Software Integrity Blog


The year in review: 2017 top posts

As we race into 2018, let’s take a moment to look back at the most fascinating topics in open source security and compliance. What were the 2017 top posts?

As we race into 2018 (can you believe it’s February?), let’s take a moment to look back at some of the most fascinating topics in open source security and compliance from the past year. No surprise, the 2017 top posts were dominated by the data breach at Equifax, traced back to the exploit of a known open source vulnerability.

1. Top 4 software development methodologies

Successful projects are managed well. To manage a project efficiently, the manager or dev team must choose the software development method that works best for the project at hand. Each of the many software development methodologies exists for a different reason. I’ve been doing some research to understand why different methodologies exist, and which ones are the most commonly used software development methodologies. Read more.

2. Equifax, Apache Struts & CVE-2017-5638 vulnerability

It’s an all-Equifax-breach, Apache Struts, CVE-2017-5638 issue of Open Source Insight this week as we examine how an unpatched open source flaw and an apparent lack of diligence exposed sensitive data for over 140 million US consumers. We look at what happened, how you can see if you’ve been affected by the breach, and discuss whether you should replace Struts with another framework. Read more.

3. OWASP Top 10: Application security risks

Your chance to contribute to the OWASP Top 10 2016 report expired July 20, 2016. This was a rare opportunity to influence best practices in web operations. The Open Web Application Security Project (OWASP) is a non-profit community of software developers, engineers and freelancers that provides resources and tools for web application security. Every three years, OWASP releases a report on the ten most critical web application security risks. The OWASP Top 10 raises awareness of the challenges organizations face in ensuring web application security in a rapidly changing application security environment. Ahead of the new report, let’s reflect on the Open Web Application Security Project Top 10 from 2013. This is a high-level overview of what each security risk means. Read more.

4. 6 open source DevOps tools you can’t do without

Over the past few years, open source software has made considerable strides towards mainstream adoption, and if the results of the 2015 Future of Open Source Survey are anything to go by, it looks like this might be the year that we finally turn the corner: only 3% of respondents said that they didn’t use any open source software at all, more than two-thirds of respondents said they would consider open source software before purchasing proprietary software, and rates of adoption and engagement with open source software in enterprises are at an all-time high.

5. CVE-2017-5638 Apache Struts 2 vulnerability & more security news

If you’re running an Apache Struts 2 server and haven’t patched for CVE-2017-5638, stop reading right now and do so. Researchers are reporting that exploits of the vulnerability are trivial to carry out, highly reliable and require no authentication. While NIST has only had a placeholder for the Apache Struts 2 vulnerability, Synopsys has been reporting on it to customers who use this component. Our reporting started on Monday the 6th (the same day the patch was released), through our Enhanced Vulnerability Data (EVD) insight embedded into the Black Duck Hub, which provides much deeper analysis than the NVD alone.

6. Rocket.Chat: Enabling privately hosted chat services

This is the eighth year we’ve run the Open Source Rookies of the Year. Each year we review the world of open source and recognize top new projects launched during the past year; be sure to check out the top new projects of 2016. Today, we’re excited to share the story of the Rocket.Chat project. Read more.

7. Did lack of visibility into Apache Struts lead to the Equifax breach?

As most of you are aware, last Friday news broke of a major data breach at Equifax. As one of the major credit reporting agencies, Equifax maintains a vast amount of sensitive personal and financial information for residents of the United States and the United Kingdom, and this breach is reported to have compromised the information of nearly 150 million US and UK citizens. Read more.

8. CVE-2017-5638: Anatomy of the Apache Struts vulnerability

With good reason, a lot of attention has been given to the recent vulnerability in the Struts MVC framework (CVE-2017-5638). Because of its extensive functionality, Struts is a widely used open source component in web applications. However, these same benefits and Struts’ integration with other frameworks can make upgrades and patches challenging. My goal is to help readers understand how an attacker might exploit this Apache Struts vulnerability. Read more.

9. Does machine learning have a future role in cyber security?

According to Google Trends, machine learning has shown a steady (almost threefold) increase in interest since 2015. Coursera and Udacity machine learning courses are both in the top ten related topics. It appears that many people want to learn more about it. If you have ever used Google, Netflix, Amazon, or Gmail, then you have interacted with machine learning (ML). It has become an important component in online retail, recommendation systems, fraud detection and other areas. Open source machine learning and data science tools such as Python’s scikit-learn package are freely available, very powerful and often used to build these systems. Read more.

10. Are SaaS companies immune to open source risk?

The brief answer to the question in my title is “no.” While there’s a grain of truth with respect to the use of GPL-licensed components, SaaS companies are not immune to legal risks. And there are other elements of open source risk to which SaaS companies are actually more exposed than non-SaaS vendors. Read more.
