COSRI research director Chris Fearon makes the case that Equifax was either unaware of or slow to respond to reports of known critical vulnerabilities in their system, and as a result had not upgraded to safer versions. That opinion was later proven out by Congressional hearings into the breach, as Fred Bals relates in his blog on whether SAST and DAST fell down on the job for Equifax. Black Duck VP and General Counsel, Matt Jacobs partners with Irwin Mitchell’s Dan Headley to review what GDPR will mean for open source code. Is open source more dangerous than Windows? And Larry Ellison claims Oracle could have saved Equifax from much heartache in this week’s open source security and cybersecurity news wrap.
via SC Media: GDPR is a top-to-bottom reform of European data privacy law and deals with a much wider range of topics than information security. Nevertheless, security is a key element of GDPR's overall policy objective of promoting transparency, accountability and trust in organisations which deal with people's data, and its security provisions are a critical part of achieving that objective...
via Black Duck blog (Christopher Fearon): The timeline of related events makes it clear that fixed versions of Struts were available at or before the security advisories were published, and that known exploits were not available in the wild beforehand. The timeline also bears witness to Apache's assertions of consistent good practise and tells us that the attack was likely to be a product of poor security practises on the part of Equifax.
via IBM Systems Magazine: Modernization has evolved from a buzzword to an imperative for any business that wishes to stay competitive. New computer hardware and enhanced internet interconnectivity don’t simply offer greater power and faster speeds, they allow for new possibilities. It’s in this environment — which includes the Internet of Things (IoT) — where open-source databases (OSDBs) are increasingly relied upon.
via Industry of Things (Germany): Safe software is a short-lived concept. What is considered safe today can change overnight when new vulnerabilities are discovered and disclosed. The older the code, the higher the probability that vulnerabilities will be revealed.
via ComputerWorld: The Equifax breach is the latest example of attackers targeting open-source software in the enterprise.
via Black Duck blog (Fred Bals): [Equifax] hasn’t elaborated so far on what was used to “scan” the Equifax systems, but given its failure to identify a known open source vulnerability, one could assume that it wasn’t a dedicated open source vulnerability management solution (or if it was, Equifax should seriously consider asking for its money back). It’s more likely that Equifax was using some combination of traditional SAST and DAST tools to protect itself.
via Market Watch: The massive data breach at Equifax Inc. could have been prevented with Oracle Corp.’s automated databases, Larry Ellison claimed Tuesday, using the credit-reporting company’s woes as a selling point for Oracle’s new product.
via Black Duck blog (Masha McConaghy | Founder & CMO of BigchainDB): For nine years, the Black Duck Open Source Rookies of the Year awards have recognized some of the most innovative and influential open source projects launched during the previous year. We sat down with Founder and CMO Masha McConaghy to hear the exciting story of one of this year's rookies: BigchainDB.
via Techcrunch: The NSA suffered a serious breach in 2015, exposing the agency’s cyberwarfare strategy, including its own defenses and methods of attacking foreign networks, reports The Wall Street Journal today. Russian intelligence is said to be behind the attack, and software from Russia-based Kaspersky labs is suggested to have been their vector.
via Forbes: what if we started using a unified rating system for evaluating cybersecurity like we do in all other aspects of business? That system is already underway.
via Black Duck blog (Hal Hearst): In my previous post I wrote about how the changing situation around open source management has pushed the need for an exception based review process for open source. In my opinion, it's the only process that really works. And by “works,” I mean scales across a large enterprise in which the use of open source is common. Exception based is a key element in the “fast & simple” approach.