerabilities.
via InfoSecurity Magazine: In today’s complex, technology-dependent enterprises, the answer to “Why?” is straightforward, writes Sammy Migues, Principal Scientist at Synopsys. Enterprises cannot expect a collection of independent activities (a pen test here, an hour of training there, some free tools that may not work as advertised) to consistently result in secure software.
via University of Oxford: This report surveys the landscape of potential security threats from malicious uses of artificial intelligence technologies, and proposes ways to better forecast, prevent, and mitigate these threats.
via UKTN: The Northern Irish capital is emerging as a growing cyber hub, as evidenced by a number of leading companies establishing a presence there in the last few years. In 2016 alone, three major US software firms – Black Duck, Rapid 7 and Alert Logic – came to the city, bringing with them more than 200 jobs.
via Black Duck blog: In technology deals, one of the biggest areas of focus for PE firms before final acquisition is tech due diligence to help acquirers understand the intellectual property they’re buying. Savvy buyers will also put processes in place to maintain the value of the assets acquired and to ensure there are no issues with those assets when it’s time to divest.
via Bloomberg Technology: Cars must use Automotive Grade Linux, an open-source platform being developed by Toyota Motor Corp. and other auto manufacturers and suppliers to underpin all software running in the vehicle. The only cars currently on the system are Toyota’s new Camry and Sienna and the Japanese version of the plug-in Prius, though the carmaker plans to expand that list. AGL has been growing too, reaching 114 members currently, up from around 90 a year earlier. Amazon signed on last month.
via Synopsys Software Integrity blog: GDPR will become fully enforceable throughout the EU on May 25, 2018.
via CMSWire: GDPR is months away, and yet even well-prepared companies are finding last-minute surprises as they race to the finish line. Part of the problem is that the regulation itself is so complex; another part is the surprising range of data that falls under the regulation.