Open Source Insight: GDPR Best Practices, Struts RCE Vulns, SAST, DAST & Equifax
Download as PPTX, PDF1 like405 views
The document discusses critical vulnerabilities in Equifax's systems and the company’s failure to update to safer software versions, as well as the implications of GDPR on open-source security. It highlights opinions from cybersecurity experts on whether static and dynamic application security testing tools failed Equifax, and mentions potential security risks associated with open-source software. The evolving landscape of cybersecurity and modernization is also addressed, including the benefits of new database technologies and the necessity of adapting to emerging threats.
![Did SAST and DAST Fail Equifax?
via Black Duck blog (Fred Bals): [Equifax] hasn’t elaborated so
far on what was used to “scan” the Equifax systems, but given its
failure to identify a known open source vulnerability, one could
assume that it wasn’t a dedicated open source vulnerability
management solution (or if it was, Equifax should seriously
consider asking for its money back). It’s more likely that Equifax
was using some combination of traditional SAST and DAST tools
to protect itself.](https://image.slidesharecdn.com/opensourceinsightoctober6-171006205742/85/Open-Source-Insight-GDPR-Best-Practices-Struts-RCE-Vulns-SAST-DAST-Equifax-10-320.jpg)
Open Source Insight: GDPR Best Practices, Struts RCE Vulns, SAST, DAST & Equifax
- 1. Open Source Insight: GDPR Best Practices, Struts RCE Vulns, SAST, DAST & Equifax By Fred Bals | Senior Content Writer/Editor
- 2. Cybersecurity News This Week COSRI research director Chris Fearon makes the case that Equifax was either unaware of or slow to respond to reports of known critical vulnerabilities in their system, and as a result had not upgraded to safer versions. That opinion was later proven out by Congressional hearings into the breach, as Fred Bals relates in his blog on whether SAST and DAST fell down on the job for Equifax. Black Duck VP and General Counsel, Matt Jacobs partners with Irwin Mitchell’s Dan Headley to review what GDPR will mean for open source code. Is open source more dangerous than Windows? And Larry Ellison claims Oracle could have saved Equifax from much heartache in this week’s open source security and cybersecurity news wrap.
- 3. • How Do We Reconcile the Open Source Security Risk With GDPR Best Practice? • Examining Apache SCE Vulns • The Next Step in Modernization • The Attack of the Car Wash System and Other Menacing Stories of the Internet of Things • Step Aside, Windows! Open Source and Linux Are IT’s New Security Headache Open Source News
- 4. More Open Source News • Did SAST and DAST Fail Equifax? • Ellison Claims Oracle Software Could Have Prevented Equifax Hack • BigchainDB Brings Scalable Database Technology to Blockchains • Russian Intelligence Reportedly Breached the NSA in 2015, Stealing Cybersecurity Strategy • FICO-Like Cybersecurity Scores Are Imminent: What Do They Mean For Your Business? • Exception Based Review Process – Less Is More!
- 5. via SC Media: GDPR is a top-to-bottom reform of European data privacy law and deals with a much wider range of topics than information security. Nevertheless, security is a key element of GDPR's overall policy objective of promoting transparency, accountability and trust in organisations which deal with people's data, and its security provisions are a critical part of achieving that objective... How Do We Reconcile the Open Source Security Risk With GDPR Best Practice?
- 6. Examining Apache SCE Vulns via Black Duck blog (Christopher Fearon): The timeline of related events makes it clear that fixed versions of Struts were available at or before the security advisories were published, and that known exploits were not available in the wild beforehand. The timeline also bears witness to Apache's assertions of consistent good practise and tells us that the attack was likely to be a product of poor security practises on the part of Equifax.
- 7. via IBM Systems Magazine: Modernization has evolved from a buzzword to an imperative for any business that wishes to stay competitive. New computer hardware and enhanced internet interconnectivity don’t simply offer greater power and faster speeds, they allow for new possibilities. It’s in this environment — which includes the Internet of Things (IoT) — where open-source databases (OSDBs) are increasingly relied upon. The Next Step in Modernization
- 8. The Attack of the Car Wash System and Other Menacing Stories of the Internet of Things via Industry of Things (Germany): Safe software is a short-lived concept. What is considered safe today can change overnight when new vulnerabilities are discovered and disclosed. The older the code, the higher the probability that vulnerabilities will be revealed.
- 9. via ComputerWorld: The Equifax breach is the latest example of attackers targeting open- source software in the enterprise. Step Aside, Windows! Open Source and Linux Are IT’s New Security Headache
- 10. Did SAST and DAST Fail Equifax? via Black Duck blog (Fred Bals): [Equifax] hasn’t elaborated so far on what was used to “scan” the Equifax systems, but given its failure to identify a known open source vulnerability, one could assume that it wasn’t a dedicated open source vulnerability management solution (or if it was, Equifax should seriously consider asking for its money back). It’s more likely that Equifax was using some combination of traditional SAST and DAST tools to protect itself.
- 11. via Market Watch: The massive data breach at Equifax Inc. could have been prevented with Oracle Corp.’s automated databases, Larry Ellison claimed Tuesday, using the credit-reporting company’s woes as a selling point for Oracle’s new product. Ellison Claims Oracle Software Could Have Prevented Equifax Hack
- 12. BigchainDB Brings Scalable Database Technology to Blockchains via Black Duck blog (Masha McConaghy | Founder & CMO of BigchainDB): For nine years, the Black Duck Open Source Rookies of the Year awards have recognized some of the most innovative and influential open source projects launched during the previous year. We sat down with Founder and CMO Masha McConaghy to hear the exciting story of one of this year's rookies: BigchainDB.
- 13. via Techcrunch: The NSA suffered a serious breach in 2015, exposing the agency’s cyberwarfare strategy, including its own defenses and methods of attacking foreign networks, reports The Wall Street Journal today. Russian intelligence is said to be behind the attack, and software from Russia- based Kaspersky labs is suggested to have been their vector. Russian Intelligence Reportedly Breached the NSA in 2015, Stealing Cybersecurity Strategy
- 14. FICO-Like Cybersecurity Scores Are Imminent: What Do They Mean For Your Business? via Forbes: what if we started using a unified rating system for evaluating cybersecurity like we do in all other aspects of business? That system is already underway.
- 15. via Black Duck blog (Hal Hearst): In my previous post I wrote about how the changing situation around open source management has pushed the need for an exception based review process for open source. In my opinion, it's the only process that really works. And by “works,” I mean scales across a large enterprise in which the use of open source is common. Exception based is a key element in the “fast & simple” approach. Exception Based Review Process – Less Is More!
- 16. Subscribe Stay up to date on open source security and cybersecurity – subscribe to our blog today.