In this week’s open source security and cybersecurity news: Free software comes with a price. Learn how a PE firm wraps open source due diligence into its tech investing. The SEC provides guidance on public cybersecurity. The Defense Department (re)launches its open source portal. A look at cybersecurity through the (virtual) lens of video gaming. What you need to know to be a DPO. And what’s up with the National Vulnerability Database?

1. Open Source Insight:
SEC and Cybersec Risks, GDPR Looms,
What’s Going on with the NVD?
By Fred Bals, Senior Content Strategist

2. Cybersecurity News This Week
In this week’s open source security and cybersecurity news: Free
software comes with a price. Learn how a PE firm wraps open source
due diligence into its tech investing. The SEC provides guidance on
public cybersecurity. The Defense Department (re)launches its open
source portal. A look at cybersecurity through the (virtual) lens of video
gaming. What you need to know to be a DPO. And what’s up with the
National Vulnerability Database?

3. • Why Pay For Something When It's Free?
• NorthEdge: Making Tech Investments with
Confidence
• The SEC Says Companies Must Disclose More
Information about Cybersecurity Risks
• Commission Statement and Guidance on Public
Company Cybersecurity Disclosures
• What Can We Learn From the Video Game
Industry’s Approach to Software Security?
Open Source News Stories

4. • Defense Department (Re)Launches Open Source
Software Portal
• Webinar: What Will GDPR Requirements Mean for
Your Security Initiative?
• So, You Want to Be a Data Protection Officer
• What's Happening with the National Vulnerability
Database?
Open Source News Stories

5. Why Pay For Something When It's Free?
via Forbes: People have long thought that OSS is less secure than proprietary
software. They point to security bugs such as the OpenSSL vulnerability known
as Heartbleed discovered in 2014 that allowed for stealing of protected
information. Open source is no more or less secure than proprietary software.
The difference is that software vendors can offer security and reliability
guarantees. When a problem arises, whether it be security-related or
performance-related, commercial vendors provide support for companies using
their software. Overall, open source software can offer reliable, innovative
technology to companies drawn to the idea of free software.

6. NorthEdge: Making Tech Investments
with Confidence
via Black Duck by Synopsys: Black Duck helps
private equity firm NorthEdge Capital make tech
investments with confidence—alerting the firm to
potential legal, operational, and security issues in
acquisitions and sales by identifying open source
code and third-party components and licenses.

7. The SEC Says Companies Must Disclose More
Information about Cybersecurity Risks
via TechCrunch: The guidance was issued as an “interpretive release,” which
the SEC uses to publish their views and interpret federal securities laws and SEC
regulations. In it, the commission urged companies to develop policies that allow
them to quickly assess cybersecurity risks and decide when to tell the public, and
also prevent executives, board members and other corporate insiders from
trading shares when they have important information that hasn’t been released
yet.

8. Commission Statement and Guidance on
Public Company Cybersecurity Disclosures
via SEC.gov: Given the frequency, magnitude and cost of
cybersecurity incidents, the Commission believes that it is
critical that public companies take all required actions to
inform investors about material cybersecurity risks and
incidents in a timely fashion, including those companies that
are subject to material cybersecurity risks but may not yet
have been the target of a cyber-attack.

9. via Synopsys Software Integrity blog: The video game
market is a $100+ billion industry. Some of the most
complex software developed today is for video games,
using clients, servers, web components, monetary
transfers, social interactions, and virtual markets—with
every part needing security. Video games are attractive
and lucrative targets for hackers, especially when it
comes to cheating and piracy.
What Can We Learn From the Video
Game Industry’s Approach to Software
Security?

10. via Nextgov: The Defense Department launched
the Code.mil website on Tuesday, a new, streamlined
portal for its similarly named Code.mil initiative, a
collaborative approach to meeting the government’s
open source policy.
The new website was designed to give a more
straightforward user experience. The site features a suite
of new tools, including checklists that links to offer
guidance, and represents “an evolution of the Code.mil
project,” according to Ari Chivukula, policy wrangler for
the Defense Digital Service.
Defense Department (Re)Launches
Open Source Software Portal

11. via Synopsys Software Integrity blog: Listen as
experts Adam Brown of Synopsys and legal expert
Dan Hedley of Irwin Mitchell, LLP provide insights into:
• What GDPR requirements mean for your security
initiative
• How your existing security activities can support
compliance
• Best practices to keep in mind as you look to mature
your software security program
Register for the webinar here.
Webinar: What Will GDPR
Requirements Mean for Your Security
Initiative?

12. via Black Duck blog: Coming into the role, the Data Protection Officer
(DPO) must have expert knowledge of data protection law and the
practices necessary to protect data, because they will be involved with
all issues related to protection of personal data. Since often personal
data is not (or cannot feasibly be) isolated from non-personal data, the
DPO will be involved in the protection of all data in systems that have
any personal data.
So, You Want to Be a
Data Protection Officer

13. What's Happening with the National Vulnerability
Database?
via Black Duck blog: Since February 2, 910 vulnerabilities have been published
in NVD without CVSS scores, far more than usual during such a short period of
time. NIST appears to be following a plan that favors providing partial information
in earlier disclosure.
That’s a decent trade-off for consumers of NVD, assuming you have sufficient
security resources to investigate these vulnerabilities internally. Unfortunately,
that’s not usually the case. Security teams are almost always stretched thin. The
first filter from any vulnerability feed are going to be: a) are my products affected;
and b) how severe is the vulnerability. The missing CVSS scores eliminates the
ability to apply the latter item, without a considerable amount of work calculating
scores.