Struts Buster Hits Canada, Zero-Days, and the Best Vuln Information Sources

CVE-2017-5638 – the Struts Buster – still leads the news cycle, with the Canadian Revenue Agency taken offline to deal with the vulnerability and Statistics Canada hacked. If you haven’t patched for CVE-2017-5638, go get that update. The hits keep on coming at the NVD, with 657 entries now listed for March.

In this week’s open source security and cybersecurity news: Learn more than you ever wanted to know about the life and times of zero-day vulnerabilities. Who should you trust: The Hacker News or NIST? What if SkyNet had been open source? SCA: what is it, and is it compatible with Agile DevOps? Trends in open source, and what you need to know about open source security…

Hackers Exploit Software Bug and Breach Canadian Government Agency Site

via Software Testing News: As a precautionary measure, the Canadian Revenue Agency took its website offline to deal with an unspecified “internet vulnerability,” later revealed to be related to the newly disclosed security bug in Apache Struts 2. The revenue agency’s digital services have since been restored, and government officials said no personal information was compromised. During a press briefing, government officials said that Statistics Canada’s website was hacked. Statistics Canada, which reported stopping the intrusion before hackers stole any data, is the first high-profile organization to say it was hacked due to the Apache Struts 2 bug. The vulnerability surfaced last week when the Apache Software Foundation released an urgent update to fix the bug, reporting that hackers could exploit it to gain remote control of a web server.

What You Need to Know about Canada Revenue Agency's 'Internet Vulnerability'

Wait, the government is using free software in important systems? Yeah. This is actually pretty common — Apache, for example, is one of the most widely used web server software packages around. Most organizations use a mix of free open source and commercial software.

Was CRA the only government department affected?

No. Government officials also revealed that some Statistics Canada servers were vulnerable, too — and that an attacker actually gained access for a brief period of time. (It's not yet clear who was responsible in that case.) The affected Statistics Canada servers were then taken offline and patched, while network-based protections were put in place to block any additional attacks — something Wilson said typically buys IT staff time to patch servers without causing too much downtime.

Black Duck: Struts' Guts Went Nuts, Need to Patch Is Clear Cut

Security strategy firm Black Duck Software has advised users to urgently update Struts, which Apache has now patched. According to Mike Pittenger, head of security strategy at Black Duck, the CVE-2017-5638 vulnerability makes it simple for even lesser-skilled attackers to make trouble.

Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits

A new research report available from the RAND Corporation notes that zero-day exploits and their underlying vulnerabilities have a relatively long average life expectancy (6.9 years). Only 25 percent of vulnerabilities do not survive to 1.51 years, and only 25 percent live more than 9.5 years. Once an exploitable vulnerability has been found, the time to develop a fully functioning exploit is relatively fast, with a median time of 22 days.

Vulnerability Information Sources: The Hacker News vs. NIST

“While that may be a catchy title,” writes Black Duck Technology Evangelist Tim Mackey, “it’s also the question I've been asking attendees at SCALE and Container World over the past few weeks. More precisely, ‘Where would you rather get your security vulnerability information from?’ Now I’m going to pause here and let that sink in for a minute. Think about it, which source do you trust more? Both are valid options and both are on the short list for many people. Made your choice? Cool, then onward!”

Open Source Security and ‘Hacking Robots Before Skynet’

“Hacking Robots Before Skynet” notes, “Many robots use open source frameworks and libraries. One of the most popular is the Robot Operating System (ROS) used in several robots from multiple vendors. ROS suffers from many known cyber security problems, such as cleartext communication, authentication issues, and weak authorisation schemes. All of these issues make robots insecure.”

In Black Duck’s on-demand audit practice, we see this in application development every day, whether in robotics/IoT, financial services, automotive, and even cyber security applications – more from Information Age.

Is Software Composition Analysis Compatible with Agile DevOps?

You can integrate Software Composition Analysis with your DevOps environment if you choose your tools wisely, blogs Black Duck’s Patrick Carey. Wait…you say you’ve never heard the term Software Composition Analysis and aren’t sure what it is? I’m not surprised. While SCA is a term used by Forrester, Gartner and other analyst firms, it’s not exactly a term that rolls off the tongues of CTOs, CIOs, or CISOs, much less the developers or DevOps engineers who deal most directly with software composition. Furthermore, there seems to be some confusion about the role of SCA in agile development and DevOps and whether they are even compatible. So, let’s first start by defining some terms…

Trends in Open Source Security: The Key Role of Software Maintenance

Organizations of all sizes and industries rely on the use of cloud and mobile applications, writes Mike Pittenger, Vice President of Security Strategy at Black Duck in Line-Of.Biz (German publication). They mainly rely on open-source components - which in turn are generated outside the company firewall. Hackers have learned that such applications are the weak point in the cybersecurity of most organizations and widespread open source vulnerability exploits have a quick return on investment, leaving thousands of sites, applications, and IoT devices vulnerable.

Open Source Vulnerabilities in Application Software

Patrick Carey, Director of Product Marketing, Black Duck Software, discusses what software testers need to know about open source vulnerabilities in application software in Software Testing News. “In a world that runs on software,” Carey writes, “we face a big problem: the difficulty of ensuring that the software we build, use, and sell is reliable and secure. This is true of purchased software, custom-developed proprietary software, and software delivered as a service. It is also true of open source, which now often comprises the bulk of the average proprietary application’s code.”
