It’s an acronym-filled issue of Open Source Insight, as we look at the question of SCA (software composition analysis) and how it fits into the DevOps environment. The DHS (Department of Homeland Security) has concerning security gaps, according to its OIG (Office of Inspector General). Can the CVE (Common Vulnerabilities and Exposures) gap be closed? The GDPR (General Data Protection Regulation) is bearing down on us like a freight train, and it’s past time to include open source security into your GDPR plans.
Plus, an intro to the Open Hub community, looking at security for blockchain apps, and best practices for open source security in container environments are all featured in this week’s cybersecurity and open source security news.
Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for GDPR, CVE Gap
By Fred Bals, Senior Content Strategist
Cybersecurity News This Week
Open Source News Stories
• How Can Blockchain Applications Adapt and Adopt Software Security Best Practices?
• Building Open Source Security into DevOps
• Getting to Know the Open Hub Community
• DHS IT Systems Missing Security Patches for 'Critical' Vulnerabilities
• Evaluation of DHS’ Information Security Program for FY 2017
• Closing the CVE Gap Still a Work in Progress
• Securing Open Source Leading up to GDPR Enforcement
• Achieving Open Source Security in Container Environments
• Partner Spotlight: Black Duck by Synopsys
• Enhanced Legal Tab in Black Duck Audit Reports
How Can Blockchain Applications Adapt and Adopt Software Security Best Practices?
via Synopsys Software Integrity blog: Though blockchain-native software is in its infancy, the technology races forward to meet more and more use cases. But the community doesn’t seem to have taken software security principles seriously, as we can see from the recent scan of Ethereum smart contracts that identified 34,200 vulnerable contracts.
Building Open Source Security into DevOps
via InfoSecurity: Is SCA compatible with DevOps? The answer is: absolutely, yes, writes Black Duck by Synopsys Technology Evangelist Tim Mackey, but only if the SCA tools provide the ability to integrate open source management throughout your DevOps environment, from IDE through to runtime platform. Having this flexibility is critical, as it allows you to tailor your DevOps environment to your needs rather than to a rigid vendor-centric framework.
Getting to Know the Open Hub Community
via Black Duck blog: The Black Duck Open Hub is the premier source for research and comparisons of open source software components. The majority of visitors have an active, contributory role in open source. Visitors come to look at their own open source software contributions, to research and compare open source software projects, and to learn more about open source contributors.
DHS IT Systems Missing Security Patches for 'Critical' Vulnerabilities
via Tech Republic: Some IT systems of the US Department of Homeland Security (DHS) used unsupported operating systems and missed key security patches to protect against "critical" and "high-risk" vulnerabilities, according to a recent report from the department's Office of Inspector General (OIG).
Evaluation of DHS’ Information Security Program for FY 2017
via DHS OIG: DHS did not implement all configuration settings required to protect component systems, continued using unsupported operating systems, and did not apply security patches in a timely manner to mitigate critical and high-risk security vulnerabilities on selected systems. DHS also did not monitor software licenses for unclassified systems and relied on data calls to monitor national security systems as part of its continuous monitoring process.
Closing the CVE Gap Still a Work in Progress
via Synopsys Software Integrity blog: Chris Fearon, manager of research engineering at Black Duck by Synopsys, said it is tough for any organization to keep up with the explosive growth of vulnerabilities. “With increased adoption of open source software, the OSS landscape has become a target-rich landscape for attackers,” he said.
Securing Open Source Leading up to GDPR Enforcement
via Bob’s Guide: Open source continues to transform how we architect software solutions in every industry, writes Black Duck by Synopsys General Counsel Matt Jacobs. Black Duck’s 2017 Open Source Security and Risk Analysis of over 1000 commercial applications revealed that 96% of applications scanned utilized open source. While the rate of open source reuse has been steadily climbing over the decades, policies, procedures, and safeguards for the responsible use of open source have lagged. This manifests in developers failing to use open source in compliance with the myriad of license types governing use of that code, and in their reuse of open source code without appreciation for, or the ability to track and remediate, known or later discovered security vulnerabilities in that code. Of the applications scanned in Black Duck’s 2017 survey, 67% contained known open source vulnerabilities, with 52% of those rated as severe.
Achieving Open Source Security in Container Environments
via Black Duck blog: Recently Black Duck launched OpsSight for OpenShift and Kubernetes to help address container security. Once a container is scanned, OpsSight continually monitors Black Duck’s vulnerability database to determine whether any new vulnerabilities have been discovered that impact components in that container. Should a new vulnerability be disclosed, OpsSight proactively updates the container metadata with vulnerability information and can notify security response teams of the event. This allows operations teams to move from an unknown and uncertain vulnerability state to a known one with automated triggering of response plans.
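Added example (not OpsSight's code and not from the Black Duck post): a small Python model of the monitoring loop described above. A container's scanned component inventory is re-matched against successive states of a vulnerability feed, only newly disclosed matches are reported for response, and the container's metadata labels are annotated. The feed format, version-range matching, image name, component versions and vulnerability identifiers are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vuln:
    vuln_id: str          # constructed identifier, not a real CVE
    component: str
    first_affected: str   # inclusive lower bound
    fixed_in: str         # exclusive upper bound
    severity: str

def parse_version(v: str) -> tuple:
    """'1.2.8' -> (1, 2, 8); assumes plain dotted numeric versions."""
    return tuple(int(p) for p in v.split("."))

def is_affected(version: str, vuln: Vuln) -> bool:
    ver = parse_version(version)
    return parse_version(vuln.first_affected) <= ver < parse_version(vuln.fixed_in)

def rescan(container: dict, feed: list, seen: set) -> list:
    """Re-match the stored component inventory against the current feed.
    Only vulnerabilities not already recorded fire, and labels are updated."""
    new = []
    for comp in container["components"]:
        for vuln in feed:
            if vuln.component != comp["name"] or vuln.vuln_id in seen:
                continue
            if is_affected(comp["version"], vuln):
                seen.add(vuln.vuln_id)
                new.append({"image": container["image"], "component": comp["name"],
                            "version": comp["version"], "vuln": vuln.vuln_id,
                            "severity": vuln.severity})
    if new:  # annotate container metadata so operators can see the finding
        labels = container.setdefault("labels", {})
        known = [v for v in labels.get("vulns", "").split(",") if v]
        labels["vulns"] = ",".join(known + [n["vuln"] for n in new])
    return new

# Constructed sample data: one scanned container and two feed states.
CONTAINER = {"image": "registry.example/app:1.0",
             "components": [{"name": "openssl", "version": "1.0.2"},
                            {"name": "zlib", "version": "1.2.8"}]}
FEED_DAY1 = [Vuln("EXAMPLE-0001", "openssl", "1.0.0", "1.0.3", "high")]
FEED_DAY2 = FEED_DAY1 + [Vuln("EXAMPLE-0002", "zlib", "1.2.0", "1.2.9", "medium"),
                         Vuln("EXAMPLE-0003", "openssl", "1.1.0", "1.1.1", "high")]

def run_demo() -> tuple:
    """Two monitoring passes on a fresh container copy: (day1, day2, labels)."""
    container, seen = {**CONTAINER, "labels": {}}, set()
    day1 = rescan(container, FEED_DAY1, seen)
    day2 = rescan(container, FEED_DAY2, seen)
    return day1, day2, container["labels"]
```

The second pass reports only the zlib disclosure: the openssl finding was already recorded, and the third feed entry targets a version range the container does not run.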
Partner Spotlight: Black Duck by Synopsys
via OpenShift: Synopsys is at the forefront of smarter connected secure devices with the world’s most advanced tools for silicon chip design, verification, IP integration, and application security testing. Our technology helps customers innovate from silicon to software, so they can deliver smart, secure everything. A leader in software composition analysis, Black Duck provides products and on-demand audit services to secure and manage applications and containers at the speed of DevOps, eliminating pain related to open source security vulnerabilities, license compliance, and operational risk.
Enhanced Legal Tab in Black Duck Audit Reports
via Black Duck blog: If you have reviewed any Black Duck audit reports recently, you may have noticed improvements in the legal tab and the way we report on findings. The new report format has received some very positive reviews, the theme being that it makes reported results more actionable. The biggest change we made on the legal tab was to add a layer of hierarchy in categorizing findings. We classify licenses for components as follows: Research Needed, Potential Conflicts and OK to Use.