Lots of DevOps news this week, including why automation is critical for securing code, as well as balancing agility with security needs.  Learn how to manage security in GitHub projects with CoPilot from Black Duck Software. Pre-GDPR, Carphone Warehouse gets hit with £400k fine over a 2015 hack.  And why you should think like your attackers when developing your cybersecurity portfolio. Read on for this week’s cybersecurity and open source security news in Open Source Insight! 

1. Open Source Insight:
Balancing Agility and Open Source Security for DevOps
Fred Bals | Senior Content Writer/Editor

2. Cybersecurity News This Week
Lots of DevOps news this week, including why automation is critical for securing
code, as well as balancing agility with security needs. Learn how to manage
security in GitHub projects with CoPilot from Black Duck Software. Pre-GDPR,
Carphone Warehouse gets hit with £400k fine over a 2015 hack. And why you
should think like your attackers when developing your cybersecurity portfolio.
Read on for this week’s cybersecurity and open source security news in Open
Source Insight!

3. • Sidestepping the Security Traps of Open
Source
• Manage Security Risk in GitHub Open
Source Projects with CoPilot
• Automation Critical to Securing Code in an
Agile, DevOps World
• Open Source Software Security Challenges
Persist, but the Risk Can Be Managed
Open Source News

4. More Open Source News
• Carphone Warehouse Slapped With Maximum
£400k Fine by ICO Over 2015 Hack
• Black Duck by Synopsys: Being Part of Our Kind of
Company
• Does DevOps Plus Open Source Equal Security?
• Synopsys Forms Technical Advisory Board for
Software Integrity Group
• Why Thinking Like Your Enemy Is A Valuable
Strategy For Your Cybersecurity Portfolio

5. via CA Technologies: According to security company Black
Duck Software, now part of Synopsys, open components are
used in 96 percent of all proprietary applications. On average,
a total of 147 different open components are used in an
application. Most important from a safety standpoint is that 67
percent of all applications use components that have known
vulnerabilities.
Sidestepping the Security Traps of Open Source

6. Manage Security Risk in GitHub Open Source Projects
with CoPilot
via Black Duck blog (Lisa Bryngelson): CoPilot is a publicly-
facing free application that allows owners of open source
projects on GithHub to monitor security risk associated with used
components as part of their Git Flow development process.

7. via GovTech Works: Performing a manual,
detailed security analysis of each open-
source software component takes hours to
ensure it is safe and free of vulnerabilities.
Tools from Sonatype, Black Duck of
Burlington, Mass., and others can automate
most of that work.
Automation Critical to Securing Code
in an Agile, DevOps World

8. Open Source Software Security Challenges
Persist, but the Risk Can Be Managed
via CSO: In the average application, over a third of the code base is
open source," says Mike Pittenger, Black Duck security strategist at
Synopsys, Inc. "To replace that third of the code base, you're going
to have to increase either your development team or development
time by 50 percent -- and I don't think those are viable options in
today's world."

9. via V3: Carphone Warehouse used 'out-of date
software and failed to carry out routine security
testing', says ICO.
Carphone Warehouse Slapped With Maximum
£400k Fine by ICO Over 2015 Hack

10. Black Duck by Synopsys: Being Part of Our Kind
of Company
via Black Duck blog (Phil Odence): The Black Duck
audit business is built on trust, doing great work, and,
critically, responsiveness. We pride ourselves on “moving
at the speed of transactions.” As part of a large public
company, can we remain as amazingly responsive as we
have been to client needs? Yes!

11. via Forbes: The pressure on development
teams to become agile and work at DevOps
speeds has led to an increase in the use of
open-source software. However, a hidden
danger in increasing reliance on software you
haven’t developed is that it typically carries with
it performance and security risks, which must be
properly identified and fixed before an
application goes into production.
Does DevOps Plus Open Source
Equal Security?

12. Synopsys Forms Technical Advisory
Board for Software Integrity Group
via Synopsys: Five-member board of experienced security
executives to guide technical innovations of Synopsys security
products and services.

13. via Forbes: When you have third-parties that are
providing services to you, that’s a much different
threat model, because then you have to ask what if
someone actually attacks the third-party provider
and we’re using their software in our architecture?
What if someone taints the supply chain and
actually puts rogue code into our code base?
Why Thinking Like Your Enemy Is A Valuable
Strategy For Your Cybersecurity Portfolio

14. Subscribe
Stay up to date on open source security and cybersecurity –
subscribe to our blog today.