As the number of open source components used in software supply chains shoots up, hackers are going along for the ride. Threat actors increasingly plant bad code in open-source repositories, hoping to harvest the flaws later when those components are used in larger banking, manufacturing and healthcare DevOps projects.
Sonatype’s 2018 State of the Software Supply Chain Report reveals that of the more than 300 billion open source components downloaded in the past year, one in eight has known security vulnerabilities. Sonatype also found that open source vulnerabilities increased 120 percent year over year.
Read more about the findings of the Sonatype report on Threatpost.
A new report into the state of enterprise security suggests that the majority of codebases in use contain known vulnerabilities due to the use of open-source components. Synopsys has released the Black Duck by Synopsys 2018 Open Source Security and Risk Analysis (OSSRA) report, which found that open-source adoption is on the rise in the enterprise — but security controls have not necessarily matched the pace.
Open-source project, software, and library adoption has become a common theme in the enterprise. Open-source systems can save a vast amount of time and money for developers and businesses alike. However, because open-source developers give away their time for free, bugs may sometimes escape the net and cause chaos further down the line unless users and staff are aware of the components in use and maintain regular security checks.
Read more about the findings of the new report by Synopsys on ZDNet.
Everyone uses open source. It’s found in around 95 per cent of applications and it’s easy to understand why. Open source’s value in reducing development costs, in freeing internal developers to work on higher-order tasks, and in accelerating time to market is undeniable.
Read Mike Pittenger’s seven open source cyber security predictions for 2017 on IT Pro Portal.
Watch out for vulnerable open-source components hidden in commercial applications, a security firm warns.
The security of open-source components is a blind spot that’s leaving businesses exposed to dozens of very old bugs, security firm Black Duck Software contends in a new report, based on open-source security work it’s conducted.
Read more on ZDNet about the new report by Black Duck Software, which reveals that most commercial apps are riddled with bugs, leaving the companies that use them vulnerable to cyber attacks.
Instead of developing their own hacking tools or buying them from third parties, threat groups have increasingly turned their attention to open source security tools, Kaspersky Lab reported on Wednesday.
Read more on Security Week about the new report by Kaspersky Lab, which reveals that cyber criminals are abusing open source security tools.
Companies often have little clue about the extent of third-party code in the enterprise or the risks it poses, security experts say. The data breaches disclosed earlier this month at Park ‘N Fly and OneStopParking.com, two major airport parking services, highlight the continuing risk that enterprises face from using open-source software in their environments without a plan for managing it.
Both Park ‘N Fly and OneStopParking.com were victimized by a security vulnerability in the Joomla open-source content management platform for which a patch had been issued last September, but which neither company had apparently installed.
Read more about how open sourcing increases security risks for enterprises on Dark Reading.
Business continuity and control eclipse cost savings as the top reasons why U.S. IT professionals prefer open source to proprietary software. According to a Ponemon Institute study, more than 70 percent of IT professionals in the U.S. agree that commercial open source software provides more control and ensures better business continuity than proprietary software.
This research shows that cost savings are no longer the hallmark of open source in the minds of IT professionals, with the ability to lower costs ranking below quality in importance. This viewpoint is echoed by IT and IT security practitioners in Europe, the Middle East and Africa. Findings from the survey, which was conducted in the U.S. as well as in 18 EMEA countries, show that 67 percent of IT professionals in EMEA agree with their American counterparts that commercial open source outperforms proprietary software when it comes to business continuity. However, IT practitioners in the U.S. and EMEA disagree on the security and privacy risks associated with collaboration and messaging platforms, both open source and proprietary.
Throughout the study, there is evidence that EMEA organizations are more concerned with the privacy consequences of messaging and collaboration; U.S. organizations focus more on security.
Read more about the Ponemon Institute’s latest study on U.S. IT professionals on Help Net Security.
Microsoft open sourced the full server-side .NET stack and expanded .NET to run on the Linux and Mac OS platforms. The company also released Visual Studio Community 2013, a new free edition of Visual Studio that provides easy access to the Visual Studio core toolset.
Delivering on its promise to support cross-platform development, Microsoft is providing the full .NET server stack in open source, including ASP.NET, the .NET compiler, the .NET Core Runtime, Framework and Libraries, enabling developers to build with .NET across Windows, Mac or Linux.
Through this implementation, Microsoft will work closely with the open source community, taking contributions for future improvements to .NET and will work through the .NET Foundation.
“Today’s open source announcement means that developers will have a fully supported, fully open source, fully cross platform .NET stack for creating server and cloud applications – including everything from the C#/VB compilers, to the CLR runtime, to the core .NET base class libraries, to the higher-level .NET Web, Data and API frameworks,” explained Scott Guthrie, Executive VP of the Cloud and Enterprise group in Microsoft.
Read more about Microsoft’s decision to open up and open source the .NET server stack on Help Net Security.