NotPetya Strikes, Patching Is Vital for Risk Management


News about NotPetya reverberated around the world this week as malware analysts quickly determined that its resemblance to Petya is only superficial. The consensus is now that NotPetya is a wiper, designed to inflict permanent damage, and not the ransomware it was initially reported to be. Following closely on the heels of the WannaCry incidents, NotPetya had hit 64 countries by June 28, and this time no kill switch was available to halt its spread. Global attacks such as these highlight the importance of cybersecurity everywhere: staying current on patches and keeping backups that are up to date, stored offline, and tested for restoration, since a wiper leaves no decryption option to fall back on.

In other cybersecurity and open source news: open source is pervasive in the automotive industry, a hackathon in Leeds looks at how to deploy NHSbuntu in place of Microsoft Windows, open source oversight is key to GDPR readiness, and security code reviews by Russian agencies are under discussion.

Safety, Security & Open Source in the Automotive Industry

via Black Duck blog (Fred Bals): Open source use is pervasive across every industry vertical, including the automotive industry. When it comes to software, every auto manufacturer wants to spend less time on what are becoming commodities — such as the core operating system and components connecting the various pieces together — and focus on features that will differentiate their brand. The open source model supports that objective by expediting every aspect of agile product development.

Managing and Securing Open Source in the Automotive Industry

Petya Cyber Attack That Spread Around the World Was Intent on Destruction, Not on Making Money

via The Independent: Experts say that initial suggestions that the software was being used to make money may have been a distraction. The software might instead be part of a plan simply to cripple as many systems, companies and countries as possible, they said.

Ubuntu 'Weaponised' to Cure NHS of its Addiction to Microsoft Windows

via The Register: A gathering of software developers met with the mission of finding a way to deploy NHSbuntu, a flavour of the open-source Linux distro Ubuntu built for the NHS, on 750,000 smartcards used to verify clinicians accessing 80 per cent of applications – excluding those for clinical use – on millions of health service PCs.

Oversight of Use of Open Source Code Crucial As GDPR Approaches, Says Industry Expert

via: Mike Pittenger, vice president of security strategy at Black Duck Software, said that many businesses either remain unaware that they are running popular open source components within their software at all, or are unaware that security vulnerabilities exist in the versions of that software they are operating. This is despite the profile of open source software security risk having been raised by media coverage in recent times, he said.

Customer Questions: What Is Docker Anyway?

via Black Duck blog (Megan McIntyre): We've been thinking about how Docker containers can help us deliver our software effectively for quite a while now. Recently Hal Hearst shared excellent information about how and why we're releasing Hub as a Dockerized container.

Open Source Vulnerabilities & Application Security

via IT SecCity (Germany): The world's appetite for open source software is insatiable. Companies worldwide significantly increased their use of open source over the past year; yet although they readily acknowledge the security and operational risk concerns associated with open source, effective management of open source is not keeping pace with its growing use.

A Methodology for Quantifying Risks from Web Services

via Black Duck blog (Baljeet Malhotra): Every API comes with a set of obligations, which are typically documented in various (legally binding) agreements (for example, Terms of Service, Developer Agreement, Privacy Statement) that govern the usage of the API and its underlying data and functionality. According to our research there are essentially four key factors that affect the governance of API usage.

Security Code Reviews by Russian Agencies Cause Concern

via TechTarget SearchSecurity: Before allowing cybersecurity products into Russia, U.S. tech companies are reportedly being required to submit source code for review, and many are worried about the privacy and security impacts of this testing. Rising tensions between the U.S. and Russia over apparent election interference appear to be to blame both for Russia's insistence on security code reviews and for U.S. experts' wariness of the practice.
