Posted by Haidee LeClair on Friday, February 2nd, 2018
This week in Open Source Insight, we examine blockchain security and the cryptocurrency boom. Plus, take an in-depth look at open source software in tech contracts with a legal expert from Tech Contracts Academy, Adobe Flash Player continues to be a security concern, the Open Source Initiative turns 20, and step-by-step instructions for migrating to Docker on Black Duck Hub. Cyber security and security breach news also dominates this week, as Synopsys examines security breaches in 2017 and how they could have been prevented.
Read on for more cyber security and open source security news:
via Synopsys Software Integrity blog: For the millions who have invested (or are considering investing) in cryptocurrencies such as Bitcoin, Litecoin, Ethereum, and the ever-growing list of alt-coins, little has been mentioned about the software and the infrastructure on which these cryptocurrencies are based. With all early adoption of technology, there is risk, so there’s a natural inclination to question the security of blockchain and the potential for cyber attack against it.
via Tech Contracts Academy: Contract drafters rarely understand open source software (OSS). They see it as a threat, so when they’re buying software, they try to exclude OSS from their vendors’ products. In most cases, the concern is misplaced. Software licensees may have good reason to worry about copyleft software, which is one type of OSS. But other open source software poses no real threat. Plus, even copyleft should cause far less concern than it often does. And most standard contracts already have IP terms that address copyleft pretty well.
via Threatpost: According to the South Korean Computer Emergency Response Team (KR-CERT), the zero-day is believed to be a Flash SWF file embedded in MS Word documents. Impacted is Adobe’s most recent Flash Player 188.8.131.52 and earlier… Adobe released a security advisory on Thursday acknowledging the vulnerability and attacks.
via ADT Mag: Also, as part of the celebration, the OSI is launching OpenSource.Net, which will serve both as a community of practice and a mentorship program. “The goal is to further promote adoption of open source software over the next twenty years as issues shift from open source’s viability/value to issues around implementation and authentic participation,” the Web site reads.
via Synopsys Software Integrity blog (Charlie Klein): Before Synopsys began leveraging Docker, customers utilized the App Manager Install Method to deploy the Hub. The Hub now deploys as a set of containers, so customers need to install Docker to take advantage of updates to the application. By the end of this guide, you’ll have a basic understanding of how to migrate the Hub to a containerized environment, as well as the benefits of using containers.
via App Developer Magazine: The answer to the “why” enterprises need a software security program question is pretty straightforward. There are no circumstances under which any but the smallest firms can expect a collection of independent activities – a pen test here, an hour of training there, some free tools that may or may not work as advertised – will consistently result in appropriately secure software.
via Synopsys Software Integrity blog: Whatever the actual count, the trend is the same—a major increase in breaches year after year. While that is offset a bit by a bit of good news – the Ponemon Institute’s finding that the average cost of a data breach incident worldwide in 2017 declined to $3.62 million, or by 10% from 2016, the United States bucked the trend, with a 5% increase to $7.35 million that put it at about double the worldwide average.
via IoT Now Transport (Mike Pittenger): According to research conducted by Synopsys’ Center for Open Source Research & Innovation, 23% of the code in the average automotive application is open source. Open source enters in-vehicle applications through a variety of paths. Automobile manufacturers rely on a wide range of component and application suppliers, who build solutions with open source components and extend open source platforms.
via The Hill: As you prepare your taxes this year, think of Equifax. Why? If you were one of the 145 million Americans who had their personal information breached at Equifax last year, you could become a victim of tax fraud.
After the breach, there were a flurry of articles advising people to place credit freezes on their accounts and set up fraud alerts at each of the credit bureaus. This is good advice, but it does not prevent scammers from filing with the IRS using your Social Security Number and requesting fraudulent tax returns in your name. All you can do to protect yourself from tax identity theft is file as early as possible, so identity thieves don’t file before you do.
via Synopsys Software Integrity blog: Where does software security really fit into your firm? We recently decided to conduct a study to find out. Gathering data in a series of in-person interviews with 25 chief information security officers (CISOs), our aim was to understand their strategies and approaches. The 2018 CISO Report presents the research findings.
via Informatik Aktuell (Tim Mackey): Container technologies are the next step in moving from physical, single-use computing resources to more efficient, multi-tenant virtual infrastructures that can run in legacy IT environments and in the cloud. Among other benefits, containers are ideal for continuous integration and continuous delivery environments designed to accelerate development and further optimize the path between development and production environments.
Get the latest AppSec news and trends sent directly to you.