This document summarizes cybersecurity news and predictions for 2018 from Black Duck and Synopsys. It discusses the top 10 IT security stories of 2017, including many large data breaches. It also discusses how open source software vulnerabilities are a growing challenge since 96% of applications contain open source code and 60% have high-risk vulnerabilities. Predictions for 2018 include continued growth in machine learning powered by open source frameworks and a focus on software composition analysis to address open source security issues.

1. Open Source Insight:
2017 Top 10 IT Security Stories, Breaches, and Predictions for 2018
Fred Bals | Senior Content Writer/Editor

2. Cybersecurity News This Week
We’re winding up 2017 with the leading security stories of the year, as well as what
2018 might bring in terms of open source and cybersecurity. Several Black Duck
and Synopsys’ bloggers weigh in with articles ranging from the need of SCA
(software composition analysis), through how developers can navigate the
sometimes stormy seas of software security, to addressing the issues of open
source in tech contracts.
From Black Duck Software and Synopsys, we wish you a happy holiday season
and will see you again in 2018!

3. • Top 10 IT Security Stories of 2017
• WHOIS The First Casualty Of GDPR?
• Synopsys: Going the Distance with Open Source
Vulnerabilities
• Red Hat's Strong Results Fail to Impress
Scrooge-ish Investors
• Top Security Breaches of 2017 (+2018 Cyber
Security Predictions)
Open Source News

4. More Open Source News
• 2018 AI/ML Predictions (Part 2)
• Infographic: Set the Course for Developers to
Navigate Software Security
• Web Services Security: Providers and Consumers
of APIs
• How Do You Address the Complexity of Open
Source in Tech Contracts?
• Container Adoption by the Numbers

5. via Computer Weekly: Another new and growing security challenge facing
organisations is security flaws in open source code that is incorporated into
software used by the enterprise. An analysis of more than 1,000 applications
by Black Duck’s Centre for Open Source Research and Innovation
(COSRI) revealed that 96% of applications across all industry sectors
contained open source and a large proportion were vulnerable to open source
security issues. Overall, 60% of the applications audited contained high-risk
vulnerabilities. The retail and e-commerce industry had the highest proportion
of applications with high-risk open source vulnerabilities, with 83% of audited
applications containing high-risk vulnerabilities.
Top 10 IT Security Stories of 2017

6. WHOIS The First Casualty Of GDPR?
via Forbes: On May 25, 2018 the swarm will
wash over us and it will be an unfortunate event
for those organizations who did not get out in front
of the issues that this works to resolve. To recap
from my earlier article about this, GDPR is a
concerted effort to bring all of the privacy
regulations in Europe under a single standard
bearer.

7. via Computer Weekly (Jim Ivers): With an SCA
tool, you would be able to quickly scan the
information repository and know where
vulnerabilities were used, and additional
information about the version. Furthermore,
anyone who tried to use the offending version of
Apache Struts after the vulnerability was
disclosed should get a warning about that
vulnerability from the SCA tool, so the problem is
addressed before the code is deployed.
Synopsys: Going the Distance with
Open Source Vulnerabilities

8. Red Hat's Strong Results Fail to Impress
Scrooge-ish Investors
via SiliconANGLE News: “By any measure, the price drop wasn’t
extreme and shareholders should be pleased by Red Hat’s more-than-
solid performance.”

9. via Synopsys Software Integrity blog: The
number of publicly disclosed vulnerabilities in
2017 far exceeds the number from any
previous year. Below is a graph generated by
the National Vulnerability Database that shows
the number of publicly disclosed vulnerabilities
by year…
Top Security Breaches of 2017
(+2018 Cyber Security Predictions)

10. 2018 AI/ML Predictions (Part 2)
via DZone: Patrick Carey, VP of Product Marketing, Black
Duck Software
Machine learning use will increase exponentially, powered by
open-source projects like Amazon DSSTNE (pronounced
“Destiny”). “If you want your project to grow, making the code
open-source will ensure its development,” says Amazon as it gives
away DSSTNE, an open-source machine learning framework,
developed initially to power its product recommendation systems.
Because of frameworks like this being released as open-source,
organizations will continually find more use for machine learning,
from analyzing network traffic for malicious code and actors to
improved diagnostics in medicine.

11. via Synopsys Software Integrity
blog: Security is essential to software
development, and security concerns have
moved far beyond “check the box.” View this
infographic to learn what developers need most
in a software security tool.
Infographic: Set the Course for Developers
to Navigate Software Security

12. Web Services Security: Providers and
Consumers of APIs
via Black Duck blog: In my previous posts, I've highlighted
the importance and challenges of web services. This time I want to
focus on web services security. The primary challenge is that it’s
difficult to control the flow of data that goes through APIs. For this
reason, organizations need to have fixed policies around
data provided through APIs. Organizations are adopting two basic data
security solutions to effectively utilize the power of APIs without
sacrificing security and privacy…

13. via Black Duck blog: Many of the code bases Black Duck
audited this year comprised more than half open source.
Combine that with the fact that most companies don’t track
or manage it very well, and you have a concerning basis for
a range of risks. Black Duck educational materials often
connect the dots to the implications for software
development and M&A due diligence, but open source risks
are an issue worthy of attention in any contract negotiation
involving software.
How Do You Address the Complexity of Open
Source in Tech Contracts?

14. Container Adoption by the Numbers
via Black Duck blog: With a far smaller computing footprint, containers
are simple and nimble—eliminating the need for IT Operations and
DevOps teams to worry about underlying architecture when they deploy
applications. As a result of their simplicity, 73% of companies who use
containers indicate a more consistent deployment process. The most
common sentiment towards containers in this survey indicated that they
play a key role in organizations’ DevOps strategy, likely due to the
ability to deploy consistently and with agility.

15. Subscribe
Stay up to date on open source security and cybersecurity –
subscribe to our blog today.