Securing Software Stacks, Election Security, FDA Pacemaker Recall
News is slight as the US prepares to bore into the Labor Day weekend and the unofficial end of Summer 2017. Yet our crack staff of editors has scoured the Webbernets to produce the best in cybersecurity and open source security news for your reading pleasure. Enjoy, and if you celebrate Labor Day, have a great holiday weekend!

The Hidden Threat Lurking in an Otherwise Secure Software Stack

via The ServerSide: Summary: Is there a hidden threat buried in your software stack? Is there a hidden threat embedded within your Docker container? It's certainly not a prospect that lives outside of the realm of possibility, especially if you're not 100% sure as to exactly how the various open source components that make up your software stack or your container image were derived. "One of the aspects of open source is that it can be forked," said Tim Mackey, the Technical Evangelist for Black Duck Software.

Open Source Software Won't Ensure Election Security

via LawFare: The technology behind elections is hard to get right. Elections require security. They also require transparency: anyone should be able to observe enough of the election process, from distribution of ballots, to the counting and canvassing of votes, to verify that the reported winners really won. But if people vote on computers or votes are tallied by computers, key steps of the election are not transparent and additional measures are needed to confirm the results.

If Machine Learning is the question, open source is the answer. Right?

via The Register: from Google’s TensorFlow to Microsoft’s Cognitive Toolkit, the world is awash in open source ML/AI code... none of which seems to be solving the gaping void between AI hype and production deployment reality. By Gartner’s estimates a mere 15 per cent of organisations actually get into production with ML/AI.

FDA Recalls 465K Pacemakers Tied to MedSec Research

via Threatpost: The United States Federal Drug Administration is recalling 465,000 pacemakers to which attackers can gain unauthorized access to issue commands, change settings and maliciously disrupt. Affected are four models manufactured by Abbott Laboratories.

Three Reasons Why The Cybersecurity Industry May Never Catch Up To Cybercrime

via Forbes: Is the cybersecurity industry keeping up with cybercrime? Absolutely not. Cyberwarfare is at an all-time high, and cybersecurity is just unable—unequipped—to keep up. We’re seeing a convergence of three major vectors—devices, data, and a shortage of talent—coming to a head. That’s causing an explosion of what I’ll refer to as “cybercrime opportunity.”

Firmware Update to Address Cybersecurity Vulnerabilities Identified in Abbott's (formerly St. Jude Medical's) Implantable Cardiac Pacemakers: FDA Safety Communication

via FDA: On August 23, 2017, the FDA approved a firmware update that is now available and is intended as a recall, specifically a corrective action, to reduce the risk of patient harm due to potential exploitation of cybersecurity vulnerabilities for certain Abbott (formerly St. Jude Medical) pacemakers. "Firmware" is a specific type of software embedded in the hardware of a medical device (e.g. a component in the pacemaker).

What Software Teams Can Learn from Building Radar Detectors

via Black Duck blog (Mike Pittenger): Twenty years ago, a software parts list would have seemed ludicrous. All software was built from scratch, and every code base was unique. Today, however, a software bill of materials is critical to organizations, for many of the same reasons they are required in radar detectors.