The amount of open source code used in modern applications has exploded. According to several surveys, a large majority of companies report that open source components and third-party libraries are embedded in their applications, both internal and external. Developers recognize that using open source lets them speed up software development and focus on the code that is unique to their product instead of recreating what has already been built and proven.
With this adoption, the question of whether open source is as secure as proprietary code has arisen. On one hand, open source is exposed to attackers because they can read the code; on the other, because many open source projects have a large number of contributors, more people can react quickly to vulnerabilities and fix them when they are discovered.
Ou Chen, director of R&D and head of the software composition analysis (SCA) group at the software security solutions provider Checkmarx, said open source developers are more aware of security and vulnerabilities than ever before, but many do not follow company standards for secure coding practices.
Among those standards, he said, are ensuring that code is reviewed at all stages of software development, that repositories have designated custodians, and that customers and consumers are notified about newly discovered vulnerabilities. Most importantly, he noted, developers using open source in their applications should understand the components, know who maintains that code, and make sure the repositories are continuously analyzed.
“Developers should keep upgrading their packages even if there are no new vulnerabilities or new functionality they need. Just make sure you’re up to date,” Chen said. “It will make your life easier when you need to update it due to a vulnerability.”
Another key standard that developers using open source should follow is repository scanning with security tools similar to those they already use for static code analysis. In this case, though, software composition analysis is also needed: it quickly scans the code base to detect open source libraries, including direct and transitive dependencies, identifies the specific versions in use, and identifies the associated vulnerabilities and licensing risks you should be aware of. The ideal scenario is a solution that offers both static analysis and open source analysis, so that developers can take a one-stop-shop approach.
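To make the SCA steps just described concrete, here is an added example (not Checkmarx code, and not a real SCA tool) that walks a constructed lockfile, resolves direct and transitive dependencies, matches pinned versions against an embedded advisory list, flags licences of concern, and ranks the findings. Every package name, version, advisory ID and licence in it is constructed for the example.

```python
"""Minimal software-composition-analysis (SCA) pass over a constructed lockfile.

Added example, not Checkmarx code: walks direct and transitive dependencies,
matches each pinned version against an embedded advisory list, flags licences
of concern, and ranks findings so the most severe issues in direct and
widely used packages come first. All package names, versions, advisory IDs
and licences below are constructed for the example.
"""
from dataclasses import dataclass

# Constructed lockfile: package -> (pinned version, licence, dependencies)
LOCKFILE = {
    "webapp":     ("1.0.0", "MIT",        ["http-core", "math-utils"]),
    "http-core":  ("2.3.1", "Apache-2.0", ["url-parse", "log-lite"]),
    "math-utils": ("0.9.2", "GPL-3.0",    ["log-lite"]),
    "url-parse":  ("1.4.0", "MIT",        []),
    "log-lite":   ("3.0.5", "MIT",        []),
}

# Constructed advisory database: (package, affected range, CVSS-style score, id)
ADVISORIES = [
    ("url-parse",  "<1.5.0", 7.5, "EXAMPLE-ADV-0001"),
    ("log-lite",   "<3.0.5", 9.1, "EXAMPLE-ADV-0002"),  # fixed in 3.0.5
    ("math-utils", "<1.0.0", 5.3, "EXAMPLE-ADV-0003"),
]

# Licences that a policy team may want flagged for review
COPYLEFT = {"GPL-3.0", "AGPL-3.0"}


def parse_version(text):
    """'1.4.0' -> (1, 4, 0); simple dotted integers are enough for the example."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version, spec):
    """True when version falls inside an advisory's '<X.Y.Z' range."""
    if not spec.startswith("<"):
        raise ValueError(f"unsupported range spec: {spec}")
    return parse_version(version) < parse_version(spec[1:])


def resolve(lockfile, root):
    """Breadth-first walk from root; returns {package: (depth, dependent_count)}.

    depth 1 = direct dependency, deeper = transitive; dependent_count is how
    many packages in the graph require it (a rough measure of usage).
    """
    depth = {root: 0}
    dependents = {root: 0}
    queue = [root]
    while queue:
        pkg = queue.pop(0)
        for dep in lockfile[pkg][2]:
            dependents[dep] = dependents.get(dep, 0) + 1
            if dep not in depth:
                depth[dep] = depth[pkg] + 1
                queue.append(dep)
    return {name: (depth[name], dependents[name]) for name in depth}


@dataclass
class Finding:
    package: str
    version: str
    kind: str        # "vulnerability" or "licence"
    detail: str      # advisory id or licence name
    severity: float  # 0.0 for licence findings
    direct: bool
    dependents: int


def analyse(lockfile, root, advisories, copyleft):
    """Return findings sorted by severity, then direct-before-transitive, then usage."""
    graph = resolve(lockfile, root)
    findings = []
    for name, (depth, dependents) in graph.items():
        if name == root:
            continue
        version, licence, _ = lockfile[name]
        for adv_pkg, spec, score, adv_id in advisories:
            if adv_pkg == name and is_affected(version, spec):
                findings.append(Finding(name, version, "vulnerability", adv_id,
                                        score, depth == 1, dependents))
        if licence in copyleft:
            findings.append(Finding(name, version, "licence", licence,
                                    0.0, depth == 1, dependents))
    findings.sort(key=lambda f: (-f.severity, not f.direct, -f.dependents))
    return findings


if __name__ == "__main__":
    for f in analyse(LOCKFILE, "webapp", ADVISORIES, COPYLEFT):
        scope = "direct" if f.direct else "transitive"
        print(f"{f.package}@{f.version} [{scope}, {f.dependents} dependents] "
              f"{f.kind}: {f.detail} severity={f.severity}")
```

The ranking key is the point of the example: a transitive dependency two levels down (url-parse) still comes first because its score is higher, while log-lite, pinned exactly at the fixed version, produces no finding at all. Real advisory data uses richer range syntax and real version schemes; the simple `<X.Y.Z` form here is an assumption made to keep the example short.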
Chen noted that there are differences between using open source components or frameworks supported by organizations such as the Linux Foundation or commercial open source providers such as Red Hat and many others, and the use of open source built by a small community of developers who may not have established corporate standards.
Vulnerabilities can be found in these small projects too, but it may take longer to fix them, because there may be no one watching for newly reported issues, and the community supporting the project may not have good remediation practices in place, he said.
Modern security risks
Major frameworks, web servers, and languages such as React, Angular, Django, and Spring are backed by major vendors that follow industry standards. But the small packages that Chen says are used for specific purposes, such as a mathematical calculation or a database connection, may not have the same kind of support. “I see, based on the usage of our customers, that every large company could end up with an open source component developed by [small communities], and these packages may have been discontinued and no longer be maintained.
“So when you find a security vulnerability in a smaller package, there may be no one available to fix it immediately,” he continued. “It’s part of what we call modern open source risks and technical debt that can be inherited from packages that are no longer supported by the community. This responsibility also increases risk beyond just vulnerabilities and licensing issues.”
Today, hackers look for packages that are not backed by the Linux Foundation or the other big vendors but are nonetheless popular. In such cases, Chen explained, hackers will often open pull requests that inject some sort of malicious code no one notices, and a company can end up with a Bitcoin miner in production, for example. “As this ecosystem evolves, we are starting to see increasingly sophisticated and modern risks in open source areas.”
Another big risk for businesses comes from legacy projects that could use outdated open source packages. In those, he said, there may not be the kind of governance and oversight of what goes in and what goes out of those packages.
In addition, some vulnerabilities are not exploitable at the moment, but in the next version of the application new attacks could emerge that exploit those vulnerabilities within methods and functions. “My recommendation is to keep your code as clean as possible and as secure as possible at all times. Don’t leave any vulnerabilities inside.”
“In legacy projects,” he said, “trying to upgrade all of the dependencies to the latest is going to be a near impossible task. Upgrading them isn’t a small effort, but by sorting out the most exploitable vulnerabilities and focusing on the packages you use the most, this task will be less threatening.”
New environments are a challenge
Chen pointed out that organizations seeing an uptick in digital transformation are working with microservices and consuming a lot of open source to kick-start their efforts and get projects production-ready as quickly as possible. The lack of best practices in some of these cases, he said, will hurt them in the long run. “Hackers create all kinds of fake packages, typosquatted packages on fake sites, or just inject vulnerable code into existing packages. Additionally, hackers often use open source for their own financial benefit, so when you run your application in production, they just want you to run their Bitcoin miner.”
Finally, hackers are now looking for repositories on GitHub that don’t have any sort of security barrier, he said, so they are “just free to put in whatever they want and wait for someone to consume it.”
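Two of the risks raised in this section, lookalike package names and packages nobody maintains any more, can be caught with simple gating before a dependency is ever installed. The following is an added example (not Checkmarx code) of such a pre-install check: it flags requested names that sit within one edit of an approved package name, and routes approved packages with no release inside a policy window to review. The approved list, the registry release dates and the reference date are all constructed for the example.

```python
"""Pre-install checks on requested dependency names, added as an example
(not Checkmarx code). Two defensive signals an organisation can apply before
a package reaches a build:

  1. the requested name is within one edit of a package on the approved
     list, the typosquatting pattern described above;
  2. the package's latest release is older than a policy threshold, which
     hints at an unmaintained project with no one left to fix vulnerabilities.

The approved list, registry dates and the reference date are constructed.
"""
from datetime import date

APPROVED = {"requests", "numpy", "django", "flask", "cryptography", "leftpad-lite"}

# Constructed registry metadata: package -> date of its latest release
LATEST_RELEASE = {
    "requests": date(2024, 5, 20),
    "requets": date(2024, 6, 1),        # lookalike, recently published
    "leftpad-lite": date(2016, 3, 22),  # approved but long unmaintained
}
TODAY = date(2024, 7, 1)  # fixed reference date so the example is reproducible
MAX_AGE_DAYS = 730        # policy: flag anything without a release in two years


def edit_distance(a, b):
    """Optimal-string-alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def check_name(name, approved, max_distance=1):
    """Classify a requested name: 'ok', 'lookalike' (near an approved name) or 'unknown'."""
    if name in approved:
        return "ok", name
    closest = min(approved, key=lambda ap: edit_distance(name, ap))
    if edit_distance(name, closest) <= max_distance:
        return "lookalike", closest
    return "unknown", closest


def is_stale(name, latest_release, today, max_age_days=MAX_AGE_DAYS):
    """True when the latest release is older than the policy threshold (or unknown)."""
    released = latest_release.get(name)
    if released is None:
        return True
    return (today - released).days > max_age_days


def review(requested, approved=APPROVED, latest_release=LATEST_RELEASE, today=TODAY):
    """Return (name, verdict) pairs; lookalikes are blocked, others pass or go to review."""
    report = []
    for name in requested:
        verdict, closest = check_name(name, approved)
        if verdict == "lookalike":
            report.append((name, f"BLOCK: lookalike of approved package '{closest}'"))
        elif verdict == "unknown":
            report.append((name, "REVIEW: not on the approved list"))
        elif is_stale(name, latest_release, today):
            report.append((name, "REVIEW: no release within policy window"))
        else:
            report.append((name, "OK"))
    return report


if __name__ == "__main__":
    for name, verdict in review(["requests", "requets", "djnago", "leftpad-lite", "brand-new-pkg"]):
        print(f"{name:>14}  {verdict}")
```

The distance-one rule catches the two cheapest lookalike tricks, a dropped letter (requets) and a swapped pair (djnago), while leaving genuinely new names to a human rather than blocking them outright; the staleness check is deliberately a review signal and not a block, since an old release date is a hint about maintenance, not proof of a problem.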
The bottom line
Ultimately, open source is here to stay. It brings immense benefits to developers by enabling them to build applications faster and at scale. However, as malicious actors increasingly target these components to gain access to sensitive and valuable data, taking advantage of SCA solutions that not only spot vulnerabilities earlier in the development cycle but also help prioritize and resolve issues more effectively and efficiently is essential. Only then will developers be able to enjoy the real benefits of open source in a secure manner.
Content provided by SD Times and Checkmarx