We enter the last month of 2017 with two reports that should give pause: the National Vulnerability Database has documented more than 13,400 vulnerabilities so far this year, more than double what it logged in all of 2016. And, as unbelievable as it sounds, more than 90 percent of firms using the same open source framework that led to the Equifax data breach have failed to keep the software up to date.
Several Black Duck executives published commentaries on security issues of the day, including VP of Product Marketing Patrick Carey’s predictions for open source in 2018; Senior Security Evangelist Tim Mackey on the Uber data breach; VP of Security Strategy Mike Pittenger on the updated OWASP top ten list of web app vulnerabilities; and Vice President & General Counsel Matt Jacobs on the Equifax breach, the GDPR and open source security. Read more on the top cybersecurity and open source security news in this week’s Open Source Insight.
via VM Blog: Everyone uses open source. It's now found in around 95% of applications, a figure likely to edge closer to 100% by the end of 2018. Polishing up his crystal ball, Black Duck VP of Product Marketing Patrick Carey lays out some of the events he sees around open source in the coming year.
via eWeek: A combination of increased reporting and a growing number of software programs is causing vulnerability reports to rise by more than a third compared to 2016, putting them on track to set a record.
via Black Duck blog (Evan Klein): DevOps teams expect to spend less time on security, while updating applications more frequently and adding new open source components as a regular part of their process. As DevOps teams continue this trend, they also need to fully integrate and automate security.
via Security Intelligence: A recent study by Black Duck Software noted that, because smart automobile manufacturers have been “focusing their attention on differentiating features, the disparity between innovation and security is growing at an accelerated speed.” With so much investment in connected car research and development, Israel is leading the way in the effort to make the roads safer for smart car operators around the world.
via Channel Futures: Open source software is massively popular. A majority of organizations now use open source software, and 65 percent of companies contribute to open source projects, according to Black Duck, an open source security and compliance company.
via the Hill: More than 90 percent of applications using the same programming library that, left unpatched, led to the Equifax data breach have also failed to keep that software up to date.
via Help Net Security: A vulnerability in the free, open source electronic medical record and medical practice management software OpenEMR can be exploited to steal patients’ medical records and other personally identifiable information.
via IT Security Thing: Black Duck Software’s Senior Security Evangelist, Tim Mackey notes, “The larger issues of Uber’s actions and failure to disclose a breach that occurred in 2016 aside, the breach apparently occurred when hackers discovered that the company’s developers had published code that included their usernames and passwords on a private account of the software repository GitHub.”
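The failure mode Mackey describes, credentials committed to a source repository, is one that can be caught mechanically before a push. The following is an added example written for this roundup, not code from Black Duck or from any of the articles above: a small scanner that walks text line by line, flags password/key/token assignments and AWS-style access key IDs, skips obvious placeholders and environment lookups, and reports the Shannon entropy of each value so random-looking strings stand out. The regex patterns and the placeholder list are illustrative choices made for this example, and the sample "committed" config file is constructed, using AWS's documented example key ID rather than a real credential.

```python
import math
import re
import sys

# Illustrative patterns for this example (not a vendor rule set): hard-coded
# password/secret/key/token assignments of the kind the Uber write-up describes.
# No leading \b, so DB_PASSWORD and similar prefixed names are still caught.
ASSIGNMENT_RE = re.compile(
    r"""(?ix)
    (?P<key>password|passwd|pwd|secret|api[_-]?key|access[_-]?key|token)
    \s*[:=]\s*
    ["']?(?P<value>[^\s"']{6,})["']?
    """
)
# AWS access key IDs have a fixed, easily recognised shape.
AWS_KEY_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")

# Values that look like a secret assignment but are not one.
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxx", "redacted"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random keys score high, words score low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum((n / len(s)) * math.log2(n / len(s)) for n in counts.values())


def is_placeholder(value: str) -> bool:
    """Skip template variables, environment lookups and dummy values."""
    return (
        value.lower() in PLACEHOLDERS
        or value.startswith("${")
        or value.startswith("os.environ")
    )


def scan_text(text: str, path: str = "<input>") -> list[dict]:
    """Return one finding per suspected credential in the given file content."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ASSIGNMENT_RE.finditer(line):
            value = m.group("value")
            if is_placeholder(value):
                continue
            findings.append({
                "path": path,
                "line": lineno,
                "kind": m.group("key").lower(),
                "entropy": round(shannon_entropy(value), 2),
            })
        for m in AWS_KEY_RE.finditer(line):
            findings.append({
                "path": path,
                "line": lineno,
                "kind": "aws_access_key_id",
                "entropy": round(shannon_entropy(m.group(0)), 2),
            })
    return findings


# Constructed sample of a config file about to be committed (not real
# credentials; the AKIA value is AWS's published example key ID).
SAMPLE_COMMIT = """\
# database and cloud settings
DB_USER = "deploy"
DB_PASSWORD = "Hunter2-pr0d-2016!"
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
api_key: ${API_KEY}
password = os.environ["DB_PASSWORD"]
"""


if __name__ == "__main__":
    # Usage as a pre-commit check: git diff --cached | python scan_secrets.py
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_COMMIT
    for f in scan_text(source, "staged"):
        print(f"{f['path']}:{f['line']}: possible {f['kind']} (entropy {f['entropy']})")
```

Run over the sample, the scanner reports the hard-coded database password and the AWS key ID and stays quiet on the username, the template variable and the environment lookup. Wiring it into a pre-commit hook over `git diff --cached` blocks the commit before the secret ever reaches a remote, which is the point where the Uber incident became irrecoverable.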
via SC Magazine: When you consider that Black Duck's 2017 Open Source Security and Risk Analysis (OSSRA) report found open source in 96 percent of the commercial software tested, and known vulnerabilities in two-thirds of those code bases, that inertia is proving very costly. "This lack of visibility is seen even in companies with strong application security programs," insists Black Duck's VP of security strategy, Mike Pittenger.
via Science Direct (Elsevier): Although the General Data Protection Regulation (GDPR) is being hailed as a sort of revolution, what it really represents is the law catching up with reality. The GDPR isn't alone, of course – in the information security space it is accompanied by the Network and Information Security Directive (NISD). Both the GDPR and NISD go into effect in May 2018. Daniel Hedley of Irwin Mitchell LLP and Matthew Jacobs of Black Duck Software describe the consequences of not getting to grips with the GDPR and the processes and policies you need to get into place now.
via The National Law Journal: Uber has been widely criticized for its decision to hide a 2016 data breach and pay hackers for their silence, but it may not be the only company in town to do so.
via IoT Agenda: Earlier this year, the IoT-focused security firm Senrio discovered a hackable flaw called Devil’s Ivy, which has the potential to put thousands of different models of security cameras at risk. The vulnerability is found in a piece of open source code called gSOAP, created and maintained by a small company named Genivia. At least 30 companies use gSOAP in their IoT products.