GDPR Best Practices, Struts RCE Vulns, SAST, DAST & Equifax

Open Source and GDPR Best Practices, Struts RCE Vulnerabilities, SAST, DAST & Equifax

COSRI research director Chris Fearon makes the case that Equifax was either unaware of or slow to respond to reports of known critical vulnerabilities in their system, and as a result had not upgraded to safer versions. That opinion was later proven out by Congressional hearings into the breach, as Fred Bals relates in his blog on whether SAST and DAST fell down on the job for Equifax. Black Duck VP and General Counsel Matt Jacobs partners with Irwin Mitchell’s Dan Headley to review what GDPR will mean for open source code. Is open source more dangerous than Windows? And Larry Ellison claims Oracle could have saved Equifax from much heartache in this week’s open source security and cybersecurity news wrap.

How Do We Reconcile the Open Source Security Risk With GDPR Best Practice?

via SC Media: GDPR is a top-to-bottom reform of European data privacy law and deals with a much wider range of topics than information security. Nevertheless, security is a key element of GDPR's overall policy objective of promoting transparency, accountability and trust in organisations which deal with people's data, and its security provisions are a critical part of achieving that objective...

Examining Apache Struts RCE Vulns

via Black Duck blog (Christopher Fearon): The timeline of related events makes it clear that fixed versions of Struts were available at or before the security advisories were published, and that known exploits were not available in the wild beforehand. The timeline also bears witness to Apache's assertions of consistent good practice and tells us that the attack was likely to be a product of poor security practices on the part of Equifax.

8 Takeaways from NIST’s Application Container Security Guide

The Next Step in Modernization

via IBM Systems Magazine: Modernization has evolved from a buzzword to an imperative for any business that wishes to stay competitive. New computer hardware and enhanced internet interconnectivity don’t simply offer greater power and faster speeds, they allow for new possibilities. It’s in this environment — which includes the Internet of Things (IoT) — where open-source databases (OSDBs) are increasingly relied upon.

The Attack of the Car Wash System and Other Menacing Stories of the Internet of Things

via Industry of Things (Germany): Secure software is a short-lived concept. What is considered secure today can change overnight when new vulnerabilities are discovered and disclosed. The older the code, the higher the probability that vulnerabilities will be revealed.

Step Aside, Windows! Open Source and Linux Are IT’s New Security Headache

via ComputerWorld: The Equifax breach is the latest example of attackers targeting open-source software in the enterprise.

Did SAST and DAST Fail Equifax?

via Black Duck blog (Fred Bals): [Equifax] hasn’t elaborated so far on what was used to “scan” the Equifax systems, but given its failure to identify a known open source vulnerability, one could assume that it wasn’t a dedicated open source vulnerability management solution (or if it was, Equifax should seriously consider asking for its money back). It’s more likely that Equifax was using some combination of traditional SAST and DAST tools to protect itself.
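The point both the Struts timeline piece and this post make is that a known open source vulnerability is found by component identity and version, which is what a software composition analysis tool looks up, rather than by the code-pattern or runtime probing that SAST and DAST perform. As an added illustration, not code from Black Duck or either author, the following Python script resolves the dependencies declared in a Maven manifest (including versions set through `<properties>`) and matches them against an advisory feed by coordinates and version range. The advisory ids, the version boundaries and the pom.xml fragment are all constructed placeholders, not real Struts advisory data.

```python
"""Added example: an SCA-style check that flags a dependency whose declared
version falls inside a known-vulnerable range. All advisory data and the
manifest below are constructed for illustration, not real advisories."""
import re
import xml.etree.ElementTree as ET

# Constructed advisory feed. Ids and version boundaries are placeholders.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "group": "org.apache.struts",
     "artifact": "struts2-core", "introduced": "2.3.0", "fixed": "2.3.50"},
    {"id": "ADV-PLACEHOLDER-2", "group": "org.apache.commons",
     "artifact": "commons-lang3", "introduced": "3.0", "fixed": "3.2"},
]

# Constructed pom.xml fragment; the Struts version is set through a property,
# as real manifests often do, so a naive grep for <version> would miss it.
POM = """<project>
  <properties>
    <struts.version>2.3.40</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.7</version>
    </dependency>
  </dependencies>
</project>"""


def parse_version(text):
    """Turn '2.3.40' or '2.5.10.1-RC1' into a comparable tuple of ints."""
    core = re.match(r"[0-9]+(?:\.[0-9]+)*", text.strip())
    if not core:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in core.group(0).split("."))


def version_lt(a, b):
    """Compare version tuples, padding the shorter one so 2.3 == 2.3.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def is_affected(version, advisory):
    """Half-open range [introduced, fixed): the fixed version itself is safe."""
    v = parse_version(version)
    lo = parse_version(advisory["introduced"])
    hi = parse_version(advisory["fixed"])
    return not version_lt(v, lo) and version_lt(v, hi)


def _local(tag):
    """Strip an XML namespace prefix such as '{http://maven.apache.org/POM/4.0.0}'."""
    return tag.split("}")[-1]


def parse_pom(pom_text):
    """Return (groupId, artifactId, resolved version) for each dependency."""
    root = ET.fromstring(pom_text)
    props = {}
    for node in root.iter():
        if _local(node.tag) == "properties":
            for prop in node:
                props[_local(prop.tag)] = (prop.text or "").strip()
    deps = []
    for node in root.iter():
        if _local(node.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in node}
        # Resolve ${property} references against the <properties> block.
        version = re.sub(r"\$\{([^}]+)\}",
                         lambda m: props.get(m.group(1), m.group(0)),
                         fields.get("version", ""))
        deps.append((fields.get("groupId", ""), fields.get("artifactId", ""), version))
    return deps


def scan_pom(pom_text, advisories):
    """Match each declared dependency against the feed by coordinates and version."""
    findings = []
    for group, artifact, version in parse_pom(pom_text):
        for adv in advisories:
            if (adv["group"], adv["artifact"]) == (group, artifact) and is_affected(version, adv):
                findings.append({"component": f"{group}:{artifact}", "version": version,
                                 "advisory": adv["id"], "upgrade_to": adv["fixed"]})
    return findings


if __name__ == "__main__":
    for f in scan_pom(POM, ADVISORIES):
        print(f"{f['component']} {f['version']} affected by {f['advisory']}; "
              f"upgrade to {f['upgrade_to']}")
```

The match is on coordinates plus a half-open version range, so the fixed version itself passes while every earlier release in the range is flagged; a real tool also follows transitive dependencies and reads the shipped artifact rather than trusting the manifest alone, which this example does not attempt.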

Ellison Claims Oracle Software Could Have Prevented Equifax Hack

via Market Watch: The massive data breach at Equifax Inc. could have been prevented with Oracle Corp.’s automated databases, Larry Ellison claimed Tuesday, using the credit-reporting company’s woes as a selling point for Oracle’s new product.

BigchainDB Brings Scalable Database Technology to Blockchains

via Black Duck blog (Masha McConaghy | Founder & CMO of BigchainDB): For nine years, the Black Duck Open Source Rookies of the Year awards have recognized some of the most innovative and influential open source projects launched during the previous year. We sat down with Founder and CMO Masha McConaghy to hear the exciting story of one of this year's rookies: BigchainDB.

Russian Intelligence Reportedly Breached the NSA in 2015, Stealing Cybersecurity Strategy

via Techcrunch: The NSA suffered a serious breach in 2015, exposing the agency’s cyberwarfare strategy, including its own defenses and methods of attacking foreign networks, reports The Wall Street Journal today. Russian intelligence is said to be behind the attack, and software from Russia-based Kaspersky labs is suggested to have been their vector.

FICO-Like Cybersecurity Scores Are Imminent: What Do They Mean For Your Business?

via Forbes: What if we started using a unified rating system for evaluating cybersecurity like we do in all other aspects of business? That system is already underway.

Exception Based Review Process – Less Is More!

via Black Duck blog (Hal Hearst): In my previous post I wrote about how the changing situation around open source management has pushed the need for an exception-based review process for open source. In my opinion, it's the only process that really works. And by “works,” I mean scales across a large enterprise in which the use of open source is common. Exception-based is a key element in the “fast & simple” approach.

Check out slides from FLIGHT 2017 today.
