The big news for open source last week was Microsoft’s announced purchase of GitHub. A major win for open source? The beginning of the end? Read Software Integrity Insight to see both sides of the coin, as well as the rest of the cyber security and open source security news that made headlines this week!
With the editors traveling, we’re combining the June 8 and June 15 editions of Software Integrity Insight. We’ll be back on our regular schedule next week.
via BleepingComputer: The developers behind Git and various companies providing Git repository hosting services have pushed out a fix to patch a dangerous vulnerability in the Git source code versioning software. The fix is included with Git 2.17.1, which patches two security bugs, CVE-2018-11233 and CVE-2018-11235. Of these, CVE-2018-11235 is considered the most dangerous, as it allows a malicious actor to create a malformed Git repository containing a specially-built Git submodule.
via TechCrunch: After a week of rumors, Microsoft [last week] confirmed that it has acquired GitHub, the popular Git-based code sharing and collaboration service. The price of the acquisition was $7.5 billion in Microsoft stock.
via SC Magazine: Microsoft has announced a £5.6 billion deal to acquire software development platform GitHub, arguably the most visible open source resource online.… Patrick Carey, director of security strategy at Black Duck by Synopsys, welcomed the move: “This is tremendously good news for open source, and perhaps the single most significant validation conceivable that open source IS the mainstream for software development.”
via TechCrunch: The fact that Microsoft is buying GitHub has left a lot of developers with a deep feeling of unease and a lot of them are now looking for alternatives. One of those is GitLab and that company has decided to strike the iron while it’s hot. GitLab today announced that its premium self-hosted GitLab Ultimate plan and its hosted Gold plan are now available for free to open source projects and educational institutions.
via Forbes: Duncan Clark, head of PatSnap Academy points out that open source software can enter customers source code, including their internally developed proprietary code, in many different and often undocumented ways. Managing this process is key to working with open source channels effectively.
via Network World: Open source has taken over the server side of things, but admins are doing a terrible job of keeping the software patched and up to date. Black Duck [by Synopsys], a developer of auditing software for open-source security, has released its annual Open Source Security and Risk Analysis, which finds enterprise open source to be full of security vulnerabilities and compliance issues.
via Black Duck by Synopsys: Do you know how to protect containers from software security vulnerabilities? Learn how to do it in the build phase of the SDLC when you register for our June 19 webinar “Enforce Continuous Container Security” with Black Duck by Synopsys and NeuVector.
via Synopsys Software Integrity: Bottom line? “Patching is starting to fail, which means that we’re losing the best mechanism we have for improving software security at exactly the same time that software is gaining autonomy and physical agency,” [says Bruce Schneier].
via The Irish Times: The answer, if it’s a modern car with a big screen and a smartphone link, is probably quite a lot.… Art Dahnert of the cybersecurity firm Synopsys says: “Most vehicles built within the last five years and fitted with an appropriate infotainment unit will be similar in the data that is available. Navigation data can be accessible, and usually the navigation will contain the last origin and destination locations, as well as favourite places if the owner has configured that feature.”
via The New Stack: It’s been 10 weeks since ransomware crippled the network of city workers in Atlanta, and it has almost fully recovered. But after all the news stories about the dangers of anonymous bad actors online, are we ready for next time? If this serves as our new cautionary tale about network security—what have we learned?