Opinions differ on exactly when, but open source turned twenty this year. Most security breaches in 2017 were preventable (you hear that, Equifax?), and it’s time to take a look back to prevent similar breaches in 2018. iPhone source code gets leaked (for a short time). And keeping medical devices, voting machines, automobiles, and critical infrastructure safe in a world of increasing application risk.
Read on for open source security and cybersecurity in Open Source Insight for February 9th, 2018.
via Linux Insider: "Corporate leaders grew up in an enterprise environment where someplace within was a procurement officer who established relationships with the sales force at a software company," noted Tim Mackey, senior technical evangelist at Black Duck by Synopsys. That relationship grew around the support structure for using that commercial software.
via SD Times: The phrase was coined by Christine Peterson, the cofounder and past president of the nontech public interest group Foresight Institute. After 20 years, Peterson is revealing more insight into how the use of the term open-source software began.
via Black Duck blog: From breaches making headlines to exciting new technologies, 2017 was abuzz with conversation around securing applications and the implications of access to personal data. We saw what can happen when sensitive data is not properly secured, providing a sharp reminder of why application security is so important. Looking ahead, we need to reflect on emerging threats, technologies, and practices in application security in 2017, so organizations can prepare for 2018.
via Synopsys Software Integrity blog: According to the Cyber Incident & Breach Trends Report from the Online Trust Alliance (OTA), the number of breaches almost doubled from 2016. The Identity Theft Resource Center (ITRC) and CyberScout’s 2017 Annual Data Breach Year-End Review put the increase at nearly 45%.
via Motherboard: Someone just posted what experts say is the source code for a core component of the iPhone’s operating system on GitHub, which could pave the way for hackers and security researchers to find vulnerabilities in iOS and make iPhone jailbreaks easier to achieve. The GitHub code is labeled “iBoot,” which is the part of iOS that is responsible for ensuring a trusted boot of the operating system.
via The Verge: A portion of iOS’s source code was leaked online yesterday and quickly removed after Apple filed a takedown notice with GitHub, where the code was posted. The leak, which was first reported by Motherboard, was for an iOS process named “iBoot” that starts up the system when you first turn on your iPhone and ensures the code being run is valid and originates from Apple. It was posted to GitHub at this link, which is now down.
via Medical Plastic News: Testing for security vulnerabilities in medical devices rarely happens, according to a 2017 report by the Ponemon Institute, sponsored by software security firm Synopsys. The report found that over half of healthcare delivery organisations do not test for security issues or are unsure whether testing occurs. 36% of device makers do not test already-released medical devices to find new or previously unidentified vulnerabilities.
via SD Times: Black Duck collaborated with Atlassian to help companies build software agilely and securely by integrating Black Duck Hub with the processes and tools software development teams already use at every step of the DevOps pipeline. Continuous delivery and open source are changing the face of software development. Teams are building and releasing at a faster pace and are relying on open source to build applications smarter.
via Linux Insider: Framing open source software as secure understandably confuses people, but a close look reveals why that is true. When source code is published online (the defining convention of open source software), it could allow an attacker to locate weaknesses. However, in practice it allows many more observers to identify and disclose bugs to the developers for patching. On the whole, most people who find vulnerabilities want to get them fixed, and presenting the code for anyone to view allows many more security professionals to participate in the process, making the final product that much better.
via Semiconductor Engineering: When a supplier or auto OEM is not aware of all the open source in use in its product’s software, it can’t defend against attacks targeting vulnerabilities in those open source components. Any organization leveraging connected car technology will need to examine the software ecosystem it is using to deliver those features, and account for open source identification and management in its security program.
via Dark Reading: But the response to the new hacking tool, now readily available to the masses of script kiddies, has been a mix of outrage, fear, some applause, and more than a few shrugs.
via Security Week: It is time to take the security of our critical infrastructure seriously. The software that controls our infrastructure is vulnerable to attack, and the potential results are far more destructive and pervasive than even science fiction would have us believe.
via AdWeek: Next May, GDPR, or the EU General Data Protection Regulation will be in effect, and as a programmatic marketer and someone who embraces the data-driven side of media targeting, it scares me.
via InfoSecurity: A database containing the voter records of over 19.5 million Californians was exposed to the public internet before being locked down and held for ransom by cyber-criminals, just months after a similar incident, according to reports.