Software applications access many of the most important assets an organization manages, such as intellectual property, strategic plans, and customer data. This makes them a lucrative target for cybercriminals. Unfortunately, applications are often the weakest link in a company’s IT security chain.
Recent reports from IBM X-Force Threat Intelligence have shown that many of the security incidents disclosed in recent years are the result of application vulnerabilities. The same reports indicate that many organizations do not know how to secure their valuable application resources. One area of application security that is often overlooked is the use of open source software.
Explosive growth of open source software
The use of open source software is ubiquitous across the web, cloud, containers, enterprise applications, mobile devices, and the Internet of Things (IoT). Analysis by Black Duck, an IBM Security partner, showed that open source code makes up about 30% of the average commercial software application; the figure climbs even higher for internal applications. According to Gartner, open source will be included in mission-critical applications in 99% of Global 2000 companies by the end of 2016.
It’s easy to see why open source is growing in popularity, even among organizations like the US Department of Defense and proprietary software vendors. Free to use, open source provides essential functionality while reducing development costs and accelerating time to market.
Open source is not without risk, however. In 2014 alone, the National Institute of Standards and Technology (NIST) recorded more than 4,000 new vulnerabilities, a period that brought critical open source issues such as Heartbleed and Shellshock, followed in early 2015 by Ghost and Venom. In addition, thousands of open source vulnerabilities are likely to be present in the existing applications of a typical large enterprise.
Unfortunately, most companies lack visibility and control over their open source. You can’t control what you can’t see, and meeting this challenge is essential for using open source with confidence.
The role of application security testing
Automated security testing has made significant progress over the past 10 years. In particular, static and dynamic analysis tools have helped organizations identify common coding errors that lead to application security vulnerabilities. As the technology advances, more classes of vulnerabilities can be detected and quickly remedied.
However, security researchers still have a role to play. Many classes of vulnerabilities remain undetectable by automated tools, and even among the detectable classes, some instances are too complex for today’s technology. This is true of the vulnerabilities disclosed daily in open source components: they are typically found by researchers examining the component itself, not by a scanner analyzing the application that happens to include it.
Why is Open Source different?
Open source software has benefited from the idea that enough people will examine the code to find most security issues. How well this theory holds depends in part on who is actually reviewing the code, but it does seem that the most common security bugs are often identified during the development process, so the most obvious flaws tend not to ship in the released product.
However, reusing open source components complicates matters. As new vulnerabilities are disclosed, developers have to know which version of each component they are shipping, keep it current with the project’s releases, and patch it whenever necessary.
As development teams become more sophisticated about security and incorporate best practices such as static and dynamic analysis, threat modeling, and security requirements into the software development lifecycle, the security challenges of reusing components already present in the developer’s workspace are often overlooked.
Security is not a permanent state
Several properties of open source make it a particularly attractive target for attackers. The ubiquity of some components provides a target-rich environment: the source code is available for anyone to study, vulnerabilities are publicly disclosed, and components do not update themselves, so every application that embeds a vulnerable version stays exposed until its owner acts. Together these factors make open source vulnerabilities difficult for defenders.
Even when a company thoroughly vets its open source code before deployment, everything changes the moment a new vulnerability is disclosed. An application once thought to be secure becomes a target of choice, even for unskilled attackers, because the details of the flaw are now public.
A simple solution: know all your code
The good news is that there is a solution. A new technology partnership between IBM and Black Duck expands IBM’s solutions portfolio to include identifying, remediating, and controlling risk in open source software through an integrated approach to application security management.
Black Duck Hub integrates into the development cycle with IBM Security AppScan to automatically identify all open source code used in an application. The resulting inventory, or bill of materials (BOM), is compared against Black Duck’s knowledge base of over 1.5 million open source components to identify known security vulnerabilities, and the results are shown directly in IBM Security AppScan Enterprise. Additionally, Black Duck continues to monitor the threat landscape, so that when new vulnerabilities are disclosed, users receive security alerts that tell them exactly which applications are using the now-vulnerable component.
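The matching step described above is simple enough to show end to end. The following script is an added illustration written for this article, not Black Duck or IBM AppScan code: it inverts a set of per-application bills of materials into a component index, compares each component version against a vulnerability feed that records the first affected and first fixed version, and answers the question a new disclosure raises, namely which applications carry the affected version. The application names, component versions, and vulnerability identifiers (SAMPLE-001 and so on) are all constructed sample data, not real inventories or real advisories.

```python
"""Compare software bills of materials (BOMs) against a known-vulnerability feed.

Added example for this article; not Black Duck or IBM AppScan code.
All BOM entries, vulnerability records and application names are constructed.
"""
import re
from collections import defaultdict

# Constructed sample BOMs: application name -> {component: version}.
SAMPLE_BOMS = {
    "billing-portal": {"openssl": "1.0.1f", "bash": "4.3", "struts": "2.3.16"},
    "hr-intranet":    {"openssl": "1.0.1g", "bash": "4.2", "jquery": "1.11.1"},
    "mobile-api":     {"openssl": "1.0.2", "struts": "2.3.16.1", "glibc": "2.17"},
}

# Constructed vulnerability feed. Each record gives the component, the first
# affected version and the first fixed version, i.e. the half-open range
# [introduced, fixed_in). The IDs are made up, not CVE numbers.
SAMPLE_FEED = [
    {"id": "SAMPLE-001", "component": "openssl", "introduced": "1.0.1", "fixed_in": "1.0.1g"},
    {"id": "SAMPLE-002", "component": "struts",  "introduced": "2.0.0", "fixed_in": "2.3.16.1"},
    {"id": "SAMPLE-003", "component": "glibc",   "introduced": "2.2",   "fixed_in": "2.18"},
]

_SEGMENT = re.compile(r"(\d+)([A-Za-z]*)")


def parse_version(version):
    """Turn '1.0.1f' into ((1, ''), (0, ''), (1, 'f')).

    Tuples of (int, suffix) compare the way release numbering is read:
    1.0.1 < 1.0.1f < 1.0.1g < 1.0.2 < 1.0.10, and 2.3.16 < 2.3.16.1.
    A plain string comparison would get '1.0.10' < '1.0.2' wrong.
    """
    parts = []
    for segment in version.split("."):
        match = _SEGMENT.fullmatch(segment)
        if not match:
            raise ValueError(f"unsupported version segment {segment!r} in {version!r}")
        parts.append((int(match.group(1)), match.group(2)))
    return tuple(parts)


def is_affected(version, record):
    """True when version lies in [introduced, fixed_in) for this record."""
    v = parse_version(version)
    return parse_version(record["introduced"]) <= v < parse_version(record["fixed_in"])


def build_inventory(boms):
    """Invert the BOMs into component -> [(application, version)].

    This index is what makes a later alert cheap: a new disclosure names a
    component, and the affected applications are read off the index instead
    of re-scanning every application.
    """
    inventory = defaultdict(list)
    for app, components in boms.items():
        for component, version in components.items():
            inventory[component].append((app, version))
    return inventory


def affected_apps(inventory, record):
    """Sorted (application, version) pairs whose copy of the component is in range."""
    return sorted(
        (app, version)
        for app, version in inventory.get(record["component"], [])
        if is_affected(version, record)
    )


def match_feed(boms, feed):
    """Map every vulnerability ID in the feed to the applications it affects."""
    inventory = build_inventory(boms)
    return {record["id"]: affected_apps(inventory, record) for record in feed}


if __name__ == "__main__":
    for vuln_id, hits in match_feed(SAMPLE_BOMS, SAMPLE_FEED).items():
        summary = ", ".join(f"{app} ({ver})" for app, ver in hits) or "no affected applications"
        print(f"{vuln_id} -> {summary}")

    # A disclosure that arrives after the initial scan (constructed record):
    # the existing index answers it immediately.
    late_record = {"id": "SAMPLE-004", "component": "bash", "introduced": "1.14", "fixed_in": "4.3.1"}
    print(f"{late_record['id']} -> {affected_apps(build_inventory(SAMPLE_BOMS), late_record)}")
```

Two details matter in practice. The version comparison has to be numeric segment by segment, otherwise 1.0.10 sorts before 1.0.2 and a fixed build is reported as vulnerable; and the fixed version is excluded from the range, so hr-intranet on openssl 1.0.1g is correctly left out while billing-portal on 1.0.1f is flagged. Real feeds express affected ranges less uniformly than this sample, so a production matcher also needs the component's own versioning scheme, but the inventory-plus-range-check structure is the same.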
By working together, IBM and Black Duck help security and application development professionals take a holistic approach to identifying and resolving security issues in both custom and open source code.
To learn more
To learn more about the importance of open source testing, read our blog post “Taming the Open-Source Beast with an Effective Application Security Testing Program”. You can also try IBM Application Security on Cloud by signing up for a free trial.