Open Source Security in SCA, M&A, IoT, & Teddy Bear Cyber Threats

February wound down with 1,075 CVE entries in total in the National Vulnerability Database. Before we get into this week’s news, here are some interesting numbers on software composition analysis (SCA) and open source security from two recently released reports: The Forrester Wave™: Software Composition Analysis, Q1 2017 and Gartner’s Magic Quadrant for Application Security Testing.

“In their haste to create applications, developers use open source components as their foundation, creating applications using only 10% to 20% new code. Unfortunately, many of these components come with liabilities in their license agreements, and one out of every 16 open source download requests is for a component with a known vulnerability.”  ~ Forrester

“SCA is becoming a critical or a mandatory feature of AST (application security testing) solutions, as open-source and third-party components are proliferating in applications that enterprises build.” “By 2019, 80% of application security testing vendors will include software composition analysis in their offerings, up from 40% today.” ~ Gartner

Read on for the latest open source and cybersecurity news in this week’s edition of Open Source Insight from Black Duck Software.

Cracking the Code: Open Source Software Meets the M&A World

Black Duck’s Phil Odence, in an in-depth interview with Lawyer Monthly, discusses what firms and their legal counsel need to know about open source license compliance, security, and intellectual property during a merger or acquisition. “… lawyers want to ensure that intellectual property rights are clear and the software isn’t burdened with license infringements or full of cybersecurity vulnerabilities.”

New Technology, Same Bugs: the Rise and Fall of the Robot Revolution

A plethora of vulnerabilities across multiple models and brands of robots is leaving cyber-security experts scratching their heads, writes SC Magazine UK.  Are we making the same old mistakes again?

The paper detailing the vulnerabilities, 'Hacking Robots Before Skynet' [PDF], was the result of six months of intensive testing of mobile applications, robot operating systems, firmware images and miscellaneous software by IOActive researchers Cesar and Lucas.

So just how 'real world' is the robot hacking threat according to other security industry experts? Mike Pittenger, vice president of security strategy at Black Duck Software, has no doubt that we have already seen the consequences.

"Drones (unmanned aerial vehicles) are a form of robot," he explains, "and an attractive target for our adversaries. Taking control of a drone would certainly disrupt a military mission, and could possibly turn a military's weapons on itself."  

Indeed, Iran claims to have already done the former. "It's not unreasonable to think the same could be done to robots having arms and legs instead of wings," Pittenger warns.

Recognizing Innovation through Open Source Rookies

For nine years, the Black Duck Open Source Rookies of the Year awards have recognized some of the most innovative and influential open source projects launched during the previous year. This recognition is a tribute to the success and momentum of these projects, and an affirmation of their prospects moving forward. This year, we saw projects stretching for broader influence across use cases and working to raise the standards for performance and capability.

Our selected Rookies have impressive reach, creating solutions with clear implications for the technology areas they work in. As exemplary open source projects, they engaged the community for contributions, feedback, inspiration and support. Driven by passionate teams, these projects overcame notable challenges.

The Top 8 New Open Source Projects

Via InfoWorld: The past year saw a surge of activity in several areas. One of the most interesting was in blockchain technologies, which continue to stake out their positions in the immutable data ecosystem, going beyond cryptocurrency exchange. Machine learning, including deep learning and neural networks, also came up big, as intelligence is added to everything from financial services to design and manufacturing.

Big data, software-defined networking (SDN), container management, and security were also hot areas. Congratulations to the winners! We hope this selection offers insight into the direction of technology development across the industry.

GitHub Shows How to Get Started with Open Source

Via Application Development Trends: With open source software "eating the world," many developers might be hungering to get a seat at the dinner table, so GitHub Inc. has published guides to do just that. The giant open source code repository published its Open Source Guides earlier this month, a set of resources explaining how to get involved.

The IoT Era: A Connected World Where Even Teddy Bears Pose a Threat

2.2 million voice recordings of children and parents have allegedly been exposed in a data breach affecting CloudPets toys, reports Computer Business Review. The CloudPets saga highlights two important areas: manufacturer responsibility and security. It has also brought open source databases back into the headlines, with MongoDB getting only a couple of weeks’ respite after the ransomware attacks on exposed instances in January. Troy Hunt revealed on his blog that the breached CloudPets data had been leaked from a MongoDB database that required no password and was reachable from the internet with no firewall in front of it.
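The two failings Troy Hunt describes, a listener bound to every interface and no authentication, are both visible in a mongod.conf. The following is an added example, not code from the original post, from Black Duck, or from Hunt’s write-up: a small audit that flags those two conditions, with a constructed weak config next to a hardened one. The config parser handles only the flat two-level subset that mongod.conf uses and is not a general YAML parser; the treatment of a missing bindIp as a finding assumes the conservative case (mongod builds before 3.6 listened on all interfaces by default).

```python
# Added example (not from the original post, Black Duck, or Troy Hunt):
# audit a mongod.conf for the two exposures in the CloudPets story,
# a listener on every interface and no access control.
from typing import Dict, List

# Constructed sample: the kind of config that leaves a MongoDB instance open.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0        # listens on all interfaces
"""

# Constructed sample: bound to loopback, with access control turned on.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_mongod_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the two-level 'section: / key: value' subset used by mongod.conf.

    Deliberately not a full YAML parser: it handles the flat sections
    (net, security, storage, ...) the audit needs and strips '#' comments.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):
            current = line.strip().rstrip(":")
            sections.setdefault(current, {})
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            sections[current][key.strip()] = value.strip()
    return sections


def audit_mongod_conf(text: str) -> List[str]:
    """Return a list of findings; an empty list means both checks passed."""
    conf = parse_mongod_conf(text)
    net = conf.get("net", {})
    security = conf.get("security", {})
    findings: List[str] = []

    # Check 1: network exposure. Flag an explicit all-interfaces binding,
    # the bindIpAll switch, and a missing bindIp (mongod before 3.6 bound
    # all interfaces by default, so an absent setting is treated as a finding).
    bind_ip = net.get("bindIp")
    bind_all = net.get("bindIpAll", "false").lower() == "true"
    if bind_ip is None and not bind_all:
        findings.append("net.bindIp not set: older mongod builds listen on all interfaces by default")
    elif bind_all or any(ip.strip() in ("0.0.0.0", "::") for ip in (bind_ip or "").split(",")):
        findings.append("net.bindIp/bindIpAll exposes the listener on every interface")

    # Check 2: authentication. Without security.authorization: enabled, any
    # client that can reach the port gets full read/write access to every database.
    if security.get("authorization", "").lower() != "enabled":
        findings.append("security.authorization is not 'enabled': no credentials required")

    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["OK"])
```

Running the script reports both findings for the weak config and none for the hardened one. Binding to loopback alone is not a substitute for enabling authorization: an application server on the same host, or an SSH tunnel, still reaches the port, so both settings belong together, and a network firewall in front of the host is the third layer.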
