Open Source Insight: CVE-2017-2636 Vuln of the Week & UK National Cyber Security Strategy
By Fred Bals, Senior Content Writer & Editor
This Week's Key Takeaways
Seldom a month goes by where the NVD entries don't break 1,000, and March 2017 is no exception. The vulnerability of the week is CVE-2017-2636, a serious security flaw in the Linux kernel that appears to have been present since 2009. More on that story follows.
More Open Source News
Other open source security and cybersecurity stories include:
• Learn how an open source audit works, and why it's an important part of diligence.
• Last year the UK Government announced £1.9bn of public investment in cyber-security.
• Does machine learning have a place in cyber security?
• Three steps for vulnerability management and triage.
How an Open Source Software Audit Works
Most of our readers understand that an open source software audit involves expert consultants analyzing a proprietary code base using Black Duck tools, writes Black Duck VP & General Manager Phil Odence. The deliverable is a report that identifies the open source in the code as well as its associated risks. If you'd like to understand our process, what comes before, during and after, read this post.
Linux Security Flaw Patched After Years Unspotted
Security researchers have discovered a serious security flaw in the Linux kernel that appears to have existed since 2009. The vulnerability, CVE-2017-2636, is rated 'high' in the National Vulnerability Database (NVD) because it could allow local users to gain privileges or cause a denial of service.
• According to The Hacker News, it affects a large number of Linux distributions, including Red Hat, Debian, Fedora, OpenSUSE, and Ubuntu. Users are advised to install the latest security updates right away.
• The discovery was made by Alex Popov of Positive Technologies. Patrick Carey, a director at Black Duck Software, comments on the finding.
Open Source: The New Normal in Enterprise Software
via CIODive: Open source is "no longer about people in t-shirts and sandals railing against the corporate machine and trying to do something different."
"Still, just as with closed source software, security is never 'fixed' and is an ongoing cost and risk. And in some cases, faith in open source software can be a blind spot."
"A 2016 survey, sponsored by Black Duck, a software development company, and investment firm North Bridge, found that not all end users of open source software are taking adequate security measures. One-third of respondents said they lacked a system for 'identifying, tracking or remediating known open source vulnerabilities.'"
The UK's £1.9bn Cyber-Security Spend — Getting the Priorities Right
via Computer Fraud & Security: The increased focus on cyber-security and the level of investment has been broadly welcomed in the industry. And the 'National Cyber Security Strategy 2016-2021' is not lacking ambition. But how do the Government's efforts really shape up? Are they addressing the right issues, and are they enough?
Black Duck vice president of security strategy Mike Pittenger comments in the article: "Forrester Research recently reported that one out of every 16 open source download requests is for a component with a known vulnerability."
"With open source making up as much as 50% of an application, it's vital to know what open source is used, where it is in the codebase, and to secure it against known vulnerabilities. Firms should target an equivalent amount of effort and resources at this primary weakness in their cyber-security."
Does Machine Learning Have a Future Role in Cyber Security?
According to Google Trends, machine learning has shown a steady (almost threefold) increase in interest since 2015, blogs Paul O'Neill, Black Duck Data Analyst. Coursera and Udacity machine learning courses are both in the top ten related topics. It appears that many people want to learn more about it.
If you have ever used Google, Netflix, Amazon or Gmail, then you have interacted with machine learning (ML). It has become an important component in online retail, recommendation systems, fraud detection and other areas. Open source machine learning and data science tools such as Python's scikit-learn package are freely available, very powerful and often used to build these systems.
Vulnerability Management and Triage in 3 Steps
Security testing tools can help organizations build better software by identifying vulnerabilities early in the SDLC. For security professionals and developers, however, the hard work begins when the testing is complete. Once you have a list of vulnerabilities across multiple applications, what's your next step in vulnerability management and triage? And how do you ensure that you maximize your remediation efforts?
Leading Linux distros dawdle as kernel flaw persists
A race condition flaw has been fixed in the mainline Linux kernel, but some Red Hat, Canonical, and Debian distributions don't yet have patches, notes InfoWorld. The vulnerability would affect Linux servers and workstations, as well as virtual machines, but not most containers.
"Due to the ioctl settings on Docker, this shouldn't be executable from within a container," said Patrick Carey of open source security company Black Duck Software. "Obviously if you have access to the container host, all bets are off."
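The check a practitioner wants after reading the two CVE-2017-2636 items above (the NVD summary and the InfoWorld report on distributions still waiting for patches) is whether a given host is exposed right now and what to do until a fixed kernel is booted. The script below is an added example, not code from the newsletter, from InfoWorld or from Black Duck. It assumes the detail published in the advisory for this CVE: the race is in the n_hdlc tty line-discipline driver, which an unprivileged local user can cause to be autoloaded by selecting N_HDLC with ioctl(TIOCSETD), and the interim mitigation distributions recommended was an `install n_hdlc /bin/true` rule in modprobe.d so the module cannot be loaded. The file name `/etc/modprobe.d/disable-n_hdlc.conf` and the lsmod and modprobe.d snippets in `demo` are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the newsletter or Black Duck). Assumes, per the public
# advisory for CVE-2017-2636, that the flaw lives in the n_hdlc line-discipline
# module and that an "install n_hdlc /bin/true" modprobe.d rule is the accepted
# interim mitigation. Runs on POSIX sh; only --host and --mitigate touch the system.

BLACKLIST_FILE=/etc/modprobe.d/disable-n_hdlc.conf   # assumed name, any *.conf works
BLACKLIST_RULE='install n_hdlc /bin/true'

# n_hdlc_loaded: reads lsmod output on stdin; exit status 0 if n_hdlc is resident.
n_hdlc_loaded() {
    awk 'BEGIN { rc = 1 } $1 == "n_hdlc" { rc = 0 } END { exit rc }'
}

# n_hdlc_blocked: reads concatenated modprobe.d content on stdin; exit status 0 if
# an "install n_hdlc ..." rule is present. An install rule replaces every load
# request for that module name with the given command, which is why the
# advisories recommended this form.
n_hdlc_blocked() {
    grep -Eq '^[[:space:]]*install[[:space:]]+n_hdlc([[:space:]]|$)'
}

# assess LSMOD_TEXT MODPROBE_TEXT: prints one verdict.
#   LOADED  - n_hdlc is already in the kernel; only a patched kernel and a reboot help
#   BLOCKED - not loaded, and an install rule stops a local user from autoloading it
#   EXPOSED - not loaded, and nothing stops the TIOCSETD autoload path
assess() {
    if printf '%s\n' "$1" | n_hdlc_loaded; then
        echo LOADED
    elif printf '%s\n' "$2" | n_hdlc_blocked; then
        echo BLOCKED
    else
        echo EXPOSED
    fi
}

# mitigate: write the install rule once (idempotent); needs root. Caveat: when the
# driver is built into the kernel (CONFIG_N_HDLC=y) no modprobe rule can help, and
# lsmod will never list it, so report that case instead of pretending to fix it.
mitigate() {
    if grep -q 'n_hdlc' "/lib/modules/$(uname -r)/modules.builtin" 2>/dev/null; then
        echo "n_hdlc is built into this kernel; update the kernel instead" >&2
        return 1
    fi
    if [ -r "$BLACKLIST_FILE" ] && n_hdlc_blocked < "$BLACKLIST_FILE"; then
        return 0
    fi
    printf '%s\n' "$BLACKLIST_RULE" >> "$BLACKLIST_FILE"
}

# check_host: the same assessment against the live system.
check_host() {
    lsmod_out=$(lsmod 2>/dev/null || true)
    modprobe_out=$(cat /etc/modprobe.d/*.conf 2>/dev/null || true)
    assess "$lsmod_out" "$modprobe_out"
}

# demo: constructed lsmod / modprobe.d snippets (not captured from a real host)
# exercising all three verdicts.
demo() {
    vulnerable_lsmod='Module                  Size  Used by
n_hdlc                 16384  0
ext4                  724992  1'
    clean_lsmod='Module                  Size  Used by
ext4                  724992  1'
    block_conf='install n_hdlc /bin/true'
    assess "$vulnerable_lsmod" ""         # LOADED
    assess "$clean_lsmod" "$block_conf"   # BLOCKED
    assess "$clean_lsmod" ""              # EXPOSED
}

case "${1:-}" in
    --host)     check_host ;;
    --mitigate) mitigate ;;
    --demo)     demo ;;
esac
```

Run it with `--host` on a machine you are worried about and `--mitigate` as root on one that reports EXPOSED; run `--demo` to see the three verdicts on the constructed input. Two caveats match Carey's remark above: the rule only prevents future loads, so a host that already reports LOADED needs the kernel update and a reboot, and on a container host the check has to run on the host, not inside the container, because the module is shared with every container on that kernel.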
17. Subscribe
Stay up to date on open source security and cybersecurity –
subscribe to our blog today.