Tools detect security flaws in open source code


This year has been the best of times and the worst of times for open source and security.

On the one hand, the latest survey conducted by Black Duck Software and North Bridge Venture Partners shows that 72% of industry professionals prefer open source software because it is more secure than proprietary solutions.


On the other hand, Heartbleed revealed a security flaw in the widely used open-source OpenSSL encryption tool that affected more than half a million websites. Also this spring, TrueCrypt quit unexpectedly, citing “unresolved security issues” on its SourceForge page, and a critical bug in GnuTLS on Linux was finally exposed after going undiscovered for over 10 years.

Open source software is widely used in business – in web servers running Linux and Apache, in databases, in the Android operating system, in code libraries used by enterprise developers and embedded in commercial software packages.

Avoiding open source altogether is not an option, but blindly trusting the open source community to fix all errors is also problematic.

One solution is to use automated code analysis tools to scan code for known vulnerabilities and common programming errors. Fortunately, automated tools are improving every year.

Trust, but verify

Over the past few years, more than 5,000 security vulnerabilities have been discovered in open source code, according to the National Vulnerability Database.

Ideally, a company would check each of these vulnerabilities against open source software packages they use, as well as open source software used in commercial packages, and even pieces of code that their own programmers have copied from the Internet.

“The reality is that developers are copying and pasting code from open source projects every day,” said Dave Gruber, vice president of product management at Black Duck Software.

And large organizations are constantly adding new open source software to their environments, which means checking for vulnerabilities should be an ongoing process.

“For organizations that do it manually, it becomes very overwhelming very quickly,” Gruber said.

Black Duck Software, in addition to conducting an annual survey of how companies use open source, also offers software analysis tools that help companies find all the open source software, components, and even code snippets they use, then compare them against the list of known vulnerabilities.
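The check described above, as an added example rather than Black Duck's own code: an inventory of components in use is crossed with a list of advisories that name affected version ranges, and a whitespace-normalised hash identifies a copied-and-pasted file. The inventory, the advisory list (with placeholder ids, not real CVE numbers) and the snippet index are all constructed for the demonstration; a real tool would pull the advisory list from the National Vulnerability Database and keep a far larger index of project sources.

```python
import hashlib
import re

# Constructed inventory of components in use, as a scanning tool would
# recover it from package manifests or vendored source: name -> version.
INVENTORY = {
    "openssl": "1.0.1f",
    "gnutls": "3.2.12",
    "apache-httpd": "2.4.10",
    "libpng": "1.6.12",
}

# Constructed advisory list with placeholder ids (not real CVE numbers).
# 'affected' is the half-open version range [first affected, first fixed).
ADVISORIES = [
    {"id": "ADV-0001-PLACEHOLDER", "component": "openssl",
     "affected": ("1.0.1", "1.0.1g")},
    {"id": "ADV-0002-PLACEHOLDER", "component": "gnutls",
     "affected": ("3.0.0", "3.2.13")},
    {"id": "ADV-0003-PLACEHOLDER", "component": "apache-httpd",
     "affected": ("2.4.0", "2.4.9")},
]


def parse_version(version: str) -> tuple:
    """Turn '1.0.1f' into a tuple that compares correctly: numeric parts
    compare as integers, and a letter suffix (OpenSSL style) sorts after
    the bare number and alphabetically among suffixes."""
    parts = []
    for token in re.findall(r"\d+|[A-Za-z]+", version):
        parts.append((0, int(token)) if token.isdigit() else (1, token.lower()))
    return tuple(parts)


def is_affected(version: str, affected: tuple) -> bool:
    """True when version lies in [first_affected, first_fixed)."""
    first_affected, first_fixed = affected
    parsed = parse_version(version)
    return parse_version(first_affected) <= parsed < parse_version(first_fixed)


def find_known_vulnerabilities(inventory: dict, advisories: list) -> list:
    """Cross the inventory with the advisory list; returns sorted
    (component, version, advisory id) triples for every match."""
    hits = []
    for advisory in advisories:
        version = inventory.get(advisory["component"])
        if version is not None and is_affected(version, advisory["affected"]):
            hits.append((advisory["component"], version, advisory["id"]))
    return sorted(hits)


def fingerprint(source: str) -> str:
    """Whitespace-normalised SHA-256 of a source file, so a copied snippet
    that was merely re-indented still matches the original it came from."""
    normalised = " ".join(source.split())
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


# Constructed index of snippet fingerprints -> (component, version), standing
# in for the database of open source projects a commercial tool maintains.
KNOWN_SNIPPET = "int add(int a, int b) {\n    return a + b;\n}\n"
SNIPPET_INDEX = {fingerprint(KNOWN_SNIPPET): ("tinymath", "0.9")}


def identify_snippet(source: str, index: dict = SNIPPET_INDEX):
    """Name the component a pasted file came from, or None if unknown."""
    return index.get(fingerprint(source))


if __name__ == "__main__":
    for component, version, advisory_id in find_known_vulnerabilities(INVENTORY, ADVISORIES):
        print(f"{component} {version}: affected by {advisory_id}")
    pasted = "int add(int a, int b) {\n        return a + b;\n}\n"
    print("pasted snippet identified as:", identify_snippet(pasted))
```

The version comparison handles the OpenSSL letter-suffix scheme but deliberately ignores pre-release tags and distribution backports, which is exactly where inventory-based matching produces false positives: a distribution may ship a patched 1.0.1f under the same version string. Because new components arrive constantly, the cross-check belongs in a scheduled job, not a one-off audit.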


Its more than 1,400 customers include 27 of the Fortune 100, six of the top 10 investment banks and seven of the top ten software companies. The company currently has more than a million open source projects in its database, Gruber said.

“We follow all major open source forges around the world,” he said.

Find new bugs before they bite

Finding and fixing known vulnerabilities is important and an essential first step in securing open source software.

But what about unknown vulnerabilities? There are also tools to help you.

One such tool is New York-based CAST’s Application Intelligence Platform, which can scan software for bugs and vulnerabilities and pinpoint where problems lie.

“In an average application, there are 100 to 120 security vulnerabilities that we find,” said Lev Lesokhin, senior vice president at CAST.

Common issues include SQL injection, where an attacker trying to break into an application enters a fragment of database query in place of the data a form requests, so that the application's own query runs the attacker's logic. This technique is not new.

“But it’s still the most common way criminals get into the system,” Lesokhin said.

According to the latest Verizon Breach Report, published in April, SQL injections were used in 80% of web application attacks.
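The flaw described above, side by side with the fix, as an added example that is not CAST's code: a lookup that splices user input into the query text returns every row when the input contains query syntax, while the same lookup with a bound parameter treats the input as plain data. The block also carries a small static check of the kind these analysis tools perform, flagging `execute()` calls whose SQL is assembled at the call site. The in-memory table, the input string and the sample source file are constructed for the demonstration; the check only inspects the call expression itself, whereas a real analyser also follows the value through variables.

```python
import ast
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed user table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def lookup_email_vulnerable(conn, username: str) -> list:
    """Builds the SQL text by concatenation, so whatever the caller typed
    into the username field is parsed as part of the query."""
    query = "SELECT email FROM users WHERE username = '" + username + "'"
    return sorted(row[0] for row in conn.execute(query))


def lookup_email_safe(conn, username: str) -> list:
    """Bound parameter: the value travels separately from the query text and
    is never interpreted as SQL, whatever characters it contains."""
    rows = conn.execute("SELECT email FROM users WHERE username = ?", (username,))
    return sorted(row[0] for row in rows)


# Constructed input that carries query syntax instead of a username.
INJECTED_INPUT = "x' OR '1'='1"


def find_runtime_built_queries(source: str) -> list:
    """Tiny static check in the spirit of the tools the article describes:
    flag .execute()/.executemany() calls whose first argument is assembled
    at the call site by concatenation, %-formatting, an f-string or
    str.format. Returns sorted (line number, reason) pairs."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in ("execute", "executemany") and node.args):
            continue
        sql = node.args[0]
        if isinstance(sql, ast.BinOp) and isinstance(sql.op, (ast.Add, ast.Mod)):
            findings.append((node.lineno, "SQL built by concatenation or % formatting"))
        elif isinstance(sql, ast.JoinedStr):
            findings.append((node.lineno, "SQL built with an f-string"))
        elif (isinstance(sql, ast.Call) and isinstance(sql.func, ast.Attribute)
              and sql.func.attr == "format"):
            findings.append((node.lineno, "SQL built with str.format"))
    return sorted(findings)


# Constructed source file for the static check: two flawed queries, one safe.
SAMPLE_SOURCE = '''\
def by_concat(conn, username):
    return conn.execute("SELECT email FROM users WHERE username = '" + username + "'")

def by_fstring(conn, username):
    return conn.execute(f"SELECT email FROM users WHERE username = '{username}'")

def parameterised(conn, username):
    return conn.execute("SELECT email FROM users WHERE username = ?", (username,))
'''


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup:", lookup_email_vulnerable(db, INJECTED_INPUT))
    print("safe lookup:      ", lookup_email_safe(db, INJECTED_INPUT))
    for line, reason in find_runtime_built_queries(SAMPLE_SOURCE):
        print(f"line {line}: {reason}")
```

The safe lookup does not escape or filter anything; it relies on the driver keeping query text and values apart, which is why parameterised queries, not input sanitisation, are the standard mitigation. The static check is the shape a "common programming error" rule takes: a syntactic pattern that is cheap to scan for across a large code base and that a reviewer can confirm or dismiss quickly.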

“One of the myths of open source software is that there are millions of eyeballs looking at the source code and fixing it,” he said. “But this is only true for very few open source projects. The rest – someone wrote something and made it open source.”

It may have been written by an amateur, or someone who has moved on and no longer maintains the software.

But it could still be useful code that could save a business developer hours, days, or even weeks of work.

“Any component you can think of, there’s an open-source example you can reuse,” Lesokhin said.

But one company brings its code analysis technology to the source, that is, to the open source projects themselves. And since these projects are usually not well funded, the technology is freely available.


It’s called Coverity Scan and is provided in the cloud by San Francisco-based Coverity, Inc. It scans software for all common types of security issues, including buffer overflows, cross-site scripting, insecure data handling, SQL injection, security misconfigurations, and illegal memory access.

It began in 2006 as a public-private research project between Coverity and the US Department of Homeland Security, and has been used to analyze some of the most prominent C and C++ open source projects, including Linux, Apache, PHP, and PostgreSQL. Last year, Coverity Scan was extended to also include Java.

“They get the same platform as our customers, but in the cloud,” said Zack Samocha, the company’s senior product manager.

The past few months have been difficult for open source projects from a security perspective, he said.

“The Heartbleed problem was huge,” he said.

However, there was a silver lining. High-profile security issues have drawn attention to the need for better security control of open source software.

“More than 400 new projects signed up for Coverity analytics after becoming aware of this issue,” he said. “The open source community is maturing and understanding the need for these kinds of tools to succeed. They make more sure that the quality is better and the safety is better.”

Coverity now analyzes more than 2,200 different open source projects, he said.

In April, Coverity published a report analyzing the code of more than 700 C and C++ projects, in addition to a sample of Java projects and anonymous enterprise projects, totaling more than 750 million lines of code. The analysis showed that, for the first time since the company began running the analyses eight years ago, the quality of open source code exceeded that of proprietary code.

This may be partly due to the increased focus on fixing coding issues by open source projects themselves. Linux, for example, used Coverity scans to reduce the average time needed to fix a newly discovered flaw from 122 days to just six days.

Coverity is also used by companies internally. Its customers include major brands such as SAP, Air France, Comcast and Barclays, as well as nine of the top ten software companies and seven of the top ten aerospace companies.

“The amount of source code is rapidly increasing in size and yet we maintain consistent quality,” said Yoshinori Tsujido, personnel manager of Mitsubishi Electric Sanda Works, in a statement. “I don’t know where we would be now if we weren’t using Coverity.”


According to IDC projections, the global software quality analytics market surpassed $500 million in 2013 and will reach $906 million in revenue by 2017, a compound annual growth rate of over 15%.

“With the growing number of highly public failures of business-critical systems, the urgency to address software quality analysis has never been more apparent,” said IDC analyst Melinda Ballou in a statement. “The dire need to improve corporate and developer hygiene in this area is clear.”

Copyright © 2014 IDG Communications, Inc.