Open Source and GDPR Best Practices, Struts RCE Vulnerabilities, SAST, DAST & Equifax

COSRI research director Chris Fearon makes the case that Equifax was either unaware of or slow to respond to reports of known critical vulnerabilities in its systems, and as a result had not upgraded to safer versions. That opinion was later borne out by Congressional hearings into the breach, as Fred Bals relates in his blog on whether SAST and DAST fell down on the job for Equifax. Black Duck VP and General Counsel Matt Jacobs partners with Irwin Mitchell’s Dan Headley to review what GDPR will mean for open source code. Is open source more dangerous than Windows? And Larry Ellison claims Oracle could have saved Equifax from much heartache in this week’s open source security and cybersecurity news wrap.

How Do We Reconcile the Open Source Security Risk With GDPR Best Practice? 

via SC Media: GDPR is a top-to-bottom reform of European data privacy law and deals with a much wider range of topics than information security. Nevertheless, security is a key element of GDPR's overall policy objective of promoting transparency, accountability and trust in organisations which deal with people's data, and its security provisions are a critical part of achieving that objective...

Examining Apache Struts RCE Vulns

via Black Duck blog (Christopher Fearon): The timeline of related events makes it clear that fixed versions of Struts were available at or before the time the security advisories were published, and that known exploits were not available in the wild beforehand. The timeline also bears witness to Apache's assertions of consistent good practice and tells us that the attack was likely a product of poor security practices on the part of Equifax.

The Next Step in Modernization 

via IBM Systems Magazine: Modernization has evolved from a buzzword to an imperative for any business that wishes to stay competitive. New computer hardware and enhanced internet interconnectivity don’t simply offer greater power and faster speeds, they allow for new possibilities. It’s in this environment — which includes the Internet of Things (IoT) — where open-source databases (OSDBs) are increasingly relied upon.

The Attack of the Car Wash System and Other Menacing Stories of the Internet of Things  

via Industry of Things (Germany): Safe software is a short-lived concept. What is considered safe today can change overnight when new vulnerabilities are discovered and disclosed. The older the code, the higher the probability that vulnerabilities will be revealed.

Step Aside, Windows! Open Source and Linux Are IT’s New Security Headache

via ComputerWorld: The Equifax breach is the latest example of attackers targeting open-source software in the enterprise.

Did SAST and DAST Fail Equifax?

via Black Duck blog (Fred Bals): [Equifax] hasn’t elaborated so far on what was used to “scan” the Equifax systems, but given its failure to identify a known open source vulnerability, one could assume that it wasn’t a dedicated open source vulnerability management solution (or if it was, Equifax should seriously consider asking for its money back). It’s more likely that Equifax was using some combination of traditional SAST and DAST tools to protect itself.

Ellison Claims Oracle Software Could Have Prevented Equifax Hack  

via Market Watch: The massive data breach at Equifax Inc. could have been prevented with Oracle Corp.’s automated databases, Larry Ellison claimed Tuesday, using the credit-reporting company’s woes as a selling point for Oracle’s new product.

BigchainDB Brings Scalable Database Technology to Blockchains

via Black Duck blog (Masha McConaghy | Founder & CMO of BigchainDB): For nine years, the Black Duck Open Source Rookies of the Year awards have recognized some of the most innovative and influential open source projects launched during the previous year. We sat down with Founder and CMO Masha McConaghy to hear the exciting story of one of this year's rookies: BigchainDB.

Russian Intelligence Reportedly Breached the NSA in 2015, Stealing Cybersecurity Strategy

via Techcrunch: The NSA suffered a serious breach in 2015, exposing the agency’s cyberwarfare strategy, including its own defenses and methods of attacking foreign networks, reports The Wall Street Journal today. Russian intelligence is said to be behind the attack, and software from Russia-based Kaspersky labs is suggested to have been their vector.

FICO-Like Cybersecurity Scores Are Imminent: What Do They Mean For Your Business?

via Forbes: What if we started using a unified rating system for evaluating cybersecurity, as we do in all other aspects of business? That system is already underway.

Exception Based Review Process – Less Is More!

via Black Duck blog (Hal Hearst): In my previous post I wrote about how the changing situation around open source management has pushed the need for an exception based review process for open source. In my opinion, it's the only process that really works. And by “works,” I mean scales across a large enterprise in which the use of open source is common. Exception based is a key element in the “fast & simple” approach.
