SCA for DevOps, DHS Security, Securing Open Source for GDPR, CVE Gap


It’s an acronym-filled issue of Open Source Insight, as we look at the question of SCA (software composition analysis) and how it fits into the DevOps environment. The DHS (Department of Homeland Security) has concerning security gaps, according to its OIG (Office of Inspector General). Can the CVE (Common Vulnerabilities and Exposures) gap be closed? The GDPR (General Data Protection Regulation) is bearing down on us like a freight train, and it’s past time to include open source security in your GDPR plans.

Plus, an intro to the Open Hub community, looking at security for blockchain apps, and best practices for open source security in container environments are all featured in this week’s cybersecurity and open source security news. 

How Can Blockchain Applications Adapt and Adopt Software Security Best Practices?

via Synopsys Software Integrity blog: Though blockchain-native software is in its infancy, the technology races forward to meet more and more use cases. But the community doesn’t seem to have taken software security principles seriously, as we can see from the recent scan of Ethereum smart contracts that identified 34,200 vulnerable contracts.

Building Open Source Security into DevOps

via InfoSecurity: Is SCA compatible with DevOps? The answer is: Absolutely, yes, writes Black Duck by Synopsys Technology Evangelist Tim Mackey, but only if the SCA tools provide the ability to integrate open source management throughout your DevOps environment, from IDE through to runtime platform. Having this flexibility is critical, as it allows you to tailor your DevOps environment to your needs rather than to a rigid vendor-centric framework.

Breaking Down DevSecOps: Build AppSec Into Your CI/CD Pipeline with SAST and SCA

Getting to Know the Open Hub Community

via Black Duck blog: The Black Duck Open Hub is the premier source for research and comparisons of open source software components. The majority of visitors have an active, contributory role in open source. Visitors come to look at their own open source software contributions, to research and compare open source software projects, and to learn more about open source contributors.

DHS IT Systems Missing Security Patches for 'Critical' Vulnerabilities

via Tech Republic: Some IT systems of the US Department of Homeland Security (DHS) used unsupported operating systems and missed key security patches to protect against "critical" and "high-risk" vulnerabilities, according to a recent report from the department's Office of Inspector General (OIG). 

Evaluation of DHS’ Information Security Program for FY 2017

via DHS OIG: DHS did not implement all configuration settings required to protect component systems, continued using unsupported operating systems, and did not apply security patches in a timely manner to mitigate critical and high-risk security vulnerabilities on selected systems. DHS also did not monitor software licenses for unclassified systems and relied on data calls to monitor national security systems as part of its continuous monitoring process.

Closing the CVE Gap Still a Work in Progress

via Synopsys Software Integrity blog: Chris Fearon, manager of research engineering at Black Duck by Synopsys, said it is tough for any organization to keep up with the explosive growth of vulnerabilities. “With increased adoption of open source software, the OSS landscape has become a target-rich landscape for attackers,” he said.

Securing Open Source Leading up to GDPR Enforcement

via Bob’s Guide: Open source continues to transform how we architect software solutions in every industry, writes Black Duck by Synopsys General Counsel Matt Jacobs. Black Duck’s 2017 Open Source Security and Risk Analysis of over 1,000 commercial applications revealed that 96% of applications scanned utilized open source. While the rate of open source reuse has been steadily climbing over the decades, policies, procedures, and safeguards for the responsible use of open source have lagged. This manifests in developers failing to use open source in compliance with the myriad license types governing use of that code, and in their reuse of open source code without appreciation for, or the ability to track and remediate, known or later-discovered security vulnerabilities in that code. Of the applications scanned in Black Duck’s 2017 survey, 67% contained known open source vulnerabilities, with 52% of those rated as severe.

Achieving Open Source Security in Container Environments

via Black Duck blog: Recently Black Duck launched OpsSight for OpenShift and Kubernetes to help address container security. Once a container is scanned, OpsSight continually monitors Black Duck’s vulnerability database to determine whether any new vulnerabilities have been discovered that impact components in that container. Should a new vulnerability be disclosed, OpsSight proactively updates the container metadata with vulnerability information and can notify security response teams of the event. This allows operations teams to move from an unknown and uncertain vulnerability state to a known one, with automated triggering of response plans.
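The mechanism described above, re-checking a container that was scanned once against a vulnerability feed that keeps changing, is illustrated here as an added example. This is not OpsSight or any other Black Duck code; the component inventory, the feed entries, the EXAMPLE-* identifiers and the example.local annotation keys are all constructed for the illustration.

```python
"""Added example (not Black Duck's OpsSight code): re-check an already-scanned
container's component inventory against an updated vulnerability feed, diff the
result against what was recorded at scan time, and build a Kubernetes-style
annotation patch for the image. All names, IDs and versions are constructed.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Component:
    name: str
    version: tuple  # (major, minor, patch), see parse_version


@dataclass(frozen=True)
class Vuln:
    vuln_id: str
    component: str
    fixed_in: tuple  # first version that is NOT affected
    severity: str


def parse_version(text):
    """Dotted numeric versions only. Real SCA matching must also handle
    affected ranges, epochs and distro backports (assumed absent here)."""
    return tuple(int(part) for part in text.split("."))


def is_affected(comp, vuln):
    return comp.name == vuln.component and comp.version < vuln.fixed_in


def evaluate(inventory, feed):
    """IDs of every feed entry that applies to the stored inventory.
    No rescan is needed: the inventory is fixed, only the feed changes."""
    return {v.vuln_id for c in inventory for v in feed if is_affected(c, v)}


def new_findings(inventory, feed, previously_known):
    """Findings that were absent the last time this image was evaluated."""
    return evaluate(inventory, feed) - set(previously_known)


def highest_severity(vuln_ids, feed):
    by_id = {v.vuln_id: v for v in feed}
    ranks = [SEVERITY_RANK[by_id[i].severity] for i in vuln_ids]
    if not ranks:
        return "none"
    top = max(ranks)
    return next(name for name, rank in SEVERITY_RANK.items() if rank == top)


def annotation_patch(vuln_ids, feed):
    """Kubernetes-style metadata patch; the annotation keys are hypothetical."""
    return {"metadata": {"annotations": {
        "example.local/vulnerabilities": ",".join(sorted(vuln_ids)),
        "example.local/highest-severity": highest_severity(vuln_ids, feed),
    }}}


def should_notify(new_ids, feed, threshold="high"):
    """Trigger the response plan only for new findings at or above the threshold."""
    return SEVERITY_RANK.get(highest_severity(new_ids, feed), 0) >= SEVERITY_RANK[threshold]


# Constructed inventory for a hypothetical image, recorded at scan time.
INVENTORY = [
    Component("openssl", parse_version("1.0.2")),
    Component("zlib", parse_version("1.2.8")),
    Component("curl", parse_version("7.50.0")),
]
# Feed as it stood when the image was scanned (constructed, non-real IDs).
FEED_AT_SCAN = [
    Vuln("EXAMPLE-2018-0001", "openssl", parse_version("1.0.3"), "high"),
    Vuln("EXAMPLE-2018-0002", "zlib", parse_version("1.2.9"), "medium"),
]
# The same feed after two later disclosures; only one touches this image.
FEED_TODAY = FEED_AT_SCAN + [
    Vuln("EXAMPLE-2018-0003", "curl", parse_version("7.51.0"), "critical"),
    Vuln("EXAMPLE-2018-0004", "curl", parse_version("7.40.0"), "high"),  # 7.50.0 already past the fix
]

if __name__ == "__main__":
    known = evaluate(INVENTORY, FEED_AT_SCAN)
    fresh = new_findings(INVENTORY, FEED_TODAY, known)
    print("new findings:", sorted(fresh))
    print(annotation_patch(known | fresh, FEED_TODAY))
    print("notify response team:", should_notify(fresh, FEED_TODAY))
```

The point the example makes is the separation of concerns: the expensive step (building the inventory) happens once, while the cheap step (matching the stored inventory against the feed) can run every time the feed changes, and only the delta drives the annotation update and the notification.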

Partner Spotlight: Black Duck by Synopsys

via OpenShift:  Synopsys is at the forefront of smarter connected secure devices with the world’s most advanced tools for silicon chip design, verification, IP integration, and application security testing. Our technology helps customers innovate from silicon to software, so they can deliver smart, secure everything. A leader in software composition analysis, Black Duck provides products and on-demand audit services to secure and manage applications and containers at the speed of DevOps, eliminating pain related to open source security vulnerabilities, license compliance, and operational risk. 

Enhanced Legal Tab in Black Duck Audit Reports

via Black Duck blog: If you have reviewed any Black Duck audit reports recently, you may have noticed improvements in the legal tab and the way we report on findings. The new report format has received some very positive reviews, the theme being that it makes reported results more actionable. The biggest change we made on the legal tab was to add a layer of hierarchy in categorizing findings. We classify licenses for components as follows: Research Needed, Potential Conflicts and OK to Use.  

Black Duck Web Service Risk Audits


