In this week’s open source security and cybersecurity news: Free software comes with a price. Learn how a PE firm wraps open source due diligence into its tech investing. The SEC provides guidance on public cybersecurity. The Defense Department (re)launches its open source portal. A look at cybersecurity through the (virtual) lens of video gaming. What you need to know to be a DPO. And what’s up with the National Vulnerability Database?
via Forbes: People have long thought that OSS is less secure than proprietary software. They point to security bugs such as the OpenSSL vulnerability known as Heartbleed discovered in 2014 that allowed for stealing of protected information. Open source is no more or less secure than proprietary software. The difference is that software vendors can offer security and reliability guarantees. When a problem arises, whether it be security-related or performance-related, commercial vendors provide support for companies using their software. Overall, open source software can offer reliable, innovative technology to companies drawn to the idea of free software.
via Black Duck by Synopsys: Black Duck helps private equity firm NorthEdge Capital make tech investments with confidence—alerting the firm to potential legal, operational, and security issues in acquisitions and sales by identifying open source code and third-party components and licenses.
via TechCrunch: The guidance was issued as an “interpretive release,” which the SEC uses to publish their views and interpret federal securities laws and SEC regulations. In it, the commission urged companies to develop policies that allow them to quickly assess cybersecurity risks and decide when to tell the public, and also prevent executives, board members and other corporate insiders from trading shares when they have important information that hasn’t been released yet.
via SEC.gov: Given the frequency, magnitude and cost of cybersecurity incidents, the Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.
via Synopsys Software Integrity blog: The video game market is a $100+ billion industry. Some of the most complex software developed today is for video games, using clients, servers, web components, monetary transfers, social interactions, and virtual markets—with every part needing security. Video games are attractive and lucrative targets for hackers, especially when it comes to cheating and piracy.
via Nextgov: The Defense Department launched the Code.mil website on Tuesday, a new, streamlined portal for its similarly named Code.mil initiative, a collaborative approach to meeting the government’s open source policy.
The new website was designed to give a more straightforward user experience. The site features a suite of new tools, including checklists and links that offer guidance, and represents “an evolution of the Code.mil project,” according to Ari Chivukula, policy wrangler for the Defense Digital Service.
via Synopsys Software Integrity blog: Listen as experts Adam Brown of Synopsys and legal expert Dan Hedley of Irwin Mitchell, LLP provide insights into:
- What GDPR requirements mean for your security initiative
- How your existing security activities can support compliance
- Best practices to keep in mind as you look to mature your software security program
via Black Duck blog: Coming into the role, the Data Protection Officer (DPO) must have expert knowledge of data protection law and the practices necessary to protect data, because they will be involved with all issues related to protection of personal data. Since often personal data is not (or cannot feasibly be) isolated from non-personal data, the DPO will be involved in the protection of all data in systems that have any personal data.
via Black Duck blog: Since February 2, 910 vulnerabilities have been published in NVD without CVSS scores, far more than usual during such a short period of time. NIST appears to be following a plan that favors providing partial information in earlier disclosure.
That’s a decent trade-off for consumers of NVD, assuming you have sufficient security resources to investigate these vulnerabilities internally. Unfortunately, that’s not usually the case. Security teams are almost always stretched thin. The first filters applied to any vulnerability feed are going to be: a) are my products affected; and b) how severe is the vulnerability. The missing CVSS scores eliminate the ability to apply the latter filter without a considerable amount of work calculating scores.
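To make the two-filter triage described above concrete, here is an added example (not code from the Black Duck post or from NVD) that runs the "affected?" and "how severe?" filters over a feed and routes entries that carry no CVSS score into a separate manual-scoring queue, which is exactly the extra work the post is talking about. The feed records, the product inventory and the placeholder CVE identifiers are all constructed for the example, and their field layout is a simplification, not the real NVD JSON schema.

```python
"""Triage a vulnerability feed in which some entries lack CVSS scores.

All records below are constructed for illustration; the field names
("id", "affects", "cvss") are an assumption and are deliberately
simpler than the real NVD feed format.
"""
from typing import Dict, List, Optional, Set, Tuple

Product = Tuple[str, str]  # (vendor, product) pair

# Constructed inventory: the products this organisation actually ships.
INVENTORY: Set[Product] = {("openssl", "openssl"), ("apache", "struts")}

# Constructed feed entries with obviously placeholder identifiers.
# A cvss of None models an NVD entry published before its score was assigned.
FEED: List[Dict] = [
    {"id": "CVE-PLACEHOLDER-1", "affects": [("openssl", "openssl")], "cvss": 7.5},
    {"id": "CVE-PLACEHOLDER-2", "affects": [("openssl", "openssl")], "cvss": None},
    {"id": "CVE-PLACEHOLDER-3", "affects": [("someone", "else")], "cvss": 9.8},
    {"id": "CVE-PLACEHOLDER-4", "affects": [("apache", "struts")], "cvss": 3.1},
    {"id": "CVE-PLACEHOLDER-5", "affects": [("apache", "struts")], "cvss": None},
]


def is_affected(entry: Dict, inventory: Set[Product]) -> bool:
    """Filter (a): does the entry name any product we ship?"""
    return any(p in inventory for p in entry["affects"])


def triage(feed: List[Dict], inventory: Set[Product],
           urgent_threshold: float = 7.0) -> Dict[str, List[str]]:
    """Apply filter (a) then filter (b).

    Entries with no score cannot pass the severity filter at all, so they
    are queued for manual scoring instead of being silently dropped or
    silently treated as low priority.
    """
    buckets: Dict[str, List[str]] = {
        "ignore": [],         # not our products
        "urgent": [],         # affected and score >= threshold
        "backlog": [],        # affected, scored below threshold
        "needs_scoring": [],  # affected but NVD has not scored it yet
    }
    for entry in feed:
        if not is_affected(entry, inventory):
            buckets["ignore"].append(entry["id"])
            continue
        score: Optional[float] = entry.get("cvss")
        if score is None:
            buckets["needs_scoring"].append(entry["id"])
        elif score >= urgent_threshold:
            buckets["urgent"].append(entry["id"])
        else:
            buckets["backlog"].append(entry["id"])
    return buckets


def scoring_gap(feed: List[Dict], inventory: Set[Product]) -> float:
    """Fraction of entries that affect us but arrived without a CVSS score.

    This is the share of the feed a team must score by hand before the
    severity filter can be applied; 0.0 means the feed is fully usable.
    """
    relevant = [e for e in feed if is_affected(e, inventory)]
    if not relevant:
        return 0.0
    unscored = sum(1 for e in relevant if e.get("cvss") is None)
    return unscored / len(relevant)


if __name__ == "__main__":
    for bucket, ids in triage(FEED, INVENTORY).items():
        print(f"{bucket:14s} {ids}")
    print(f"manual scoring needed for {scoring_gap(FEED, INVENTORY):.0%} of relevant entries")
```

The `needs_scoring` bucket is the point of the example: with the scores absent, a team cannot tell whether the second OpenSSL entry belongs with the 7.5 or with the 3.1, so every unscored entry that touches the inventory costs an analyst's time before the usual severity cut-off can be applied.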