Securing Software Stacks, Election Security, FDA Pacemaker Recall

News is slight as the US prepares to bore into the Labor Day weekend and the unofficial end of Summer 2017. Yet our crack staff of editors has scoured the Webbernets to produce the best in cybersecurity and open source security news for your reading pleasure. Enjoy, and if you celebrate Labor Day, have a great holiday weekend!

The Hidden Threat Lurking in an Otherwise Secure Software Stack

via The ServerSide: Summary: Is there a hidden threat buried in your software stack? Is there a hidden threat embedded within your Docker container? It's certainly not a prospect that lives outside of the realm of possibility, especially if you're not 100% sure as to exactly how the various open source components that make up your software stack or your container image were derived. "One of the aspects of open source is that it can be forked," said Tim Mackey, the Technical Evangelist for Black Duck Software.

Open Source Software Won't Ensure Election Security

via LawFare: The technology behind elections is hard to get right. Elections require security. They also require transparency: anyone should be able to observe enough of the election process, from distribution of ballots, to the counting and canvassing of votes, to verify that the reported winners really won. But if people vote on computers or votes are tallied by computers, key steps of the election are not transparent and additional measures are needed to confirm the results.

If Machine Learning is the question, open source is the answer. Right?

via The Register: From Google’s TensorFlow to Microsoft’s Cognitive Toolkit, the world is awash in open source ML/AI code... none of which seems to be solving the gaping void between AI hype and production deployment reality. By Gartner’s estimates a mere 15 per cent of organisations actually get into production with ML/AI.

FDA Recalls 465K Pacemakers Tied to MedSec Research

via Threatpost: The United States Federal Drug Administration is recalling 465,000 pacemakers that attackers can gain unauthorized access to in order to issue commands, change settings and maliciously disrupt. Affected are four models manufactured by Abbott Laboratories.

Three Reasons Why The Cybersecurity Industry May Never Catch Up To Cybercrime

via Forbes: Is the cybersecurity industry keeping up with cybercrime? Absolutely not. Cyberwarfare is at an all-time high, and cybersecurity is just unable—unequipped—to keep up. We’re seeing a convergence of three major vectors—devices, data, and a shortage of talent—coming to a head. That’s causing an explosion of what I’ll refer to as “cybercrime opportunity.”

Firmware Update to Address Cybersecurity Vulnerabilities Identified in Abbott's (formerly St. Jude Medical's) Implantable Cardiac Pacemakers: FDA Safety Communication

via FDA: On August 23, 2017, the FDA approved a firmware update that is now available and is intended as a recall, specifically a corrective action, to reduce the risk of patient harm due to potential exploitation of cybersecurity vulnerabilities for certain Abbott (formerly St. Jude Medical) pacemakers. "Firmware" is a specific type of software embedded in the hardware of a medical device (e.g. a component in the pacemaker).

What Software Teams Can Learn from Building Radar Detectors

via Black Duck blog (Mike Pittenger): Twenty years ago, a software parts list would have seemed ludicrous. All software was built from scratch, and every code base was unique. Today, however, a software bill of materials is critical to organizations, for many of the same reasons they are required in radar detectors.
