Almost 60% of all code bases used by businesses contain at least one vulnerability from open source components, according to the “Open Source Security and Risk Analysis“(OSSRA) report, published by Black Duck by Synopsys.
As worrying as it sounds, the reality is that, whether it’s proprietary code or open source code, software will inevitably have vulnerabilities. But experts overwhelmingly agree that open source code libraries are much more secure than commercial software.
The problem is not in using open source libraries. Software vulnerabilities exist because writing secure code is so difficult, which is one of the reasons so many companies rely on open source projects.
âOpen source code is not inherently more secure; it’s more secure, âsays Justin Hutchings, senior product manager, security at GitHub. “Yes [companies] writing less custom code is less likely to introduce new security issues. However, the use of open source also requires that companies remain as diligent in updating their open source dependencies as they would be in updating their own code. “
Stimulate innovation with Open Source
To stay competitive, businesses must use open source code, says Bart Copeland, CEO of ActiveState. âToday, in any organization, if you don’t use open source, you won’t be relevant anymore,â he says. âThe only way to drive innovation, speed, quality and cost is to embrace open source. “
It’s about focusing on the areas where you add value, adds Copeland. In areas where an organization itself does not add value, it relies on other people. The same is true for the development of software applications. âThere are a multitude of applications that are not essential to your business, and that’s where open source comes in,â says Copeland.
Where are the vulnerabilities?
The problem with seeing the same vulnerabilities over and over again is not with open source code, but with the lack of analysis and monitoring of the various libraries that companies use to develop products.
âIf developers are using open source libraries to develop their products and there is a vulnerability, the risk lies with the organization,â says Chris Eng, research director at Veracode. As applications are increasingly assembled from open source components, the potential for vulnerabilities to turn into risk is magnified.
Unfortunately, many organizations do not know where their risks are because they do not manage the software or the versions of the software that they are running, although there are tools available to help mitigate and manage the software risks.
âIn short, you don’t know what you don’t know,â says Cody Brocious, hacker and hacker training manager at HackerOne. âWe haven’t done a great job educating people on how to manage their networks with security in mind, which includes creating audit logs around the creation of new servers and knowledge of the software used. “
Most organizations do not have a clearly defined policy that ensures that developers who wish to use software go through an authorization process. âThere’s not a lot of direct return on this investment,â Brocious says. “People don’t think about these processes, and developing and adhering to policies costs money.”
Vulnerability versus risk
It’s worth repeating in any conversation about open source code vulnerabilities is that bugs come from software libraries, not from the applications themselves. And because open source libraries are used across a variety of applications, these vulnerabilities can affect a wide range of applications.
âIn most cases, however, these library vulnerabilities do not reduce the security of the application. Libraries are not used in a way that makes them vulnerable, âexplains Brocious.
While the risk should always be seen in context, it is important to note the difference between the technical aspect and what an attacker can actually do with the vulnerability. However, keep in mind that users don’t care how the software is built.
âWhen the Equifax breach occurred, users weren’t lining up to sue the Apache Foundation, but the vulnerability started in their Struts library,â said Hutchings of GitHub.
Open source risk management
Because many organizations don’t know what software they are running in the first place, when a vulnerability is detected, it is difficult to examine their networks and know if and where they can run any version of the software.
âThe problem here is that many organizations fail to keep up with updates released in third-party components combined with transparency from the open source community,â says Craig Young, IT security researcher for Tripwire’s VERT (Vulnerability and Exposure Research Team). “Vendors often use open source as a way to cut costs and speed to market without realizing the need to closely monitor these components for security or licensing issues.”
In general, Young adds, organizations that have moved forward without the right policies likely lack the expertise to catalog and effectively manage their software. While it can be useful to seek help outside the organization, there are also license analysis tools that are able to find and find common code patterns and assign them to the original project.
Regularly reviewing their open source inventory list is a key risk mitigation strategy for organizations, as is knowing what open source components are in different products. Companies should have a policy for cataloging the software they run and for managing vulnerabilities in that software.
âIt’s really about first knowing all the apps they have,â says Eng. âSome companies don’t even have that. For others, this information is scattered around. There are many different ways for someone to set up an application that an RSSI might not know about. [is] the.”
CISOs strive to evolve to a place where they have access to the most up-to-date information so that when an event comes out, they can respond to it and minimize business risk and exposure risk.
âDependence on open source will only increase as organizations are challenged to innovate faster,â says Eng. “The speed of innovation is going to make this problem a little more difficult, and it’s probably going to get a bit worse before it gets better.”