Open Source Insight: NVD's New Look, Struts Vuln Ransomware & Google Open Source Goodies By Fred Bals, Senior Content Writer & Editor

Upload: black-duck-software

Post on 16-Apr-2017


Page 1: Open Source Insight:  NVD's New Look, Struts Vuln Ransomware & Google Open Source Goodies


NIST redesigned the National Vulnerability Database with a much-needed, modernized look-and-feel — including a scrolling list of the latest scored vulnerabilities and a “visualization” section designed to provide different ways to look at the data.

First impression? While some kinks still need to be worked out (the site loads very slowly), it’s going to be much easier to find vulnerability and mitigation information in the NVD than in the past.

This Week’s Key Takeaways


More Open Source News

Other open source security and cybersecurity stories include:

• Attackers targeted developers on GitHub with Dimnie
• New mutations in attacks targeting Apache Struts2
• Google put its open source in one easy-to-find place
• Safeguard your software with Jenkins plug-ins
• Five ways to keep open source-based apps secure
• Pain and confusion with open source licenses
• Top four software development methodologies


Open Source Developers Targeted in Sophisticated Malware Attack

For the past few months, developers who publish their code on GitHub have been targeted in an attack campaign that uses a little-known but potent cyberespionage malware, reports PCWorld.

Emails crafted to attract the attention of developers carried .gz attachments containing Word documents with malicious macro code. If allowed to execute, the macro ran a PowerShell script that reached out to a remote server and downloaded a malware program known as Dimnie.


Cerber for Servers: Apache Struts2 Campaign Targets Servers with Ransomware

via SC Magazine UK: F5 Networks' researchers witnessed a campaign targeting the Apache Struts2 vulnerability pivot on 20 March and start delivering Cerber ransomware to servers. Cerber ransomware encrypts the files of its victims and charges them bitcoin to decrypt and regain access to them. It is apparently popular on Russian underground forums, and Malwarebytes called it “pretty powerful ransomware written with attention to detail,” noting its “rich customization options and various tricks to make analysis harder.”


Google Presents its Open Source Goodies to the World

via ZDnet: In a blog post, Will Norris, a software engineer at Google's Open Source Programs Office, wrote: "Free and open-source software has been part of our technical and organizational foundation since Google's early beginnings. From servers running the Linux kernel to an internal culture of being able to patch any other team's code, open source is part of everything we do. In return, we've released millions of lines of open-source code, run programs like Google Summer of Code and Google Code-in, and sponsor open-source projects and communities through organizations like Software Freedom Conservancy, the Apache Software Foundation, and many others."

And now, 18 years after Google was founded, Google has launched opensource.google.com. This site "ties together all of our initiatives with information on how we use, release, and support open source."


Jenkins Users Can Shore Up Software Security with Plugins

In an in-depth InfoWorld article, Fahmida Rashid looks at how you can safeguard the software you develop from the start with Jenkins plug-ins and integrations that automate security testing.

For example, a Black Duck Hub plugin for Jenkins helps identify known vulnerabilities in open source components, set up open source security policies, identify license issues, and detect modified open source components.

5 Ways to Keep Open Source Based Apps Secure

Open source is used in numerous applications in all industries by organizations of all sizes. The reasons are straightforward: using open source lowers development costs, speeds time to market, and accelerates innovation. More than 80 percent of all cyberattacks specifically target applications. The combination of these two facts—applications are the #1 target of cyberattacks and open source is the foundation of most of today’s application code—leads to the inevitable conclusion that open-source vulnerabilities are one of the biggest risks to application security.


Black Duck vice president of security strategy, Mike Pittenger, shares tips and best practices you can take now to manage open-source risks in TechBeacon.

Pain and Confusion with Open Source Licenses

Phil Odence, Black Duck vice president and general manager, shares his thoughts on Kyle Mitchell’s blog post, Open Source License Business Perception Report.

“[Kyle] rates a list of popular licenses along two dimensions: Pain - how inconvenient they are to use; and Confusion - uncertainty in the meaning of their terms. He also includes some concise ‘Key Points’ about each. And, conveniently, he provided a link to the text of each license in the SPDX License List. (Kyle is an active contributor to the SPDX Legal Team.) The framework provides an interesting way to think about licenses and as input to developing an open source use policy or selecting a license for a project.”


Top 4 Software Development Methodologies

To manage a project efficiently, the manager or dev team must choose the software development method that works best for the project at hand. The many software development methodologies that exist are each used for different reasons. Black Duck intern Tyler Hubbell has researched why different methodologies exist and which ones are the most commonly used.


Subscribe

Stay up to date on open source security and cybersecurity – subscribe to our blog today.
