This week in Open Source Insight we examine blockchain security and the cryptocurrency boom. Plus, take an in-depth look at open source software in tech contracts with a legal expert from Tech Contracts Academy, Adobe Flash Player continues to be a security concern, the Open Source Initiative turns 20, and step-by-step instructions for migrating to Docker on Black Duck Hub. Cybersecurity and security breach news also dominates this week, as Synopsys examines security breaches in 2017 and how they were preventable.
Read on for more cybersecurity and open source security news:
Blockchain Security and the Cryptocurrency Boom, Part 1: Theory
via Synopsys Software Integrity blog: For the millions who have invested (or are considering investing) in cryptocurrencies such as Bitcoin, Litecoin, Ethereum, and the ever-growing list of alt-coins, little has been mentioned about the software and the infrastructure on which these cryptocurrencies are based. With all early adoption of technology, there is risk, so there’s a natural inclination to question the security of blockchain and the potential for cyber attack against it.
Open Source Software in Tech Contracts – 1. Intro
via Tech Contracts Academy: Contract drafters rarely understand open source software (OSS). They see it as a threat, so when they’re buying software, they try to exclude OSS from their vendors’ products. In most cases, the concern is misplaced. Software licensees may have good reason to worry about copyleft software, which is one type of OSS. But other open source software poses no real threat. Plus, even copyleft should cause far less concern than it often does. And most standard contracts already have IP terms that address copyleft pretty well.
Adobe Flash Player Zero-day Spotted in the Wild
via Threatpost: According to the South Korean Computer Emergency Response Team (KR-CERT), the zero-day is believed to be a Flash SWF file embedded in MS Word documents. Impacted is Adobe’s most recent Flash Player 184.108.40.206 and earlier... Adobe released a security advisory on Thursday acknowledging the vulnerability and attacks.
Open Source Initiative Turns 20
via ADT Mag: Also, as part of the celebration, the OSI is launching OpenSource.Net, which will serve both as a community of practice and a mentorship program. "The goal is to further promote adoption of open source software over the next twenty years as issues shift from open source's viability/value to issues around implementation and authentic participation," the Web site reads.
Migrating to Docker on Black Duck Hub
via Black Duck Blog (Charlie Klein): Before Black Duck began leveraging Docker, customers utilized the App Manager Install Method to deploy the Hub. The Hub now deploys as a set of containers, so customers need to install Docker to take advantage of updates to the application. By the end of this guide, you'll have a basic understanding of how to migrate the Hub to a containerized environment, as well as the benefits of using containers.
Enterprises Need a Software Security Program
via App Developer Magazine: The answer to the “why” enterprises need a software security program question is pretty straightforward. There are no circumstances under which any but the smallest firms can expect a collection of independent activities - a pen test here, an hour of training there, some free tools that may or may not work as advertised - will consistently result in appropriately secure software.
New Reports Detail How Most 2017 Security Breaches Were Easily Preventable
via Synopsys Software Integrity blog: Whatever the actual count, the trend is the same—a major increase in breaches year after year. While that is offset a bit by a bit of good news – the Ponemon Institute’s finding that the average cost of a data breach incident worldwide in 2017 declined to $3.62 million, or by 10% from 2016, the United States bucked the trend, with a 5% increase to $7.35 million that put it at about double the worldwide average.
Four Key Questions for Automotive Cybersecurity
via IoTNow Transport (Mike Pittenger): According to research conducted by Black Duck’s Centre for Open Source Research & Innovation, 23% of the code in the average automotive application is open source. Open source enters in-vehicle applications through a variety of paths. Automobile manufacturers rely on a wide range of component and application suppliers, who build solutions with open source components and extend open source platforms.
Equifax's Data Breach Sins Live on to This Year's Tax Season
via The Hill: As you prepare your taxes this year, think of Equifax. Why? If you were one of the 145 million Americans who had their personal information breached at Equifax last year, you could become a victim of tax fraud.
After the breach, there was a flurry of articles advising people to place credit freezes on their accounts and set up fraud alerts at each of the credit bureaus. This is good advice, but it does not prevent scammers from filing with the IRS using your Social Security Number and requesting fraudulent tax returns in your name. All you can do to protect yourself from tax identity theft is file as early as possible, so identity thieves don’t file before you do.
Infographic: What do the 4 CISO tribes say about software security in your firm?
via Synopsys Software Integrity blog: Where does software security really fit into your firm? We recently decided to conduct a study to find out. Gathering data in a series of in-person interviews with 25 chief information security officers (CISOs), our aim was to understand their strategies and approaches. The 2018 CISO Report presents the research findings.
Tackling Security with Container Deployments
via Informatik Aktuell (Tim Mackey): Container technologies are the next step in moving from physical, single-use computing resources to more efficient, multi-tenant virtual infrastructures that can run in legacy IT environments and in the cloud. Among other benefits, containers are ideal for continuous integration and continuous delivery environments designed to accelerate development and further optimize the path between development and production environments.