Posted by Fred Bals on June 1, 2018
Software Integrity Insight is your resource on the cyber security and open source security news that made headlines this week, including news on North Korea hacking, the remote code execution vulnerability exposed in JScript, and how the World Cup 2018 might be a ripe target for cybercrime. Read on!
via The Washington Post: North Korea’s ability to carry out highly disruptive cyberattacks against the United States and its allies is one of the hermit country’s most powerful assets. Its digital army allows the country to project power on the world stage where its traditional military might fall short. And as the Trump administration tries to coax Kim toward nuclear disarmament, the regime’s cyberweapons could become even more valuable, experts said.
via Network World: Open source has taken over the server side of things, but admins are doing a terrible job of keeping the software patched and up to date. Black Duck by Synopsys, a developer of auditing software for open-source security, has released its annual Open Source Security and Risk Analysis, which finds enterprise open source to be full of security vulnerabilities and compliance issues.
via Bleeping Computer: Yesterday, ZDI published a summary containing light technical details about the bug. According to this summary, the vulnerability allows remote attackers to execute malicious code on users’ PCs.
via The Sun: “When you consider the scope and scale of technology infrastructure required to host and broadcast one of the largest sporting events in the world, there is plenty of opportunity for malicious cyber-activity,” said Steve Giguere, lead engineer at cyber-security firm Synopsys. One of the ways hackers could ruin the event for travellers is by hijacking the self-printed ticket kiosks or connected QR code readers for e-tickets, warns Giguere.
via TechBeacon: Application security testing is not optional. Experts share six best practices for DevOps environments. “Use automated tools in your toolchain. Leverage automated application security testing tools that plug directly into your CI/CD toolchain,” says Meera Subbarao, senior principal consultant at Synopsys Software Integrity Group.
via JAXenter: Tim Mackey from Black Duck by Synopsys discussed containers in his session “AppSec at the Speed of DevOps in the Age of Open Source”. Mackey reported that containers are immutable (they are created once and run many instances) and ephemeral (a container’s life should only be as long as necessary). Containers must be sacrificed and a system may terminate a container if needed; there is no guarantee of a container’s lifespan. The final takeaway of Tim Mackey’s session is that we are all researchers and when you find a security issue, you should report it.
via Computer Business Review: “Each year after publishing the report the authors face criticisms,” says OSSRA co-author Fred Bals. “One being that we are arguing for the use of proprietary software over open source, the other that we claim that open source is less secure than proprietary alternatives. Here’s our response.”
via ITProToday: Earlier this month, Black Duck Software released its annual Open Source Security and Risk Analysis, the first time the report has been issued since the company was acquired by the integrated systems design company, Synopsys, in December. As expected from Black Duck, the company has again found open source to be rife with security vulnerabilities and compliance issues.
via ThreatPost: “It is not clear if this was simply a software flaw or a malicious attack, but it is a stark wake-up call nonetheless,” Andreas Kuehlmann, senior vice president and general manager at Synopsys said, in an email. “The reports that a popular voice assistant unexpectedly recorded a personal conversation and leaked information to a third party should be a reminder of the potential security and privacy risks of our… always-connected world.”
via Enterprise CIO: Synopsys commissioned 451 Research to conduct a study on the state of DevSecOps. As described in the report “DevSecOps Realities and Opportunities,” only half of DevOps teams include application security testing (AST) in their continuous integration and continuous deployment (CI/CD) workflows. DevOps teams face both challenges and opportunities as they apply application security tools and best practices in their CI/CD workflows. Automation, speed, accuracy, and CI/CD integration are critical to making DevSecOps successful.
via Synopsys Software Integrity (video): Taylor Armerding, Synopsys Software Integrity Group senior strategist, gives you the scoop on application security and unsecurity in this week’s Security Mashup episode. What’s in this week’s episode, you ask? Russia vs. Ukraine, Beemer as the ultimate hackable machine, and Nest “smart home” devices. It’s a must watch.