Drupageddon, Heartbleed Problems & Open Source 360 Survey Results


CVE-2014-3704, aka “Drupageddon”, and CVE-2014-0160, the everlasting Heartbleed, are our co-pick CVEs of the week. Even though both vulnerabilities were disclosed back in 2014, both are still demonstrating how a lack of insight into open source vulnerabilities can lead to anything from a 6.7 million record leak to a £100,000 fine. The ICO/Gloucester City Council story is particularly interesting, or frightening: it reads as a clear wake-up call to organizations that will have to comply with the GDPR about what to expect once the regulation takes effect in May 2018.

Read on for the open source security stories you need to know this week.

Data Protection Fine Shows Security Risks from Using Open Source Software Cannot Be Ignored, Says Expert

via Out-Law.com: The UK's Information Commissioner's Office (ICO) imposed a £100,000 fine on Gloucester City Council over its failure to fix a weakness in the security of its website. [It] failed to ensure software it was using was updated to fix a vulnerability in coding known as the 'Heartbleed' bug, which was identified in April 2014 as existing in some versions of encryption software developed by the open source 'OpenSSL Project.'

Open Source Security Challenges in Cars

via Information Age: Both auto OEMs and their suppliers should adopt management practices that inventory open source software; that map software against known vulnerabilities and alert on new security threats; that identify potential licensing and code quality risks; and that maximise the benefits of open source while effectively managing risks.

Georgia Special Election Disruption Concerns Rise After 6.7M Records Leaked

via SC Media: Several security vulnerabilities in systems used to manage Georgia's election technology, exposing the records of 6.7 million voters months before the nation's most expensive House race, slated for June 20, have raised fears that the election could be disrupted… the site was also using an outdated version of Drupal containing a critical vulnerability dubbed “Drupageddon.”
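The "inventory, then map against known vulnerabilities" practice recommended in the Information Age piece above is, at its core, matching component versions against advisory ranges. The following is an added example (not code from this page, from Black Duck, or from any of the articles cited) of that matching, using the two CVEs of the week: Heartbleed affects OpenSSL 1.0.1 through 1.0.1f (fixed in 1.0.1g), and Drupageddon affects Drupal 7.x before 7.32. The inventory and the advisory table are constructed here for illustration; the function and variable names are the example's own.

```python
import re

# Affected ranges from the public advisories for the two CVEs discussed on
# the page, expressed as [introduced, fixed) with the fixed version exclusive.
ADVISORIES = [
    {"component": "openssl", "cve": "CVE-2014-0160",
     "introduced": "1.0.1", "fixed": "1.0.1g"},
    {"component": "drupal", "cve": "CVE-2014-3704",
     "introduced": "7.0", "fixed": "7.32"},
]

# Constructed sample inventory, the kind of (component, version) list an SBOM
# or package scan of a web server would produce.
INVENTORY = [
    ("openssl", "1.0.1e"),
    ("openssl", "1.0.1g"),
    ("openssl", "1.0.2k"),
    ("drupal", "7.31"),
    ("drupal", "7.50"),
]

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)([a-z]?)")


def parse_version(v):
    """Return a sortable key for a dotted version with an optional OpenSSL-style
    letter suffix: '1.0.1f' -> ((1, 0, 1, 0), 6), '7.31' -> ((7, 31, 0, 0), 0).
    Numeric fields are padded to four so '1.0.1' sorts below '1.0.1a' and
    '7.31' compares correctly against '7.32'."""
    m = _VERSION_RE.fullmatch(v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    if len(nums) > 4:
        raise ValueError(f"too many version fields: {v!r}")
    nums += [0] * (4 - len(nums))
    suffix = ord(m.group(2)) - ord("a") + 1 if m.group(2) else 0
    return (tuple(nums), suffix)


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed under parse_version ordering."""
    key = parse_version(version)
    return parse_version(introduced) <= key < parse_version(fixed)


def match_inventory(inventory, advisories):
    """Return (component, version, cve) for every inventory entry that falls
    inside an advisory's affected range for the same component."""
    hits = []
    for component, version in inventory:
        for adv in advisories:
            if adv["component"] == component and is_affected(
                version, adv["introduced"], adv["fixed"]
            ):
                hits.append((component, version, adv["cve"]))
    return hits


if __name__ == "__main__":
    for component, version, cve in match_inventory(INVENTORY, ADVISORIES):
        print(f"{component} {version}: affected by {cve}")
```

Run stand-alone, this flags OpenSSL 1.0.1e and Drupal 7.31 and leaves 1.0.1g, 1.0.2k and 7.50 alone. One caveat a practitioner would want: distribution packages often backport fixes while keeping the upstream version string (a Debian OpenSSL 1.0.1e package may already carry the Heartbleed patch), so matching on upstream version alone produces false positives and must be combined with package-level patch information or a direct test of the running service.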

Black Duck Center for Open Source Research & Innovation Releases 2017 Open Source 360 Degree Survey 

via TechBuzz Ireland: Even as their organisations are embracing open source to accelerate application development and increase development agility, respondents expressed concern about license risk/loss of intellectual property (66%); exposure of internal applications to exploitation from open source vulnerabilities (64%); exposure of external applications to exploitation because of open source vulnerabilities (71%); unknown quality of components (74%); and failure of development teams to adhere to internal policies (61%).

Open-source Software Management Fails to Meet Security Concerns 

via ZDNet: Released on Thursday, the survey, made up of 819 US and EMEA software developers, IT professionals, security experts, and systems architects, says that in the last year there has been a significant uptake in the use of open-source software, with almost 60 percent of respondents saying their organizations make use of open-source community-based development.

Watch the Open Source 360 Results Webinar

Is the Open Source You Use a Security Risk?

via CodeGuru: If you are using open source software or considering it, then it is important to understand the potential risks. On June 20th, at 1:00 p.m. ET (10:00 a.m. PT), join Lenny Liebmann and Mike Pittenger in a webinar where they discuss open source security and management best practices that you can use to reduce security risks. For more on this event or to register, you can go to eWeek’s eSeminar registration page here.

6 Recommendations for Healthcare Cybersecurity

via Black Duck blog (Mike Pittenger): Early last year, in response to the Cybersecurity Act of 2015, the US Department of Health and Human Services (HHS) established The Health Care Industry Cybersecurity Task Force. This month the task force published its recommendations to improve healthcare cybersecurity.

While non-binding (today), the recommendations should be considered a heads up to health care organizations, “covered entities” (in the words of HIPAA), and device manufacturers. Let’s take a look at some of the challenges and advice from the task force for improving healthcare cybersecurity.

