Open Source Insight: NVD's New Look, Struts Vuln Ransomware & Google Open Source Goodies
1. Open Source Insight: NVD's New Look, Struts Vuln Ransomware & Google Open Source Goodies
By Fred Bals, Senior Content Writer & Editor
2. NIST redesigned the National Vulnerability Database with a much-needed, modernized look-and-feel — including a scrolling list of the latest scored vulnerabilities and a “visualization” section designed to provide different ways to look at the data.
First impression? While some kinks still need to be worked out (the site loads very slowly), it’s going to be much easier to find vulnerability and mitigation information in the NVD than in the past.
This Week’s Key Takeaways
3. More Open Source News
Other open source security and cybersecurity stories include:
• Attackers targeted developers on GitHub with Dimnie
• New mutations in attacks targeting Apache Struts2
• Google put its open source in one easy-to-find place
• Safeguard your software with Jenkins plug-ins
• Five ways to keep open source-based apps secure
• Pain and confusion with open source licenses
• Top four software development methodologies
4. For the past few months, developers who publish their code on GitHub have been targeted in an attack campaign that uses a little-known but potent cyberespionage malware, reports PCWorld.
Sophisticated Malware Attack
5. Open Source Developers Targeted in Sophisticated Malware Attack
Emails crafted to attract the attention of developers had .gz attachments that contained Word documents with malicious macro code attached. If allowed to execute, the macro code executed a PowerShell script that reached out to a remote server and downloaded a malware program known as Dimnie.
6. via SC Magazine UK: F5 Networks' researchers witnessed a campaign targeting the Apache Struts2 vulnerability pivot on 20 March and start delivering Cerber ransomware to servers. Cerber ransomware encrypts the files of its victims and charges them bitcoin to decrypt and regain access to them.
It is apparently popular on Russian Underground forums and Malwarebytes called it “pretty powerful ransomware written with attention to detail.” The company touted its “rich customization options and various tricks to make analysis harder.”
Cerber for Servers: Apache Struts2 Campaign Targets Servers with Ransomware
7. Google Presents its Open Source Goodies to the World
via ZDNet: In a blog post, Will Norris, a software engineer at Google's Open Source Programs Office, wrote: "Free and open-source software has been part of our technical and organizational foundation since Google's early beginnings. From servers running the Linux kernel to an internal culture of being able to patch any other team's code, open source is part of everything we do. In return, we've released millions of lines of open-source code, run programs like Google Summer of Code and Google Code-in, and sponsor open-source projects and communities through organizations like Software Freedom Conservancy, the Apache Software Foundation, and many others."
8. Google Presents its Open Source Goodies to the World
And now, 18 years after Google was founded, Google has launched opensource.google.com. This site "ties together all of our initiatives with information on how we use, release, and support open source."
9. Jenkins Users Can Shore Up Software Security with Plugins
In an in-depth InfoWorld article, Fahmida Rashid looks at how you can safeguard the software you develop from the start with Jenkins plug-ins and integrations that automate security testing.
For example, a Black Duck Hub plugin for Jenkins helps identify known vulnerabilities in open source components, set up open source security policies, identify license issues, and detect modified open source components.
10. Open source is used in numerous applications in all industries by organizations of all sizes. The reasons are straightforward: Using open source lowers development costs, speeds time to market, and accelerates innovation. More than 80 percent of all cyberattacks specifically target applications. The combination of these two facts—applications are the #1 target of cyberattacks and open source is the foundation of most of today’s application code—leads to the inevitable conclusion that open-source vulnerabilities are one of the biggest risks to application security.
5 Ways to Keep Open Source Based Apps Secure
11. 5 Ways to Keep Open Source Based Apps Secure
Black Duck vice president of security strategy, Mike Pittenger, shares tips and best practices you can take now to manage open-source risks in TechBeacon.
12. Pain and Confusion with Open Source Licenses
Phil Odence, Black Duck vice president and general manager, shares his thoughts on Kyle Mitchell’s blog, Open Source License Business Perception Report.
“[Kyle] rates a list of popular licenses along two dimensions: Pain - how inconvenient they are to use; and Confusion - uncertainty in the meaning of their terms. He also includes some concise ‘Key Points’ about each. And, conveniently, he provided a link to the text of each license in the SPDX License List. (Kyle is an active contributor to the SPDX Legal Team.) The framework provides an interesting way to think about licenses and as input to developing an open source use policy or selecting a license for a project.”
13. Top 4 Software Development Methodologies
In order to manage a project efficiently, the manager or dev team must choose which software development method works best for the project at hand. All of the numerous software development methodologies that exist are used for different reasons. Black Duck intern Tyler Hubbell has done some research to understand why different methodologies exist, and which ones are the most commonly used software development methodologies.
14. Subscribe
Stay up to date on open source security and cybersecurity – subscribe to our blog today.