It’s our second all-Equifax “Open Source Insight,” as the Equifax breach unfortunately still leads the cybersecurity and open source security news cycle this week. As the Equifax breach has shown, open source security risks are a daunting reality. But that breach should never have happened — a known, fixable open source vulnerability not being remediated. Open source software — such as Apache Struts — comprises 80 to 90 percent of the code in modern applications, yet most organizations lack any visibility into the open source they are using. In response, Black Duck, the global leader in automated solutions for securing and managing open source software, announced this week the availability of a free-use tool that enables organizations to determine if they are at risk from the Apache Struts vulnerability that was exploited in the recent, high-profile Equifax breach.

1. Open Source Insight:
Threat Check for Struts Released,
Equifax Breach Dominates News
By Fred Bals | Senior Content Writer/Editor

2. Cybersecurity News This Week
It’s our second all-Equifax “Open Source Insight,” as the Equifax breach
unfortunately still leads the cybersecurity and open source security news cycle this
week. As the Equifax breach has shown, open source security risks are a daunting
reality. But that breach should never have happened — a known, fixable open
source vulnerability not being remediated.
Open source software — such as Apache Struts — comprises 80 to 90 percent of
the code in modern applications, yet most organizations lack any visibility into the
open source they are using. In response, Black Duck, the global leader in
automated solutions for securing and managing open source software, announced
this week the availability of a free-use tool that enables organizations to determine
if they are at risk from the Apache Struts vulnerability that was exploited in the
recent, high-profile Equifax breach.

3. • Black Duck Releases Threat Check for Struts; Free-Use
Tool Allows Organizations Worldwide to Auto-Detect
Equifax Vulnerability
• The Equifax Data Breach: What to Do | Consumer
Information
• After Equifax Breach, Companies Advised to Review
Open-Source Software Code
• Data Privacy Requires Data Security, Just Ask Equifax
• What do Equifax and a UK City Council have in
common?
Open Source News

4. More Open Source News
• Equifax Reminds Us: Open Source Audits are Only a First Step
• CIO: The sacrificial lamb of the data breach
• Equifax's disastrous Struts patching blunder: THOUSANDS of
other orgs did it too
• IT Briefcase Exclusive Interview: Equifax Data Breach —
Protecting Privacy and Avoiding a PR Nightmare
• Black Duck’s Response To New, Critical Apache Struts
Cybersecurity Vulnerability (REST Plugin)
• After Equifax: What Makes a Good CSO? Also: App Sec is a
Mess. We Talk about Why. (Podcast)

5. via Black Duck: Black Duck said Threat Check
for Struts can rapidly and accurately analyze
applications or containers to detect Struts
vulnerabilities, including CVE-2017-5638 that
was exploited at Equifax, resulting in the theft of
the personal data of 143 million consumers.
Black Duck Releases Threat Check for Struts;
Free-Use Tool Allows Organizations Worldwide to
Auto-Detect Equifax Vulnerability

6. The Equifax Data Breach: What to Do |
Consumer Information
via Federal Trade Commission: If you
have a credit report, there’s a good
chance that you’re one of the 143 million
American consumers whose sensitive
personal information was exposed in a
data breach at Equifax, one of the
nation’s three major credit reporting
agencies.

7. via Wall Street Journal: Lou Shipley, chief
executive of Black Duck Software, which sells
products to manage and protect open-source
software, says the most effective way for
companies to understand what is in their open-
source software and how to better control it is to
use automated processes that scan applications
for open-source code, create an inventory of
open-source components and check those
components against what is in open-source
vulnerability databases.
After Equifax Breach, Companies Advised
to Review Open-Source Software Code

8. Data Privacy Requires Data Security, Just
Ask Equifax
via Black Duck blog (David Znidarsic |
Founder & President of Stairstep
Consulting): The Equifax breach makes
clear in a visceral way what the GDPR
will make clear through regulations: the
consequences to the private individual
are just as damaging, if not more, when
their private data is breached compared
to when it is sold to an unauthorized
party, ask the 140 million individuals in
Equifax’s database.

9. via IT Pro Portal: Outside of their respective
breaches and the resultant exposure of personal
information, the common thread connecting
Equifax and Gloucester City Council is their use
of open source components with known
vulnerabilities.
What do Equifax and a UK City Council have
in common?

10. Equifax Reminds Us: Open Source
Audits are Only a First Step
via Black Duck blog (Phil Odence): My blog, A Case for
Continuous Open Source Management, lays out a number of
reasons why an audit by itself isn’t enough. The Equifax disaster
underscores the importance of post-audit vigilance, particularly
with respect to security vulnerabilities.

11. via Computer Business Review: Mike
Pittenger is VP security at Black Duck
Software said: “If security is not treated as a
priority, and regulatory standards like GDPR
are not addressed with appropriate
measures, I believe CIOs are placing their
careers in jeopardy.”
CIO: The sacrificial lamb of the data breach

12. Equifax's disastrous Struts patching blunder:
THOUSANDS of other orgs did it too
via The Register: Mike Pittenger, VP of security strategy at
SecDevOps tools firm Black Duck Software, told El Reg that it could
be that developers – whose work performance is generally judged by
the functionality of their software rather than security factors —
neglect to check whether the version of Struts they are using is
secure or not.

13. via IT Briefcase: An average of at least 3,000
new open source vulnerabilities are discovered
every year. That’s more than ten a day —
which is a lot to keep up with. Unfortunately,
you can’t rely on the National Vulnerabilities
Database (NVD) to give you early warning of
them.
IT Briefcase Exclusive Interview: Equifax
Data Breach — Protecting Privacy and
Avoiding a PR Nightmare

14. Black Duck’s Response To New, Critical Apache
Struts Cybersecurity Vulnerability (REST Plugin)
via Information Security Buzz: This fire drill happens with every
new critical vulnerability, because the vulnerability assessment tools
have no persistent knowledge of the applications we build and the
components used. Also, these tools only have plug-ins for a handful
of the vulnerabilities reported in open source components each year.

15. via Security Ledger: Mike Pittenger of the open
source software management firm Black Duck
Software joins us to talk about the difficulty that
software companies have tracking and
monitoring that software within their
environment.
After Equifax: What Makes a Good CSO?
Also: App Sec is a Mess. We Talk about
Why. (Podcast)

16. Subscribe
Stay up to date on open source security and cybersecurity –
subscribe to our blog today.