Software Integrity Blog


SEC and CyberSec risks, GDPR looms, what’s going on with the NVD?

In this week’s open source security and cyber security news: Free software comes with a price. Learn how a PE firm wraps open source due diligence into its tech investing. The SEC provides guidance on public cyber security. The Defense Department (re)launches its open source portal. A look at cyber security through the (virtual) lens of video gaming. What you need to know to be a DPO. And what’s up with the National Vulnerability Database? 

Why pay for something when it’s free? 

via Forbes: People have long thought that OSS is less secure than proprietary software. They point to security bugs such as the OpenSSL vulnerability known as Heartbleed discovered in 2014 that allowed for stealing of protected information. Open source is no more or less secure than proprietary software. The difference is that software vendors can offer security and reliability guarantees. When a problem arises, whether it be security-related or performance-related, commercial vendors provide support for companies using their software. Overall, open source software can offer reliable, innovative technology to companies drawn to the idea of free software.

NorthEdge: Making tech investments with confidence

via Black Duck by Synopsys: Black Duck On-Demand helps private equity firm NorthEdge Capital make tech investments with confidence—alerting the firm to potential legal, operational, and security issues in acquisitions and sales by identifying open source code and third-party components and licenses.

The SEC says companies must disclose more information about cybersecurity risks

via TechCrunch: The guidance was issued as an “interpretive release,” which the SEC uses to publish their views and interpret federal securities laws and SEC regulations. In it, the commission urged companies to develop policies that allow them to quickly assess cybersecurity risks and decide when to tell the public, and also prevent executives, board members and other corporate insiders from trading shares when they have important information that hasn’t been released yet.

Commission statement and guidance on public company cybersecurity disclosures 

via Given the frequency, magnitude and cost of cybersecurity incidents, the Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.

What can we learn from the video game industry’s approach to software security?

via Synopsys Software Integrity blog: The video game market is a $100+ billion industry. Some of the most complex software developed today is for video games, using clients, servers, web components, monetary transfers, social interactions, and virtual markets—with every part needing security. Video games are attractive and lucrative targets for hackers, especially when it comes to cheating and piracy. 

Defense Department (re)launches open source software portal

via Nextgov: The Defense Department launched the website on Tuesday, a new, streamlined portal for its similarly named initiative, a collaborative approach to meeting the government’s open source policy.

The new website was designed to give a more straightforward user experience. The site features a suite of new tools, including checklists and links that offer guidance, and represents “an evolution of the project,” according to Ari Chivukula, policy wrangler for the Defense Digital Service.

Webinar: What will GDPR requirements mean for your security initiative?

via Synopsys Software Integrity blog: Listen as experts Adam Brown of Synopsys and legal expert Dan Hedley of Irwin Mitchell, LLP provide insights into:

  • What GDPR requirements mean for your security initiative
  • How your existing security activities can support compliance
  • Best practices to keep in mind as you look to mature your software security program

Watch the webinar here.

So, you want to be a Data Protection Officer

via Synopsys Software Integrity blog: Coming into the role, the Data Protection Officer (DPO) must have expert knowledge of data protection law and the practices necessary to protect data, because they will be involved with all issues related to protection of personal data. Since often personal data is not (or cannot feasibly be) isolated from non-personal data, the DPO will be involved in the protection of all data in systems that have any personal data.

What’s happening with the National Vulnerability Database?

via Synopsys Software Integrity blog: Since February 2, 910 vulnerabilities have been published in NVD without CVSS scores, far more than usual during such a short period of time. NIST appears to be following a plan that favors providing partial information in earlier disclosure.

That’s a decent trade-off for consumers of NVD, assuming you have sufficient security resources to investigate these vulnerabilities internally. Unfortunately, that’s not usually the case. Security teams are almost always stretched thin. The first filters applied to any vulnerability feed are going to be: a) are my products affected; and b) how severe is the vulnerability. The missing CVSS scores eliminate the ability to apply the latter filter without a considerable amount of work calculating scores.
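As an added illustration (not code from the original post or from Synopsys), here is a small Python triage that applies the two filters above to constructed NVD-style JSON records and keeps matching entries that lack a CVSS score in a separate queue instead of silently dropping them. The vendor/product inventory, the placeholder CVE IDs and CPEs, and the 7.0 score threshold are all assumptions.

```python
import json

# Constructed sample records shaped like NVD JSON 1.1 feed items, trimmed to
# the fields used here; the CVE IDs and CPEs are placeholders, not real data.
SAMPLE_FEED = json.dumps({"CVE_Items": [
    {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0001"}},
     "configurations": {"nodes": [{"cpe_match": [{"vulnerable": True,
         "cpe23Uri": "cpe:2.3:a:acme:widget:1.2:*:*:*:*:*:*:*"}]}]},
     "impact": {"baseMetricV3": {"cvssV3": {"baseScore": 9.8}}}},
    {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0002"}},
     "configurations": {"nodes": [{"cpe_match": [{"vulnerable": True,
         "cpe23Uri": "cpe:2.3:a:acme:widget:*:*:*:*:*:*:*:*"}]}]},
     "impact": {}},  # published without any CVSS score
    {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0003"}},
     "configurations": {"nodes": [{"cpe_match": [{"vulnerable": True,
         "cpe23Uri": "cpe:2.3:a:other:thing:3.0:*:*:*:*:*:*:*"}]}]},
     "impact": {"baseMetricV3": {"cvssV3": {"baseScore": 5.3}}}},
]})

def cpe_matches(cpe23, vendor, product, version):
    """Compare vendor/product/version of a CPE 2.3 URI with an inventory entry;
    '*' in the CPE is a wildcard. Assumes no escaped colons in the URI."""
    parts = cpe23.split(":")
    if len(parts) < 6 or parts[:2] != ["cpe", "2.3"]:
        return False
    return all(p == "*" or p == w for p, w in zip(parts[3:6], (vendor, product, version)))

def cvss_base_score(item):
    """Prefer the CVSS v3 base score, fall back to v2; None if neither is present."""
    impact = item.get("impact", {})
    for metric, key in (("baseMetricV3", "cvssV3"), ("baseMetricV2", "cvssV2")):
        data = impact.get(metric, {}).get(key)
        if data and "baseScore" in data:
            return float(data["baseScore"])
    return None

def triage(feed_json, inventory, min_score=7.0):
    """Filter (a): does a vulnerable CPE match our inventory of (vendor, product,
    version) tuples; filter (b): is the score at or above min_score. Matching
    items with no score go to a manual-scoring queue rather than being dropped."""
    actionable, unscored = [], []
    for item in json.loads(feed_json)["CVE_Items"]:
        cve_id = item["cve"]["CVE_data_meta"]["ID"]
        cpes = [m["cpe23Uri"] for node in item.get("configurations", {}).get("nodes", [])
                for m in node.get("cpe_match", []) if m.get("vulnerable")]
        if not any(cpe_matches(c, *inv) for c in cpes for inv in inventory):
            continue
        score = cvss_base_score(item)
        if score is None:
            unscored.append(cve_id)
        elif score >= min_score:
            actionable.append((cve_id, score))
    return actionable, unscored
```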

Are you ready for GDPR? Read the checklist. 