Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Can Your Patching Strategy Keep Up with the Demands of Open Source?
Newest First  |  Oldest First  |  Threaded View
timintech
50%
50%
timintech,
User Rank: Author
6/19/2019 | 10:05:28 AM
Re: On Open Source, Freeware and other slithy toves
My core point being that open source components are likely throughout your environment, not just in a test area. That's in large part due to the types of problems solved. So, if you look closely at any firmware, you'll likely see open source components in there. The same goes for virtualization and containerization software or public cloud infrastructure. Even Microsoft is a huge supporter of open source with over 2500 projects published on GitHub and .Net Core available under an MIT license.

Net of this, you're absolutely right that a risk reward tradeoff is required – it's just that with the ubiquity of open source usage in commercial applications, you're going to want to ensure you know what's being used or embedded regardless of where it originated.
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
6/19/2019 | 8:40:28 AM
Re: On Open Source, Freeware and other slithy toves
i neglected to comment that some open source or shareware can be VERY VERY useful, performing short-cut work that off the shelf applications do not and, by that virtue, are beloved.  That said, IT professionals then have to weigh the risk-reward equation on this product.  Is it worth the ease of task vs. ease of infection and lack or difficulty of patching resources.   There is also the severity of platform mount - is the software on a non-important system or a critical host server.  Some of it is just grand for programming.  Single workstation, ok, a threat point but not a server.  So it is a balance act between threat and gain. 
timintech
50%
50%
timintech,
User Rank: Author
6/18/2019 | 3:31:35 PM
Re: On Open Source, Freeware and other slithy toves
The most interesting thing we see when auditing an application is how strongly some teams hold on to the perception there is no, or at best limited, use of open source technologies in their applications or environments. The reality is that open source is part of most modern applications – be it in the app itself or how its deployed. Not knowing what you've got is the easiest way to get blind-sided. That's why the patch management strategy is so crucial, and if you'd prefer a patch Tuesday type model, there are many vendors out there who'll happily provide that type of service for a license/support fee. Just be careful to get that complete inventory so you can ensure full compliance from all vendors - otherwise that 50s Olds experience could be the result!

 
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
6/18/2019 | 2:31:15 PM
On Open Source, Freeware and other slithy toves
I have liked shareware ages ago because it was fun and generally free.  These days it is also wide open available and as an open door product, I have never considered for use in a corporate environment.  Rather like having an old 1950's Oldsmobile in the back yard - easy to break into.  It just is a risk by itself and patching is the next nightmare, point of this article.  Indeed you have to devote some resource and time to patching - no Patch tuesday here.  It just never struck me in the right vein and, today, I have none of it at all.   


Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Ransomware Damage Hit $11.5B in 2019
Dark Reading Staff 2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7914
PUBLISHED: 2020-02-21
btif/src/btif_dm.c in Android before 5.1 does not properly enforce the temporary nature of a Bluetooth pairing, which allows user-assisted remote attackers to bypass intended access restrictions via crafted Bluetooth packets after the tapping of a crafted NFC tag.
CVE-2016-4606
PUBLISHED: 2020-02-21
Curl before 7.49.1 in Apple OS X before macOS Sierra prior to 10.12 allows remote or local attackers to execute arbitrary code, gain sensitive information, cause denial-of-service conditions, bypass security restrictions, and perform unauthorized actions. This may aid in other attacks.
CVE-2020-5243
PUBLISHED: 2020-02-21
uap-core before 0.7.3 is vulnerable to a denial of service attack when processing crafted User-Agent strings. Some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent hea...
CVE-2019-14688
PUBLISHED: 2020-02-20
Trend Micro has repackaged installers for several Trend Micro products that were found to utilize a version of an install package that had a DLL hijack vulnerability that could be exploited during a new product installation. The vulnerability was found to ONLY be exploitable during an initial produc...
CVE-2019-19694
PUBLISHED: 2020-02-20
The Trend Micro Security 2019 (15.0.0.1163 and below) consumer family of products is vulnerable to a denial of service (DoS) attack in which a malicious actor could manipulate a key file at a certain time during the system startup process to disable the product's malware protection functions or the ...