Open source components are the building blocks of the application economy. According to recent research, open source components constitute 60 to 80 percent of the code base in modern applications.
Developers depend on components written and maintained by the open source community to work faster and more efficiently, and to meet the rapid demand for new releases and updates.
What is driving the rise of Open Source?
According to a WhiteSource poll titled “The State of Open Source Vulnerability Management,” 96.8% of developers said they used open source components “all the time,” “very often,” or “sometimes.” Only 3.2% of developers said they don’t use open source at all, likely due to policies that don’t allow them to do so in their organizations. Interestingly, developers who use open source components rely on them significantly, which may explain why none of the respondents described their use as “rarely”.
However, despite the tech industry’s reliance on these components, there is an unfortunate lack of understanding of how to properly manage risks when using them. To fully understand how to follow best practices for using open source components securely, organizations must first realize how much code they are using.
Why is it important to keep track of your open source components?
Threat actors can exploit vulnerabilities in popular open source projects to potentially target thousands of organizations, many of which are not even aware that they use these vulnerable components in their products.
Tracking inventory and managing security, especially if there is no practice in place to guide how open source components should be managed, is no small feat. Companies looking to harness the power of open source components in their products have a responsibility to use them safely.
In far too many organizations, developers don’t effectively track the open source components they use in their code. In other cases, they need to make manual records in spreadsheets or notify their coworkers via email about the components they are using. Neither option is truly viable at scale, nor does it meet the security need to identify components with known vulnerabilities.
What are the potential risks of using open source components?
Unlike proprietary code written internally – where the primary concern is that an attacker might discover a previously unknown vulnerability – open source faces different risks.
When a vulnerability is discovered by a security researcher in the open source community, it is reported to one of the many databases and security advisory organizations, such as the National Vulnerability Database (NVD). Vulnerability disclosures help inform organizations that they may be using faulty components.
Potential attackers monitor these databases and use them to target organizations that deploy vulnerable components, in the hopes of attacking victims who are too slow to fix the flaws immediately. Therefore, the challenge for organizations is knowing which open source components they are using and which are vulnerable to exploitation. Basically, you can’t patch what you don’t know.
Another challenge is that it is virtually impossible to manage an ongoing inventory of the open source components used in your products and match them to newly discovered vulnerabilities through manual tracking. It’s certainly not scalable for any organization that has teams of developers, which is common today.
It is also extremely difficult to collect all open source vulnerability information from NVD and other resources. We will look at this topic in a future article.
Take control of open source application security testing
Understanding the vulnerability of your open source components is the first step towards improving the security of your applications. When managed properly, open source code is a valuable asset in the hands of developers.
However, with great power comes great responsibility. For leadership, that means making sure your team has the tools they need to effortlessly maintain an appropriate inventory of open source components – and use that information to create actionable steps to keep your products safe.