It’s an acronym-filled issue of Open Source Insight, as we look at the question of SCA (software composition analysis) and how it fits into the DevOps environment. The DHS (Department of Homeland Security) has concerning security gaps, according to its OIG (Office of Inspector General). Can the CVE (Common Vulnerabilities and Exposures) gap be closed? The GDPR (General Data Protection Regulation) is bearing down on us like a freight train, and it’s past time to include open source security in your GDPR plans.
Plus, an intro to the Open Hub community, looking at security for blockchain apps, and best practices for open source security in container environments are all featured in this week’s cybersecurity and open source security news.
via Synopsys Software Integrity blog: Though blockchain-native software is in its infancy, the technology races forward to meet more and more use cases. But the community doesn’t seem to have taken software security principles seriously, as we can see from the recent scan of Ethereum smart contracts that identified 34,200 vulnerable contracts.
via InfoSecurity: Is SCA compatible with DevOps? The answer is: Absolutely, yes, writes Black Duck by Synopsys Technology Evangelist Tim Mackey, but only if the SCA tools provide the ability to integrate open source management throughout your DevOps environment, from IDE through to runtime platform. Having this flexibility is critical, as it allows you to tailor your DevOps environment to your needs rather than to a rigid vendor-centric framework.
via Black Duck blog: The Black Duck Open Hub is the premier source for research and comparisons of open source software components. The majority of visitors have an active, contributory role in open source. Visitors come to look at their own open source software contributions, to research and compare open source software projects, and to learn more about open source contributors.
via Tech Republic: Some IT systems of the US Department of Homeland Security (DHS) used unsupported operating systems and missed key security patches to protect against "critical" and "high-risk" vulnerabilities, according to a recent report from the department's Office of Inspector General (OIG).
via DHS OIG: DHS did not implement all configuration settings required to protect component systems, continued using unsupported operating systems, and did not apply security patches in a timely manner to mitigate critical and high-risk security vulnerabilities on selected systems. DHS also did not monitor software licenses for unclassified systems and relied on data calls to monitor national security systems as part of its continuous monitoring process.
via Synopsys Software Integrity blog: Chris Fearon, manager of research engineering at Black Duck by Synopsys, said it is tough for any organization to keep up with the explosive growth of vulnerabilities. “With increased adoption of open source software, the OSS landscape has become a target-rich landscape for attackers,” he said.
via Bob’s Guide: Open source continues to transform how we architect software solutions in every industry, writes Black Duck by Synopsys General Counsel Matt Jacobs. Black Duck’s 2017 Open Source Security and Risk Analysis of over 1000 commercial applications revealed that 96% of applications scanned utilized open source. While the rate of open source reuse has been steadily climbing over the decades, policies, procedures, and safeguards for the responsible use of open source have lagged. This manifests in developers failing to use open source in compliance with the myriad license types governing that code, and in their reuse of open source code without appreciation for, or the ability to track and remediate, known or later discovered security vulnerabilities in that code. Of the applications scanned in Black Duck’s 2017 survey, 67% contained known open source vulnerabilities, with 52% of those rated as severe.
via Black Duck blog: Recently Black Duck launched OpsSight for OpenShift and Kubernetes to help address container security. Once a container is scanned, OpsSight continually monitors Black Duck’s vulnerability database to determine whether any new vulnerabilities have been discovered that impact components in that container. Should a new vulnerability be disclosed, OpsSight proactively updates the container metadata with vulnerability information and can notify security response teams of the event. This allows operations teams to move from an unknown and uncertain vulnerability state to a known one, with automated triggering of response plans.
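The post-scan monitoring loop described above (re-check a container's recorded component inventory against a vulnerability feed, attach the findings as container metadata, and trigger a response plan above a severity threshold), as an added illustration in Python. This is not OpsSight's code or the Black Duck API; the image name, component versions, vulnerability ids, annotation keys and feed format are all constructed for the example.

```python
import re

# Constructed sample: component inventory recorded when the image was scanned.
SCANNED_IMAGE = {
    "image": "registry.example.internal/shop/api:1.4.2",  # placeholder name
    "components": {"openssl": "1.0.2k", "curl": "7.52.1", "zlib": "1.2.11"},
}

# Constructed vulnerability feed snapshot; ids are placeholders, not real CVEs.
VULN_FEED = [
    {"id": "VULN-0001", "component": "openssl", "fixed_in": "1.0.2m", "severity": "high"},
    {"id": "VULN-0002", "component": "curl", "fixed_in": "7.50.0", "severity": "medium"},
    {"id": "VULN-0003", "component": "zlib", "fixed_in": "1.2.12", "severity": "low"},
]

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def version_key(version):
    """Split '1.0.2k' into comparable pieces: numbers as ints, letters as strings."""
    return [(0, int(p)) if p.isdigit() else (1, p)
            for p in re.findall(r"\d+|[A-Za-z]+", version)]


def matching_vulns(image, feed):
    """Feed entries whose component is in the image at a version below the fix."""
    comps = image["components"]
    return [v for v in feed
            if v["component"] in comps
            and version_key(comps[v["component"]]) < version_key(v["fixed_in"])]


def new_findings(image, feed, already_reported):
    """Only disclosures not yet attached to the container's metadata."""
    return [v for v in matching_vulns(image, feed) if v["id"] not in already_reported]


def vulnerability_annotations(findings):
    """Metadata a monitor would attach to the container (annotation keys are made up)."""
    if not findings:
        return {}
    worst = max(findings, key=lambda v: SEVERITY_RANK[v["severity"]])["severity"]
    return {
        "vuln.example.internal/count": str(len(findings)),
        "vuln.example.internal/highest-severity": worst,
        "vuln.example.internal/ids": ",".join(sorted(v["id"] for v in findings)),
    }


def needs_response(findings, threshold="high"):
    """Trigger the response plan only when a finding meets the severity threshold."""
    return any(SEVERITY_RANK[v["severity"]] >= SEVERITY_RANK[threshold] for v in findings)
```

Each monitoring pass re-runs new_findings against the latest feed snapshot with the ids already annotated, so only genuinely new disclosures generate metadata changes and notifications.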
via OpenShift: Synopsys is at the forefront of smarter connected secure devices with the world’s most advanced tools for silicon chip design, verification, IP integration, and application security testing. Our technology helps customers innovate from silicon to software, so they can deliver smart, secure everything. A leader in software composition analysis, Black Duck provides products and on-demand audit services to secure and manage applications and containers at the speed of DevOps, eliminating pain related to open source security vulnerabilities, license compliance, and operational risk.
via Black Duck blog: If you have reviewed any Black Duck audit reports recently, you may have noticed improvements in the legal tab and the way we report on findings. The new report format has received some very positive reviews, the theme being that it makes reported results more actionable. The biggest change we made on the legal tab was to add a layer of hierarchy in categorizing findings. We classify licenses for components as follows: Research Needed, Potential Conflicts and OK to Use.