Open Source Insight: GDPR Best Practices, Struts RCE Vulns, SAST, DAST & Equifax
1. Open Source Insight: GDPR Best Practices, Struts RCE Vulns, SAST, DAST & Equifax
By Fred Bals | Senior Content Writer/Editor
2. Cybersecurity News This Week
COSRI research director Chris Fearon makes the case that Equifax was either unaware of or slow to respond to reports of known critical vulnerabilities in its systems and, as a result, had not upgraded to the fixed versions that were already available. That opinion was later borne out by Congressional hearings into the breach, as Fred Bals relates in his blog on whether SAST and DAST fell down on the job for Equifax. Black Duck VP and General Counsel Matt Jacobs partners with Irwin Mitchell's Dan Headley to review what GDPR will mean for open source code. Is open source more dangerous than Windows? And Larry Ellison claims Oracle could have saved Equifax from much heartache in this week's open source security and cybersecurity news wrap.
3. Open Source News
• How Do We Reconcile the Open Source Security Risk With GDPR Best Practice?
• Examining Apache RCE Vulns
• The Next Step in Modernization
• The Attack of the Car Wash System and Other Menacing Stories of the Internet of Things
• Step Aside, Windows! Open Source and Linux Are IT's New Security Headache
4. More Open Source News
• Did SAST and DAST Fail Equifax?
• Ellison Claims Oracle Software Could Have Prevented Equifax Hack
• BigchainDB Brings Scalable Database Technology to Blockchains
• Russian Intelligence Reportedly Breached the NSA in 2015, Stealing Cybersecurity Strategy
• FICO-Like Cybersecurity Scores Are Imminent: What Do They Mean For Your Business?
• Exception Based Review Process – Less Is More!
5. How Do We Reconcile the Open Source Security Risk With GDPR Best Practice?
via SC Media: GDPR is a top-to-bottom reform of European data privacy law and deals with a much wider range of topics than information security. Nevertheless, security is a key element of GDPR's overall policy objective of promoting transparency, accountability and trust in organisations which deal with people's data, and its security provisions are a critical part of achieving that objective...
6. Examining Apache RCE Vulns
via Black Duck blog (Christopher Fearon): The timeline of related events makes it clear that fixed versions of Struts were available at or before the security advisories were published, and that known exploits were not available in the wild beforehand. The timeline also bears witness to Apache's assertions of consistent good practice and tells us that the attack was likely to be a product of poor security practices on the part of Equifax.
7. The Next Step in Modernization
via IBM Systems Magazine: Modernization has evolved from a buzzword to an imperative for any business that wishes to stay competitive. New computer hardware and enhanced internet interconnectivity don't simply offer greater power and faster speeds, they allow for new possibilities. It's in this environment — which includes the Internet of Things (IoT) — where open-source databases (OSDBs) are increasingly relied upon.
8. The Attack of the Car Wash System and Other Menacing Stories of the Internet of Things
via Industry of Things (Germany): Safe software is a short-lived concept. What is considered safe today can change overnight when new vulnerabilities are discovered and disclosed. The older the code, the higher the probability that vulnerabilities will be revealed.
9. Step Aside, Windows! Open Source and Linux Are IT's New Security Headache
via ComputerWorld: The Equifax breach is the latest example of attackers targeting open-source software in the enterprise.
10. Did SAST and DAST Fail Equifax?
via Black Duck blog (Fred Bals): [Equifax] hasn't elaborated so far on what was used to "scan" the Equifax systems, but given its failure to identify a known open source vulnerability, one could assume that it wasn't a dedicated open source vulnerability management solution (or if it was, Equifax should seriously consider asking for its money back). It's more likely that Equifax was using some combination of traditional SAST and DAST tools to protect itself.
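To make the distinction in that post, and in Fearon's timeline argument above, concrete: the following is an added example, not code from the Black Duck blog or from Equifax, of the component-version check that a software composition analysis (SCA) tool performs and that SAST (which reads the application's own source) and DAST (which probes the running application) do not. It parses a Maven pom.xml, resolves a version supplied through a Maven property, and compares each dependency's version against an advisory table. The pom.xml and the advisory entries for org.apache.struts:struts2-core are constructed for illustration only; the version ranges are not the real Struts advisory data, and a real check would load them from a vulnerability database.

```python
"""Minimal SCA-style dependency check (added example; constructed data).

Matches resolved Maven dependency versions against advisory version ranges.
Neither SAST nor DAST performs this match, which is why a known vulnerable
component version can sail through both.
"""
import re
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed advisory table (NOT real Struts advisory data):
# coordinate -> list of (affected_min, affected_max_inclusive, fixed_in)
ADVISORIES = {
    "org.apache.struts:struts2-core": [
        ("2.3.5", "2.3.31", "2.3.32"),
        ("2.5", "2.5.10", "2.5.10.1"),
    ],
}

# Constructed sample manifest; the Struts version comes via a property,
# which is common in real projects and trips up naive grep-based checks.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <struts.version>2.3.30</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>2.9.1</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(v):
    """'2.5.10.1' -> (2, 5, 10, 1); parsing stops at the first non-numeric
    component, so '1.0-beta2' -> (1, 0). Tuple comparison then orders
    2.5.10.1 after 2.5.10, as Maven does for these simple cases."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def resolve(value, props):
    """Substitute ${name} references from <properties>; unknown names stay."""
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: props.get(m.group(1), m.group(0)), value or "")


def dependencies(pom_xml):
    """Return [(groupId:artifactId, resolved version)] from a pom.xml string."""
    root = ET.fromstring(pom_xml)
    props = {p.tag[len(POM_NS):]: (p.text or "").strip()
             for p in root.findall(f"{POM_NS}properties/*")}
    deps = []
    for d in root.findall(f"{POM_NS}dependencies/{POM_NS}dependency"):
        coord = f"{d.findtext(f'{POM_NS}groupId')}:{d.findtext(f'{POM_NS}artifactId')}"
        deps.append((coord, resolve(d.findtext(f"{POM_NS}version"), props).strip()))
    return deps


def is_affected(coord, version, advisories=ADVISORIES):
    """True if version falls inside any affected range for the coordinate."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi, _ in advisories.get(coord, []))


def check(pom_xml, advisories=ADVISORIES):
    """Return (findings, unresolved). A dependency whose version could not be
    resolved (inherited from a parent or dependencyManagement) is reported
    separately rather than silently passed, since silence is how these
    checks fail in practice."""
    findings, unresolved = [], []
    for coord, ver in dependencies(pom_xml):
        if not ver or "${" in ver:
            unresolved.append(coord)
            continue
        for lo, hi, fixed in advisories.get(coord, []):
            if parse_version(lo) <= parse_version(ver) <= parse_version(hi):
                findings.append({"coordinate": coord, "version": ver, "fixed_in": fixed})
    return findings, unresolved


if __name__ == "__main__":
    found, missing = check(SAMPLE_POM)
    for f in found:
        print(f"{f['coordinate']} {f['version']} is in an affected range; fixed in {f['fixed_in']}")
    for c in missing:
        print(f"{c}: version not resolvable from this pom, check parent/dependencyManagement")
```

Run against the constructed pom, the check flags struts2-core 2.3.30 and names the fixed version, which is exactly the information Fearon's timeline says was public before the breach; jackson-databind passes because the constructed table has no entry for it, not because it was inspected. Real tools also walk transitive dependencies and parent POMs, which this example does not.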
11. Ellison Claims Oracle Software Could Have Prevented Equifax Hack
via Market Watch: The massive data breach at Equifax Inc. could have been prevented with Oracle Corp.'s automated databases, Larry Ellison claimed Tuesday, using the credit-reporting company's woes as a selling point for Oracle's new product.
12. BigchainDB Brings Scalable Database Technology to Blockchains
via Black Duck blog (interview with Masha McConaghy, Founder & CMO of BigchainDB): For nine years, the Black Duck Open Source Rookies of the Year awards have recognized some of the most innovative and influential open source projects launched during the previous year. We sat down with Founder and CMO Masha McConaghy to hear the exciting story of one of this year's rookies: BigchainDB.
13. Russian Intelligence Reportedly Breached the NSA in 2015, Stealing Cybersecurity Strategy
via Techcrunch: The NSA suffered a serious breach in 2015, exposing the agency's cyberwarfare strategy, including its own defenses and methods of attacking foreign networks, reports The Wall Street Journal today. Russian intelligence is said to be behind the attack, and software from Russia-based Kaspersky Labs is suggested to have been their vector.
14. FICO-Like Cybersecurity Scores Are Imminent: What Do They Mean For Your Business?
via Forbes: What if we started using a unified rating system for evaluating cybersecurity like we do in all other aspects of business? That system is already underway.
15. Exception Based Review Process – Less Is More!
via Black Duck blog (Hal Hearst): In my previous post I wrote about how the changing situation around open source management has pushed the need for an exception based review process for open source. In my opinion, it's the only process that really works. And by "works," I mean scales across a large enterprise in which the use of open source is common. Exception based is a key element in the "fast & simple" approach.
16. Subscribe
Stay up to date on open source security and cybersecurity – subscribe to our blog today.