Open Source Insight: Securing IoT, Atlanta Ransomware Attack, Congress on Cybersecurity
By Fred Bals, Senior Content Strategist

The Black Duck blog and Open Source Insight become part of the Synopsys Software Integrity blog in early April. You’ll still get the latest open source security and license compliance news, insights, and opinions you’ve come to expect, plus the latest software security trends, news, tips, best practices, and thought leadership every week. Don’t delay, subscribe today! Now on to this week’s open source security and cybersecurity news.
Cybersecurity News This Week
• What you should know about the recent Atlanta ransomware attack
• Innovation may be outpacing security in cars
• Comment: securing IoT devices before (and after) they ship
• Mozilla's radical open-source move helped rewrite rules of tech
• Synopsys on source code security sensitivities
• Digging deeper into the GitHub security alerts numbers
Open Source News Stories
• Black Duck On-Demand and Synopsys: running the walk
• U.K. threatens to force IoT security by design
• Report to Congress on cybersecurity
• Cybersecurity agency warns of ‘extremely dangerous’ risks of 5G technology
• Drupal issues highly critical patch: over 1M sites vulnerable
Open Source News Stories
What you should know about the recent Atlanta ransomware attack
via Synopsys Software Integrity: The city of Atlanta has become one of the latest victims of a ransomware attack. The attack is believed to be the result of the SamSam malware that has compromised various healthcare, government, and educational systems over the past several years.
Innovation may be outpacing security in cars
via EE News: As the UK government’s car cybersec guidelines recognize, innovation may be outpacing security in cars. Automotive OEMs therefore need to adopt a security strategy that goes beyond the obvious.
Comment: securing IoT devices before (and after) they ship
via Electronics Weekly: “When it comes to IoT devices, you need to consider a security architecture risk analysis, to find weaknesses that might occur as the result of business logic or component interactions,” writes Art Dahnert of Synopsys.
Mozilla's radical open-source move helped rewrite rules of tech
via CNET: A gamble 20 years ago unleashed the source code for the browser that became Firefox. The approach is now core to Facebook, Google and everyone else.
Synopsys on source code security sensitivities
via Computer Weekly: Senior security strategist at Synopsys Taylor Armerding further suggests that a 2016 Forrester Research study commissioned by Synopsys set a baseline example of five hours of work to fix a defect in the coding/development stage. But, he reminds us, finding and fixing that same defect in the final testing phase would take five to seven times longer.
Digging deeper into the GitHub security alerts numbers
via Black Duck blog: The GitHub numbers are interesting; specifically the numbers 450,000 resolved vulnerabilities out of 4,000,000 discovered. We know that the National Vulnerability Database (NVD) doesn’t contain anywhere near that many disclosures, so how are they arriving at that number? GitHub is likely taking the number of vulnerabilities and applying it to all the forks and versions within GitHub using that code. That makes their metric an interesting one, as I said, but masks the real problem — knowing which code has been patched in which fork. Consumers of open source projects may themselves create a fork, and that fork could very easily be outside of GitHub’s visibility.
Black Duck On-Demand and Synopsys: running the walk
via Black Duck blog: As outlined previously, the Synopsys culture is extraordinarily well-aligned with the critical elements of our audit business: maintaining trust through integrity, being hyper-responsive through execution and leading the market with superior services and tools. And all that with the same passion that drives my team every day. To be fair, those initial impressions were based on Synopsys’s “talking the talk.” However, a few months of “walking the walk” have only reinforced my conviction that we have a great home. Actually, these months have felt more like running the walk!
U.K. threatens to force IoT security by design
via Synopsys Software Integrity: Securing the Internet of Things (IoT) seems like an endless reality version of “Mission Impossible”—really impossible. Many have tried—with lists of best practices and standards, exhortations, and warnings—but none has succeeded. Still, the U.K. government, in a policy paper titled Secure by Design released earlier this month, says it is also going to try, with a 13-point Code of Practice that it will force all IoT stakeholders to follow if they don’t do it voluntarily.
Report to Congress on cybersecurity
via USNI News: Cybersecurity has been gaining attention as a national issue for the past decade. During this time, the country has witnessed cyber incidents affecting both public and private sector systems and data. These incidents have included attacks in which data was stolen, altered, or access to it was disrupted or denied. The frequency of these attacks, and their effects on the U.S. economy, national security, and people’s lives have driven cybersecurity issues to the forefront of congressional policy conversations. This report provides an overview of selected cybersecurity concepts and a discussion of cybersecurity issues that are likely to be of interest during the 115th Congress.
Cybersecurity agency warns of ‘extremely dangerous’ risks of 5G technology
via EURACTIV: Superfast 5G mobile networks come with “extremely dangerous” cybersecurity risks, the EU cybersecurity agency ENISA has warned. 5G is expected to become available to European consumers by 2025.
Drupal issues highly critical patch: over 1M sites vulnerable
via Threatpost: Drupal released a patch for a “highly critical” flaw in versions 6, 7 and 8 of its CMS platform that could allow an attacker to take control of an affected site simply by visiting it. Drupal also warned an unprivileged and untrusted attacker could modify or delete data hosted on affected CMS platforms.