You Can’t Beat Hackers and the Pentagon Moves into Open Source

You Can’t Beat the Hackers, Pentagon Moves into Open Source, Autonomous Cars and IoT

We take a deep dive into security researchers Charlie Miller and Chris Valasek’s keynote at last week’s FLIGHT 2017 conference. What is “Hidden Cobra” and is it targeting US aerospace, telecommunications and finance industries? Both banks and the Pentagon are making big moves into open source. And why it’s smart to assume that every application is an on-premise application.

The best of November’s application security and open security news (so far) follows in this week’s edition of Open Source Insight. 

IoT Security Pros: You Can’t Beat the Hackers, You Can Only Contain Them

via MSSP Alert: Internet of Things (IoT) security bulls might not like this one: You can’t count on beating the hackers (there are too many unsecured devices to bolt down), but you may be able to contain them. How so? By concentrating on the big stuff, according to security experts Charlie Miller and Chris Valasek, in remarks delivered at Black Duck Software’s FLIGHT 2017 conference in Boston.

It Wasn’t an Equifax Toaster That Stole 145M People’s Personal Data

via Black Duck blog (Fred Bals): The good news? Bad guy hackers are lazy, and will move on to easier pickings when confronted with good security. The bad news? Good security is often expensive, and not necessarily a cost businesses are enthusiastic about adding to product prices and passing on to customers. Those were key takeaways from security researchers Charlie Miller and Chris Valasek’s keynote at last week’s FLIGHT 2017 conference.

Equifax & Apache Struts Vulnerability CVE-2017-5638: A Five-Year Timeline From Bug To Breach

U.S. Government Issues Alerts About Malware and IP Addresses Linked to North Korean Cyber Attacks

via TechCrunch: US-CERT, the Department of Homeland Security team responsible for analyzing cybersecurity threats, has posted a warning about cyber-attacks by the North Korean government, which it collectively refers to as “Hidden Cobra.” The technical alert from the FBI and Department of Homeland Security says a remote administration tool (RAT) called FALLCHILL has been deployed by Hidden Cobra since 2016 to target the aerospace, telecommunications and finance industries.

Known Security Vulnerabilities Are a Hacker's Guide to an IoT Breach

via IoT Journal: More than 90 percent of the software written these days integrates open-source code. Such code is used in IoT firmware, operating systems, network platforms and applications. This trend will only continue to grow because, by leveraging open-source, developers can lower assembly costs and quickly add innovations, thereby saving months or years of originally required development time. Whether software code is proprietary or open-source, it harbors security vulnerabilities. 

The Pentagon Is Set to Make a Big Push Toward Open Source Software Next Year

via the Verge: Besides cost, there are other compelling explanations for why the military might want to go open source. One is that technology outside the Pentagon simply advances faster than technology within it, and by availing itself to open-source tools, the Pentagon can adopt those advances almost as soon as the new code hits the web, without going through the extra steps of a procurement process.

Banks Are Increasingly Turning to Open Source Projects. Here's Why.

via American Banker: The weakest points of most software programs are the flaws or bugs that can be exploited by hackers and cybercriminals. Recent case in point: the $300 million worth of Ether locked in Parity digital wallets because a coder was able to poke around in Parity’s digital wallet and kill a smart contract, thus freezing all wallets that smart contract governed. The Equifax breach is another example: a weakness in an open source software package called Apache Struts allowed hackers to steal millions of sets of consumer data. (A patch was available for the Apache software, but Equifax didn’t apply it.)

It’s Time to Enlist Security Champions to Fuel Agile Development

via Synopsys blog (Brendan Sheairs): A traditional software security group (SSG) isn’t equipped to apply security activities to Agile development environments effectively. Applying security to agile processes requires the injection of security-related people, processes, and testing activities at a sprint tempo… So how can we inject security into Agile development?

Virgin Hyperloop One Joins GENIVI Alliance

via Business Insider: The GENIVI Alliance, a collaborative community of automakers and their suppliers developing open software for in-vehicle infotainment (IVI) and the connected car, today announced that Virgin Hyperloop One, the only company in the world that has built and successfully tested a full-scale hyperloop system, has joined the Alliance to work with the strong GENIVI ecosystem and leverage its proven history of open source software collaboration. 

Assume Every Application is an On-Premises Application

via Black Duck blog (David Znidarsic): if prevention or knowledge of an application’s required client-side installations is important to you, you need to do a technical analysis of what is and what is not installed; don’t rely on marketing materials and naïve categorizations. In the absence of such an analysis, assume every application you use requires some type of client-side installation.

From Consumers to Contributors: The Evolution of Open Source in the Enterprise

via Computer Weekly: The 11th edition of Black Duck Software’s annual report into enterprise open source usage reveals that 66% of the 819 respondents regularly contribute to open source projects. Also, just under half (48%) said the number of individual contributors within their organisation was set to rise.

Watch the Open Source 360 Results Webinar
