COVID-19 has impacted everything over the past year, and mobile app security is no exception. The Synopsys Cybersecurity Research Center (CyRC) has taken an in-depth look at application security and found out just how vulnerable applications that use open source code really are. According to the report, 98% of applications use open source code and 63% of these applications have at least one known vulnerability.
Open source code is no more and no less vulnerable than any other code, Jonathan Knudsen, senior security strategist at Synopsys, was quick to point out in an email interview. The main security task for any organization that uses open source code is knowing how to handle the code properly.
“The report highlights, among other things, that managing security vulnerabilities in open source software components is a very real problem,” Knudsen said. The challenge lies in the self-service nature of open source. With no commercial vendor to distribute updates and fixes, the onus is on developers and the business to assess and monitor security risks and to plan for the security issues that will inevitably arise.
Open source adoption
Developers are turning to open source because it lets them build 20-30 times faster than writing everything from scratch, and getting a mobile app to market quickly is a top priority. This need for speed has created a dependency on open source. It has also led many IT organizations to prioritize development over security simply to stay competitive in the market.
“To stay competitive, software development teams must figure out how to write code quickly, without sacrificing security to create value and maintain a competitive advantage for their organizations,” said Yaniv Bar-Dayan, CEO and co-founder of Vulcan Cyber. Until that happens, open source will continue to be the benchmark code.
Code audits for vulnerabilities are easier to do on open source software, which is both a blessing and a curse; threat actors and well-meaning developers both have equal access to the code.
“Ethical hackers can review well-maintained open source projects and quickly identify and report vulnerabilities to help them be remedied,” said Hank Schless, senior director of security solutions at Lookout. “Threat actors can observe the code, find a vulnerability, and figure out how to exploit it as quickly as possible.”
On the other hand, Schless added, closed or proprietary source code can experience the same maintenance issues. “Although the quality of open and closed source code varies, moving from open source to closed source code can mean swapping known vulnerabilities for unknown ones.”
A more secure mobile application
When open source code is used, it usually brings along its own list of other open source components required for its functionality. These transitive dependencies can run deep and snowball, adding hundreds of components or more. An open source project can end up including hundreds of layers and dozens of possible vulnerabilities. Because of this, you can never test a single layer, trust it, and assume the whole is fine. Each layer should be tested and regularly checked for updates and patches.
“Software Composition Analysis (SCA) is a type of security testing that automates much of the work of identifying software components in use, correlating known vulnerabilities, and raising alerts when new vulnerabilities are identified,” Knudsen said.
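To make the point about transitive layers concrete, here is a small SCA-style correlation added for this article (it is not Synopsys/CyRC tooling or code from the report). The dependency tree, package names, versions and advisory identifiers are all constructed; it shows how a check limited to the top-level manifest reports nothing while a walk over every layer surfaces the vulnerable components and the direct dependencies that pull them in.

```python
from collections import deque

# Constructed dependency graph (invented names/versions): (name, version) -> requirements.
DEPENDENCY_TREE = {
    ("mobile-app", "1.0.0"): [("http-client", "2.3.0"), ("image-cache", "1.1.0")],
    ("http-client", "2.3.0"): [("json-parser", "0.9.1"), ("tls-shim", "4.0.2")],
    ("image-cache", "1.1.0"): [("lru-store", "3.2.0")],
    ("lru-store", "3.2.0"): [("json-parser", "0.9.1")],
}

# Constructed advisory feed: name -> {affected version: placeholder advisory id}.
KNOWN_VULNERABLE = {
    "json-parser": {"0.9.1": "ADVISORY-PLACEHOLDER-1"},
    "tls-shim": {"4.0.2": "ADVISORY-PLACEHOLDER-2"},
}

def reachable(start, tree):
    """Breadth-first walk returning {component: minimum depth below start}."""
    depth = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for child in tree.get(node, []):
            if child not in depth:  # shared and cyclic nodes are visited once
                depth[child] = depth[node] + 1
                queue.append(child)
    return depth

def correlate(root, tree, advisories, max_depth=None):
    """Match every component reachable from root against the advisory feed.
    max_depth=1 checks only direct dependencies (a top-level manifest review);
    None walks every transitive layer. Findings record which direct deps pull it in."""
    per_direct = {d: reachable(d, tree) for d in tree.get(root, [])}
    findings = []
    for (name, version), depth in reachable(root, tree).items():
        if max_depth is not None and depth > max_depth:
            continue
        advisory = advisories.get(name, {}).get(version)
        if advisory is None:
            continue
        via = sorted(d[0] for d, reach in per_direct.items() if (name, version) in reach)
        findings.append({"component": name, "version": version, "depth": depth,
                         "advisory": advisory, "via": via})
    return sorted(findings, key=lambda f: (f["depth"], f["component"]))

if __name__ == "__main__":
    root = ("mobile-app", "1.0.0")
    print("direct only:", correlate(root, DEPENDENCY_TREE, KNOWN_VULNERABLE, max_depth=1))
    print("all layers: ", correlate(root, DEPENDENCY_TREE, KNOWN_VULNERABLE))
```

A real SCA tool replaces the constructed tree with a parsed lockfile or SBOM and the placeholder feed with a maintained vulnerability database, but the correlation step is the same.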
Managing the open-source components of an application is important, Knudsen added, but it’s far from the end of the story.
“Applications will only be more secure when they are better designed with a holistic and proactive approach to security. This means integrating security into every phase of software development, from design to implementation, testing and maintenance. Automated security testing is useful in several phases and includes SCA, static analysis, fuzzing, and other types of dynamic testing.