Posted by Fred Bals on Monday, April 9th, 2018
Open Source Insight makes the transition to the Synopsys Software Integrity Group (SIG) blog this week, and you can find us here alongside the latest posts from SIG technology evangelist Tim Mackey. This week’s edition looks at security for container images, cyber security in healthcare, how most data breaches occur, and a host of other open source security and cyber security news.
via Synopsys Software Integrity: “Do you know what’s in your containers?” asks Tim Mackey, Synopsys Software Integrity Group technology evangelist. No, the question has nothing to do with those mystery containers in your fridge. But if you don’t know what’s in those lovely Docker containers which are all the rage, you could be in store for just as rude a surprise as discovering what might be hiding deep in your fridge.
via CSO: Black Duck Software, Inc., for example, tracks more than 10 billion lines of open source code in more than 550,000 projects. Even that isn’t a complete picture. The Linux Foundation reports that 31 billion lines of code have been committed to open source repositories. Who’s using all that open source code? Everybody. According to the latest Black Duck report, open source components are now present in 96 percent of commercial applications. The average application had 147 different open source components—and 67 percent of the applications used components with known vulnerabilities.
via DZone.com: Spring Break is a critical remote code execution vulnerability in Pivotal’s Spring Data REST, part of one of the most popular frameworks for building web applications, and the effects of this vulnerability are widespread. A patch for Spring Break has been available since September of last year, but the vulnerability broke into the news only last month, after the researchers who discovered it published their findings. The researchers agreed to hold back publication until now, giving organizations more time to update their applications. Pivotal recommended patching as soon as possible in a blog post from Spring Data project lead Oliver Gierke. Yet even after six months, many organizations with applications built on the Spring Data REST component are likely still unpatched. Note that a fix in a library only protects an application once that application is rebuilt against the fixed version and redeployed; a patched upstream release is not the same as a patched fleet.
via Dark Reading: Nearly 60% of organizations that suffered a data breach in the past two years blame a known vulnerability for which a patch was available but had not yet been applied. Patching software security flaws should by now be a no-brainer, yet most organizations still struggle to keep up with and manage the process of applying software updates.
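The three items above share one practical question: which of the components an application ships with are still below the version that fixes a known flaw? The script below is an added example, not code from this newsletter, from Black Duck, DZone or Pivotal. It parses a Maven pom.xml, resolves `${property}` versions, and compares each direct dependency against a table of first-fixed versions using Maven-style ordering (milestone and release-candidate qualifiers sort below a plain release, and `2.6` equals `2.6.0`). The pom.xml and the `FIXED_VERSIONS` table are constructed for illustration; the version numbers in that table are placeholders and must be replaced with the values from the relevant vendor advisory before use.

```python
"""Flag Maven dependencies whose version is below a known first-fixed version.

Added example for this newsletter; not a Black Duck, Pivotal or DZone tool.
The pom.xml and FIXED_VERSIONS table are constructed; the fixed versions are
placeholders, not values taken from any real advisory.
"""
import re
import xml.etree.ElementTree as ET

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample project: one dependency versioned through a property, one
# pinned directly, and one whose version is managed by a parent/BOM (no <version>).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0.0</version>
  <properties>
    <spring-data-rest.version>2.6.5.RELEASE</spring-data-rest.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.springframework.data</groupId>
      <artifactId>spring-data-rest-webmvc</artifactId>
      <version>${spring-data-rest.version}</version>
    </dependency>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>2.9.5</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
  </dependencies>
</project>
"""

# Placeholder "first fixed version" per coordinate (assumption, not advisory data).
FIXED_VERSIONS = {
    "org.springframework.data:spring-data-rest-webmvc": "2.6.9.RELEASE",
    "com.fasterxml.jackson.core:jackson-databind": "2.9.4",
}

# Pre-release qualifiers sort below a plain release; SR (service release) sorts above.
# Unknown qualifiers are treated as a release so odd versions get reviewed, not hidden.
QUALIFIER_RANK = {"ALPHA": 0, "BETA": 1, "M": 2, "RC": 3, "SNAPSHOT": 4,
                  "": 5, "RELEASE": 5, "GA": 5, "FINAL": 5, "SR": 6}


def version_key(version):
    """'2.6.5.RELEASE' -> ((2, 6, 5), 5, 0); '3.0.RC3' -> ((3, 0), 3, 3)."""
    parts = re.split(r"[.-]", version.strip())
    numbers = []
    for part in parts:
        if not part.isdigit():
            break
        numbers.append(int(part))
    qualifier = ".".join(parts[len(numbers):])
    match = re.fullmatch(r"([A-Za-z]*)\.?(\d*)", qualifier)
    letters = match.group(1).upper() if match else ""
    digits = int(match.group(2)) if match and match.group(2) else 0
    return tuple(numbers), QUALIFIER_RANK.get(letters, QUALIFIER_RANK["RELEASE"]), digits


def is_below(version, fixed):
    """True if `version` sorts strictly before `fixed` (numeric parts zero-padded)."""
    a_nums, a_rank, a_num = version_key(version)
    b_nums, b_rank, b_num = version_key(fixed)
    width = max(len(a_nums), len(b_nums))
    a = (a_nums + (0,) * (width - len(a_nums)), a_rank, a_num)
    b = (b_nums + (0,) * (width - len(b_nums)), b_rank, b_num)
    return a < b


def resolve(text, props):
    """Expand ${property} references, including properties that refer to others."""
    for _ in range(10):  # bounded to avoid looping on self-referential properties
        expanded = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), text)
        if expanded == text:
            return text
        text = expanded
    return text


def find_vulnerable(pom_xml, fixed_versions):
    """Return (flagged, unresolved): flagged is [(coordinate, version, first_fixed)]."""
    root = ET.fromstring(pom_xml)
    props = {}
    props_el = root.find("m:properties", POM_NS)
    if props_el is not None:
        for child in props_el:
            props[child.tag.split("}")[-1]] = (child.text or "").strip()
    props.setdefault("project.version", root.findtext("m:version", default="", namespaces=POM_NS))
    flagged, unresolved = [], []
    for dep in root.findall("m:dependencies/m:dependency", POM_NS):
        coord = "%s:%s" % (dep.findtext("m:groupId", default="", namespaces=POM_NS).strip(),
                           dep.findtext("m:artifactId", default="", namespaces=POM_NS).strip())
        raw = dep.findtext("m:version", namespaces=POM_NS)
        version = resolve(raw.strip(), props) if raw is not None else None
        if version is None or "${" in version:
            unresolved.append(coord)  # managed by a parent or BOM; needs `mvn dependency:list`
            continue
        fixed = fixed_versions.get(coord)
        if fixed and is_below(version, fixed):
            flagged.append((coord, version, fixed))
    return flagged, unresolved


if __name__ == "__main__":
    found, pending = find_vulnerable(SAMPLE_POM, FIXED_VERSIONS)
    for coord, version, fixed in found:
        print("VULNERABLE %s %s (first fixed: %s)" % (coord, version, fixed))
    for coord in pending:
        print("UNRESOLVED %s: version managed elsewhere, resolve with `mvn dependency:list`" % coord)
```

This only sees direct dependencies with an explicit version in the pom.xml. Versions inherited from a parent POM or a BOM, and transitive dependencies pulled in by the listed ones, are exactly where vulnerable components usually hide, so in practice feed the script the output of `mvn dependency:list` (or a generated SBOM) rather than the raw pom.xml.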
via SiliconANGLE: The patch released by Microsoft today addresses a vulnerability tracked as CVE-2018-0986. Microsoft describes it as a remote code execution vulnerability: the Microsoft Malware Protection Engine does not properly scan a specially crafted file, leading to memory corruption. Because the engine scans untrusted content automatically, an attacker who gets such a file onto a system could execute arbitrary code in the security context of the LocalSystem account and take control of the machine, allowing them to install programs, edit or delete data and create new accounts. The engine is updated through the normal definition-update channel, so most systems pick up the fix without administrator action; the practical check is to confirm the engine version on hosts where definition updates are staged, delayed or blocked.
via ReportBuyer: The healthcare industry has been among the prime targets for hackers over the last several years. The Ponemon Institute’s Fifth Annual Study reported that cyberattacks in healthcare have increased by 125% since 2010. In the first half of 2017 alone, the healthcare industry experienced 228 data breaches, representing 25% of the total number of breaches worldwide. Across these incidents, around 31 million records were compromised, stolen or lost, an increase of 423% compared with the first six months of 2016.
via Forbes: Into this cyber Wild West, the major cloud companies have begun moving aggressively to take their own lessons learned and massive internal security investments and make them broadly available to the rest of the world. Could this finally shift the cyber tide?
via ZDNet: Facebook is being skewered for its data management, but every company needs to think about its customer data strategy well beyond GDPR. The wild west of data is being tamed.
via Synopsys Software Integrity: Anonymity—one of the biggest draws of cryptocurrency and the blockchain infrastructure it depends on—could get turned on its head if the vision of the head of the International Monetary Fund (IMF) comes true. Christine Lagarde, managing director of the IMF, called in a recent blog post for more regulation of the cryptocurrency market—to include the use of tools to enable more effective surveillance.