The Black Duck blog and Open Source Insight become part of the Synopsys Software Integrity blog in early April. You’ll still get the latest open source security and license compliance news, insights, and opinions you’ve come to expect, plus the latest software security trends, news, tips, best practices, and thought leadership every week. Don’t delay, subscribe today! Now on to this week’s open source security and cybersecurity news.
via Synopsys Software Integrity: The city of Atlanta has become one of the latest victims of a ransomware attack. The attack is believed to be the result of the SamSam malware that has compromised various healthcare, government, and educational systems over the past several years.
via EE News: As the UK government’s automotive cybersecurity guidelines recognize, innovation may be outpacing security in cars. Automotive OEMs therefore need to adopt a security strategy that goes beyond the obvious.
via Electronics Weekly: “When it comes to IoT devices, you need to consider a security architecture risk analysis, to find weaknesses that might occur as the result of business logic or component interactions,” writes Art Dahnert of Synopsys.
via CNET: A gamble 20 years ago unleashed the source code for the browser that became Firefox. The approach is now core to Facebook, Google and everyone else.
via Computer Weekly: Taylor Armerding, senior security strategist at Synopsys, notes that a 2016 Forrester Research study commissioned by Synopsys set a baseline of five hours of work to fix a defect in the coding/development stage. But, he reminds us, finding and fixing that same defect in the final testing phase would take five to seven times longer.
via Black Duck blog: The GitHub numbers are interesting; specifically the numbers 450,000 resolved vulnerabilities out of 4,000,000 discovered. We know that the National Vulnerability Database (NVD) doesn’t contain anywhere near that many disclosures, so how are they arriving at that number? GitHub is likely taking the number of vulnerabilities and applying it to all the forks and versions within GitHub using that code. That makes their metric an interesting one, as I said, but masks the real problem — knowing which code has been patched in which fork. Consumers of open source projects may themselves create a fork, and that fork could very easily be outside of GitHub’s visibility.
via Black Duck blog: As outlined previously, the Synopsys culture is extraordinarily well-aligned with the critical elements of our audit business: Maintaining trust through integrity, being hyper-responsive through execution and leading the market with superior services and tools. And all that with the same passion that drives my team every day. To be fair, those initial impressions were based on Synopsys’s “talking the talk.” However, a few months of “walking the walk” have only reinforced my conviction that we have a great home. Actually, these months have felt more like running the walk!
via Synopsys Software Integrity: Securing the Internet of Things (IoT) seems like an endless reality version of “Mission Impossible”—really impossible. Many have tried—with lists of best practices and standards, exhortations, and warnings—but none has succeeded. Still, the U.K. government, in a policy paper titled Secure by Design released earlier this month, says it is also going to try, with a 13-point Code of Practice that it will force all IoT stakeholders to follow if they don’t do it voluntarily.
via USNI News: Cybersecurity has been gaining attention as a national issue for the past decade. During this time, the country has witnessed cyber incidents affecting both public and private sector systems and data. These incidents have included attacks in which data was stolen, altered, or access to it was disrupted or denied. The frequency of these attacks, and their effects on the U.S. economy, national security, and people’s lives have driven cybersecurity issues to the forefront of congressional policy conversations. This report provides an overview of selected cybersecurity concepts and a discussion of cybersecurity issues that are likely to be of interest during the 115th Congress.
via EURACTIV: Superfast 5G mobile networks come with “extremely dangerous” cybersecurity risks, the EU cybersecurity agency ENISA has warned. 5G is expected to become available to European consumers by 2025.
via Threatpost: Drupal released a patch for a “highly critical” flaw in versions 6, 7 and 8 of its CMS platform that could allow an attacker to take control of an affected site simply by visiting it. Drupal also warned an unprivileged and untrusted attacker could modify or delete data hosted on affected CMS platforms.