Open Source Insight: Record Vulns in 2017 and Predictions for Open Source in 2018

Fred Bals | Senior Content Writer/Editor


Cybersecurity News This Week

We enter the last month of 2017 with two reports that should give pause: the National Vulnerability Database has documented more than 13,400 vulnerabilities so far this year, more than double what the database logged in all of 2016. Plus, as unbelievable as it sounds, more than 90 percent of firms using the same open source framework that led to the Equifax data breach have failed to keep the software up to date.

Several Black Duck executives published commentaries on security issues of the day, including VP of Product Marketing Patrick Carey’s predictions for open source in 2018; Senior Security Evangelist Tim Mackey on the Uber data breach; VP of Security Strategy Mike Pittenger on the updated OWASP top ten list of web app vulnerabilities; and Vice President & General Counsel Matt Jacobs on the Equifax breach, the GDPR and open source security. Read more on the top cybersecurity and open source security news in this week’s Open Source Insight.

• Black Duck Software 2018 Predictions: What's in Store for Open Source in 2018?

• Reported Software Vulnerabilities on Track to Break Record in 2017

• AWS + Black Duck Adds Security for Cloud-build Environments

• How Israel Became the Land of Connected Car Research and Development

• Open Source's Killer Features: What Makes Open Source So Popular?

• 9 in 10 Firms Also Failed to Patch Software That Sunk Equifax

Open Source News

More Open Source News

• OpenEMR Flaw Leaves Millions of Medical Records Exposed to Attackers

• Security Industry Responds to Massive Uber Data Breach Cover-up

• OWASP Vulnerability Chart Suggests Web App Devs Are Not Smelling the Security Coffee

• The Shape of Things to Come: The Equifax Breach, the GDPR and Open-Source Security

• Uber's Data Breach Cover-Up Strategy May Be More Common Than You'd Think

• Don't Let Poor IoT Security Turn Your Devices Against You

Black Duck Software 2018 Predictions: What's in Store for Open Source in 2018?

via VM Blog: Everyone uses open source. It's now found in around 95% of applications, a figure likely to edge closer to 100% by the end of 2018. Polishing up his crystal ball, Black Duck VP of Product Marketing Patrick Carey sees these events around open source in the coming year.

Reported Software Vulnerabilities on Track to Break Record in 2017

via eWeek: A combination of increased reporting and more software programs are causing vulnerability reports to rise by more than a third compared to 2016 and are on track to set a record.

AWS + Black Duck Adds Security for Cloud-build Environments

via Black Duck blog (Evan Klein): DevOps teams expect to spend less time on security, while updating applications more frequently and adding new open source components as a regular part of their process. As DevOps teams continue this trend, they also need to fully integrate and automate security.

How Israel Became the Land of Connected Car Research and Development

via Security Intelligence: A recent study by Black Duck Software noted that, because smart automobile manufacturers have been “focusing their attention on differentiating features, the disparity between innovation and security is growing at an accelerated speed.” With so much investment in connected car research and development, Israel is leading the way in the effort to make the roads safer for smart car operators around the world.

Open Source's Killer Features: What Makes Open Source So Popular?

via Channel Futures: Open source software is massively popular. A majority of organizations now use open source software, and 65 percent of companies contribute to open source projects, according to Black Duck, an open source security and compliance company.

9 in 10 Firms Also Failed to Patch Software That Sunk Equifax

via The Hill: More than 90 percent of applications using the same computer programming library that, left unpatched, led to the Equifax data breach also fail to keep the software up to date.

OpenEMR Flaw Leaves Millions of Medical Records Exposed to Attackers

via Help Net Security: A vulnerability in the free, open source electronic medical record and medical practice management software OpenEMR can be exploited to steal patients’ medical records and other personally identifiable information.

Security Industry Responds to Massive Uber Data Breach Cover-up

via IT Security Thing: Black Duck Software’s Senior Security Evangelist, Tim Mackey, notes, “The larger issues of Uber’s actions and failure to disclose a breach that occurred in 2016 aside, the breach apparently occurred when hackers discovered that the company’s developers had published code that included their usernames and passwords on a private account of the software repository GitHub.”

OWASP Vulnerability Chart Suggests Web App Devs Are Not Smelling the Security Coffee

via SC Magazine: When you consider that Black Duck's 2017 Open Source Security and Risk Analysis (OSSRA) report found open source in 96 percent of the commercial software tested, and known vulnerabilities in two-thirds of those code bases, it's an inertia that's proving very costly. "This lack of visibility is seen even in companies with strong application security programs," insists Black Duck's VP of Security Strategy, Mike Pittenger.

The Shape of Things to Come: The Equifax Breach, the GDPR and Open-Source Security

via Science Direct (Elsevier): Although the General Data Protection Regulation (GDPR) is being hailed as a sort of revolution, what it really represents is the law catching up with reality. The GDPR isn't alone, of course – in the information security space it is accompanied by the Network and Information Security Directive (NISD). Both the GDPR and NISD go into effect in May 2018. Daniel Hedley of Irwin Mitchell LLP and Matthew Jacobs of Black Duck Software describe the consequences of not getting to grips with the GDPR and the processes and policies you need to get into place now.

Uber's Data Breach Cover-Up Strategy May Be More Common Than You'd Think

via The National Law Journal: Uber has been widely criticized for its decision to hide a 2016 data breach and pay hackers for their silence, but it may not be the only company in town to do so.

Don't Let Poor IoT Security Turn Your Devices Against You

via IoT Agenda: Earlier this year, the IoT-focused security firm Senrio discovered a hackable flaw called Devil’s Ivy, which has the potential to put thousands of different models of security cameras at risk. The vulnerability is found in a piece of open source code called gSOAP, created and maintained by a small company named Genivia. At least 30 companies use gSOAP in their IoT products.