This issue of Open Source Insight looks at how data leaks on Amazon servers may have exposed the personal information of 198 million American voters and 14 million Verizon customers. Is the federal cybersecurity infrastructure keeping up with threats? Why do some many companies have problems keeping their software up to date? Are vulnerability tools up to snuff?  All this and more open source security and cybersecurity news…

1. Open Source Insight:
Amazon Servers Exposed
Open Source & the Public Sector
How Not to be the Next Equifax
By Fred Bals | Senior Content Writer/Editor

2. Cybersecurity News This Week
This issue of Open Source Insight looks at how data leaks on
Amazon servers may have exposed the personal information of
198 million American voters and 14 million Verizon customers. Is
the federal cybersecurity infrastructure keeping up with threats?
Why do some many companies have problems keeping their
software up to date? Are vulnerability tools up to snuff?
All this and more open source security and cybersecurity news…

3. • Researchers Find 7 Percent of All Amazon
S3 Servers Exposed
• Open Source and the Public Sector
• Cybersecurity Threats Demand Modernizing
Federal Technology
• How Open Source is Transforming the
Automotive Industry
• 3 Keys to the Road Ahead with Autonomous
Vehicles
Open Source News

4. More Open Source News
• Why Don't Big Companies Keep Their Computer Systems Up-
to-date?
• Equifax CEO Richard Smith Retires After Mass Hack
• The Equifax Example: Bridging the Gap Between Security and
DevOps
• Flaws in Open-source Software Pose Big Risks to Companies
That Use It
• Nessus, Qualys, Metasploit for Struts Vulnerabilities?
• So, You Want to Be a Data Protection Officer

5. via SC Media: A recent study by SkyHigh
Networks found seven percent of all Amazon S3
servers are exposed which may explain a
recent surge of data leaks in the last few
months including the information on 198 million
American voters.
Researchers Find 7 Percent of All Amazon S3
Servers Exposed

6. Open Source and the Public Sector
via GCN: With open-source a significant
part of the nation’s digital infrastructure,
the risks associated with this type of
software are enough to pique the interest
of department official, writes Black Duck
VP of Product Management, Patrick
Carey.

7. via The Hill: If it’s not obvious yet that
cybersecurity is a major issue, you’re not paying
attention. Accordingly, cybersecurity must be a
priority for all levels of government, not to
mention the private sector. Yet much of the
federal government’s networks remain
vulnerable simply because of outdated and
obsolete technology. This must change.
Cybersecurity Threats Demand
Modernizing Federal Technology

8. How Open Source is Transforming the
Automotive Industry
via Autobody News: Automakers are adopting open source software
for core technologies like the infotainment operating system. This
allows them to focus more resources towards the industry-wide race to
develop new technologies, mobility services, and autonomous vehicles.

9. via Black Duck blog (Rob Hawkins): It's certainly been
an interesting month thus far for the mobility industry.
The House of Representatives passed the SELF DRIVE
Act, which proposes to grant 25,000 autonomous light
vehicle testing exemptions (ratcheting up to 100,000
within a few years), exemptions that supersede existing
state laws for pre-market approval processes.
The Department of Transportation (DOT) followed suit,
trimming and softening prior guidelines. Now it’s up to
the Senate, where similar legislation includes
autonomous trucking. This is an area of considerable
investment that, according to some, is accompanied by
concerns surrounding artificial intelligence and jobs.
3 Keys to the Road Ahead with
Autonomous Vehicles

10. Why Don't Big Companies Keep Their
Computer Systems Up-to-date?
via Business Standard: Equifax, like most Fortune 100 firms,
was using an open-source software platform called Apache Struts
to run parts of its website. Every major piece of software has
vulnerabilities, almost inevitably. When they’re found, typically the
company or organization that writes the software creates a fix and
shares it with the world, along with notifications that users should
update to the latest version.

11. via Investor’s Business Daily: Equifax CEO
and Chairman Richard Smith retired, effective
immediately, in the wake of a massive hack
recently disclosed that may have exposed up
to 143 million Americans.
Equifax CEO Richard Smith Retires After Mass Hack

12. The Equifax Example: Bridging the Gap
Between Security and DevOps
via The Stack: Many security professionals struggle hugely to
communicate on a daily basis with the fast-moving needs of
developers and operations staff who now need to get an application
or service from the test development environment to live faster than
ever before. Security teams are not experts in what typical Open
Source libraries are needed for the safe and secure running of a
specific web server or application stack.

13. via IT Briefcase: An average of at least 3,000
new open source vulnerabilities are discovered
every year. That’s more than ten a day —
which is a lot to keep up with. Unfortunately,
you can’t rely on the National Vulnerabilities
Database (NVD) to give you early warning of
them.
IT Briefcase Exclusive Interview: Equifax
Data Breach — Protecting Privacy and
Avoiding a PR Nightmare

14. Flaws in Open-source Software Pose Big Risks to
Companies That Use It
via Third Certainty: While open source is no less secure than
commercial code, most companies lack the visibility into and control
over the open-source code they use, according to Mike Pittenger,
vice president of security strategy at Black Duck. “Last year, Black
Duck’s Center for Open Source Research & Innovation (COSRI)
analyzed more than 1,000 applications that were audited as part of
Merger & Acquisition transactions. The COSRI audit analysis found
that while 96 percent of the applications contained open-source
software, more than 60 percent of those applications contained
known open-source security vulnerabilities,” he says.

15. via Black Duck blog (Mike Pittenger): The
Equifax breach has brought Remote Code
Execution (RCE) vulnerabilities in Struts into the
spotlight. Nobody wants to be the “next Equifax,”
much less the company leadership “retiring” or
answering questions from Congress.
Nessus, Qualys, Metasploit for Struts
Vulnerabilities?

16. So, You Want to Be a Data Protection Officer
via Black Duck blog (David Znidarsic, Founder & President of
Stairstep Consulting): The General Data Protection Regulation
(GDPR) will be enforced starting on May 25, 2018. One of the
requirements of the GDPR is that many companies who handle
personal data of EU citizens will need to appoint either an employee
or contractor to be their Data Protection Officer.

17. Subscribe
Stay up to date on open source security and cybersecurity –
subscribe to our blog today.