Supersized Problem for McDonald's & Open Source Vuln Attacks Rise

Supersized Problem for McDonald's, Open Source Vuln Attacks on Rise, Consumers Fear Breaches

A big jump in CVEs from last week, with 547 entries now listed in the NVD and a multitude of cross-site scripting (XSS) vulnerabilities leading the pack as usual. One of the more interesting of those vulnerabilities is a supersized password protection problem for McDonald's, due to the combination of a cross-site scripting (XSS) vulnerability and a cryptographic storage vulnerability.

More in this week’s open source and cybersecurity news: Black Duck’s vice president of security strategy tells why he expects attacks based on open source vulnerabilities to increase by 20% in 2017. A global survey finds that 58% of respondents fear a future data breach. Application vulnerabilities are the #1 cyberattack target, but what are the right tools to secure applications?

After the recent MongoDB debacle, security specialists are saying to expect more of the same. A researcher is paid a $40K bounty after reporting an open source security flaw to Facebook. Connected car researchers are calling all white hats to find the flaws in their open source automotive software. And a new study by Red Hat highlights open source software's growing acceptance, but reservations around security still remain.

Read on for the news that made the open source and cybersecurity headlines this week.

Report: Attacks Based on Open Source Vulnerabilities Will Rise 20 Percent This Year

In an interview, Mike Pittenger, vice president of security strategy at Black Duck Software, predicts that as open source code becomes more prevalent in both commercial and home-grown applications, the number of attacks based on its vulnerabilities will increase by 20 percent this year.

Survey Says 66% Of Consumers Won't Work With Breached Companies

A global survey finds that despite being aware of online security risks, customers continue to take chances but expect protection from businesses that handle their data - despite only 29% believing that companies will protect their data seriously and 58% fearing a future data breach. You can download (form entry required) the full report here.

Do You Have the Right Tools in Your Application Security Toolkit?

“It’s a trick question,” writes Black Duck’s Patrick Carey. “No single tool or approach will fully cover the range of vulnerabilities present in most applications. To do the job right you are going to need to assemble a multi-tool toolkit tailored to the needs of your applications and development processes. To help you get started we’ve put together an Application Security Buyers Guide. In it you will find descriptions of the various appsec testing approaches as well as strengths and limitations of each.” 

On the Law and Your Open Source License

Via Gigaom: It is more important than ever to know your way around the world of laws and licenses that pertain to open source software. Did you know that there is an official, free journal dedicated to open source law? It's the International Free and Open Source Software Law Review, and it's worth looking into.

After MongoDB Debacle, Expect More Ransomware, Open Source Vuln Attacks in 2017

Via Application Development Trends: Although these much-publicized attacks concerned only a few types of databases, they serve as a sobering reminder of the vulnerabilities in open source software, where it's often incumbent upon users to secure the open source components they use in projects.

Failure to Patch Known ImageMagick Flaw Costs Facebook $40k

It's not common for a security-conscious internet company to leave a well-known vulnerability unpatched for months, yet Facebook paid a US$40,000 reward to a researcher after he warned the company that its servers were vulnerable to an exploit called ImageTragick.

White Hat Hackers Called to Poke Holes in Open Source Connected Car Security Platform

SC Media reports that the New York University Tandon School of Engineering, University of Michigan Transportation Research Institute and the Southwest Research Institute have developed a cybersecurity framework called Uptane for the automotive industry to protect wireless software updates in connected vehicles. The developers are offering Uptane for free and as an open source platform because they want researchers to scrutinize the design to ensure the safety of everyone.

Security Concerns Remain as Open Source Usage Surges

The use of open source software in the Asia-Pacific region is on its way up, reports ARN, with more than half of those surveyed in a new study by Red Hat already implementing or embracing the technology. At the same time, however, the research suggests that concerns around the security of open source software remain, despite its rising popularity among enterprises, with 56 percent of respondents viewing open source security as a potential risk if not a major concern.

Unhappy Meal: McDonald's Website Doesn't Securely Protect Passwords, Researcher Finds

Registered users of McDonald's website may be susceptible to credential theft due to the combination of a cross-site scripting (XSS) vulnerability and a cryptographic storage vulnerability, claims an article in SC Media. By abusing these two flaws, “It is possible to steal and decrypt the password from a McDonald's user,” wrote Netherlands researcher Tijme Gommers earlier this month in a blog post on his website. “Besides that, other personal details like the user's name, address and contact details can be stolen too.”
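The two flaws above compound each other: a password that is stored in a form that can be decrypted is only as safe as the key and the pages that can reach it, and an injected script extends that reach. The constructed example below, which is added here and is not code from the article, from the researcher's post or from McDonald's, contrasts a hypothetical reversible "encrypted" password store (a toy XOR keystream with a constructed key, standing in for any decryptable scheme) with the mitigation a defender would apply: a salted, iterated one-way hash (PBKDF2) that a verifier can check but nobody can reverse, plus output escaping for the text that gets rendered into HTML. All names, keys and values in it are assumptions made for the illustration.

```python
"""Constructed illustration: reversible password storage versus salted
one-way hashing, plus HTML escaping. Hypothetical code, not from the article."""
import hashlib
import hmac
import html
import os
from typing import Optional

# ---- Weak pattern: reversible "protection" (constructed, for contrast) ----
# A fixed application key lets the plaintext be recovered from the stored
# value. Whoever can read both the record and the key gets the password back,
# which is the class of defect the "cryptographic storage vulnerability" names.
_WEAK_KEY = b"constructed-demo-key"  # constructed placeholder, not a real key


def _keystream(key: bytes, length: int) -> bytes:
    """Expand a key into a keystream (toy SHA-256 counter mode, XOR cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def weak_store(password: str) -> bytes:
    """Reversibly 'protect' a password: the stored bytes can be decrypted."""
    data = password.encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(_WEAK_KEY, len(data))))


def weak_recover(stored: bytes) -> str:
    """Demonstrates the defect: the same key turns the record back into plaintext."""
    plain = bytes(a ^ b for a, b in zip(stored, _keystream(_WEAK_KEY, len(stored))))
    return plain.decode()


# ---- Hardened pattern: salted, slow, one-way hash ----
def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> dict:
    """Store a per-user random salt, the iteration count and the PBKDF2 digest.
    Nothing here can be turned back into the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the digest and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


# ---- XSS side: escape user-supplied text before it lands in HTML ----
def render_profile_name(name: str) -> str:
    """Escape the stored display name so it cannot become active markup."""
    return '<span class="name">{}</span>'.format(html.escape(name, quote=True))


if __name__ == "__main__":
    rec = weak_store("s3cret-pass")
    print("weak store recovers:", weak_recover(rec))        # plaintext comes back
    good = hash_password("s3cret-pass")
    print("hashed verify ok:", verify_password("s3cret-pass", good))
    print("hashed verify bad:", verify_password("wrong", good))
    print(render_profile_name('<script>alert(1)</script>'))
```

The weak store is there only to show what "decryptable" means in practice; the hardened functions are the ones to keep. With `hash_password`, a leaked record plus a leaked application key still yields no password, and an injected script that reads a user's profile gets escaped text rather than executable markup.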
