Record Vulns in 2017 and Predictions for Open Source in 2018


We enter the last month of 2017 with two reports that should give pause: the National Vulnerability Database has documented more than 13,400 vulnerabilities so far this year, more than double what the database logged in all of 2016. Plus, as unbelievable as it sounds, more than 90 percent of firms using the same open source framework that led to the Equifax data breach have failed to keep the software up to date.

Several Black Duck executives published commentaries on security issues of the day, including VP of Product Marketing Patrick Carey’s predictions for open source in 2018; Senior Security Evangelist Tim Mackey on the Uber data breach; VP of Security Strategy Mike Pittenger on the updated OWASP top ten list of web app vulnerabilities; and Vice President & General Counsel Matt Jacobs on the Equifax breach, the GDPR and open source security. Read more on the top cybersecurity and open source security news in this week’s Open Source Insight.

Black Duck Software 2018 Predictions: What's in Store for Open Source in 2018?

via VM Blog: Everyone uses open source. It's now found in around 95% of applications, a figure likely to edge closer to 100% by the end of 2018. Polishing up his crystal ball, Black Duck VP of Product Marketing Patrick Carey lays out some events he sees around open source in the coming year.

Reported Software Vulnerabilities on Track to Break Record in 2017

via eWeek: A combination of increased reporting and a growing number of software programs is causing vulnerability reports to rise by more than a third compared to 2016, putting them on track to set a record.


AWS + Black Duck Adds Security for Cloud-build Environments

via Black Duck blog (Evan Klein): DevOps teams expect to spend less time on security, while updating applications more frequently and adding new open source components as a regular part of their process. As DevOps teams continue this trend, they also need to fully integrate and automate security.

How Israel Became the Land of Connected Car Research and Development

via Security Intelligence: A recent study by Black Duck Software noted that, because smart automobile manufacturers have been “focusing their attention on differentiating features, the disparity between innovation and security is growing at an accelerated speed.” With so much investment in connected car research and development, Israel is leading the way in the effort to make the roads safer for smart car operators around the world.

Open Source's Killer Features: What Makes Open Source So Popular?

via Channel Futures: Open source software is massively popular. A majority of organizations now use open source software, and 65 percent of companies contribute to open source projects, according to Black Duck, an open source security and compliance company. 

9 in 10 Firms Also Failed to Patch Software That Sunk Equifax

via The Hill: More than 90 percent of applications using the same programming library that, left unpatched, led to the Equifax data breach also fail to keep the software up to date.

OpenEMR Flaw Leaves Millions of Medical Records Exposed to Attackers

via Help Net Security: A vulnerability in the free, open source electronic medical record and medical practice management software OpenEMR can be exploited to steal patients’ medical records and other personally identifiable information.

Security Industry Responds to Massive Uber Data Breach Cover-up

via IT Security Thing: Black Duck Software’s Senior Security Evangelist, Tim Mackey notes, “The larger issues of Uber’s actions and failure to disclose a breach that occurred in 2016 aside, the breach apparently occurred when hackers discovered that the company’s developers had published code that included their usernames and passwords on a private account of the software repository GitHub.”

OWASP Vulnerability Chart Suggests Web App Devs Are Not Smelling the Security Coffee

via SC Magazine: When you consider that Black Duck's 2017 Open Source Security and Risk Analysis (OSSRA) report found open source in 96 percent of the commercial software tested, and known vulnerabilities in two-thirds of those code bases, it's an inertia that's proving very costly. "This lack of visibility is seen even in companies with strong application security programs" insists Black Duck's VP of security strategy, Mike Pittenger.

The Shape of Things to Come: The Equifax Breach, the GDPR and Open-Source Security

via Science Direct (Elsevier): Although the General Data Protection Regulation (GDPR) is being hailed as a sort of revolution, what it really represents is the law catching up with reality. The GDPR isn't alone, of course – in the information security space it is accompanied by the Network and Information Security Directive (NISD). Both the GDPR and NISD go into effect in May 2018. Daniel Hedley of Irwin Mitchell LLP and Matthew Jacobs of Black Duck Software describe the consequences of not getting to grips with the GDPR and the processes and policies you need to get into place now.

Uber's Data Breach Cover-Up Strategy May Be More Common Than You'd Think

via The National Law Journal: Uber has been widely criticized for its decision to hide a 2016 data breach and pay hackers for their silence, but it may not be the only company in town to do so.

Don't Let Poor IoT Security Turn Your Devices Against You

via IoT Agenda: Earlier this year, the IoT-focused security firm Senrio discovered a hackable flaw called Devil’s Ivy, which has the potential to put thousands of different models of security cameras at risk. The vulnerability is found in a piece of open source code called gSOAP, created and maintained by a small company named Genivia. At least 30 companies use gSOAP in their IoT products.
