You might have heard of open source software before, but you probably haven’t considered how prevalent it is. Android, for example, which is still the most widespread mobile operating system despite the popularity of iOS, is built on the Linux kernel, itself open source software. When you browse the Internet, there is roughly a 45% chance that the website you are visiting is hosted on a web server running Apache, another open source application.
When software is released as open source, it means that the original author intends to give the code to the tech community, free to use, study, and improve. The collaboration these projects foster drives some of the greatest advancements in technology and makes the software accessible to people who can’t afford license fees.
Businesses also benefit from the ease of adopting open source code in everything from setting up their IT infrastructure to laying the groundwork for the applications they develop for their customers. The reality is that very few developers start their code from scratch; instead, they borrow components from open source libraries.
According to a recent survey conducted by Vanson Bourne on our behalf at CA Veracode, 93% of organizations use third-party components in their code, from commercial or open source libraries. Many common functions and components have already been written in these libraries and can be used directly in the application under development without modification. This gives developers more time to refine the custom parts of the code that will be the heart of business innovation, and less time worrying about things that already work well enough.
A worm in your apple
The benefits of open source code can be so enticing that businesses overlook the risks of building pieces of public, unverified software into their applications. Open source vulnerabilities are prized by attackers precisely because the code is so widely used. Once an attacker discovers a vulnerability in a popular open source package or library, they can potentially exploit thousands of systems running that code, amplifying the vulnerability’s impact many times over.
The most famous example is the vulnerability dubbed Heartbleed, disclosed in 2014. It took advantage of a flaw in OpenSSL, the open source library that computers use to encrypt their communications, and affected about 17% of all web servers at the time. Persistent instances of Heartbleed still affect servers, with up to 200,000 still vulnerable.
This is not to discourage the use of open source code. Businesses and developers simply can’t build software without it. Rather, it is important to draw attention to the risks. This is not just a developer issue, but one that requires the attention of business leaders, because severe vulnerabilities in software carry serious business risk.
The vulnerabilities attackers exploit lead to breaches, and breaches lead to brand damage, lost revenue, and alienated customers. As more companies become aware of the risks of vulnerabilities in their code, they increasingly demand a certain level of security from every member of their supply chain, even going so far as to perform in-depth code reviews of all vendors and partners to identify vulnerabilities that could put them at risk.
Mergers and acquisitions are also affected, because a known vulnerability or a poor security posture can weaken a negotiating position. These costs add up quickly, so businesses need to be proactive to avoid them in the first place. The first step is to quantify the cost, so that the return on implementing processes to find and fix these vulnerabilities becomes visible. Inevitably, businesses find that the cost of recovering from a data breach far outweighs the cost of increased investment in code integrity.
Open source risk and reward
Once a business understands what’s at stake, it can allocate the appropriate resources to mitigate the risks of open source components. According to the Vanson Bourne survey, among companies that currently use third-party components in their applications, only half update those components when a new security vulnerability is announced. If the elements that make up an application are not secure individually, the application will not be secure as a whole, no matter how many security products are layered on after the fact.
To address this proactively, companies should implement processes to track which open source components they use, which versions are deployed, and how to update them when a vulnerability is disclosed. Disclosed vulnerabilities are easily referenced in the National Vulnerability Database (NVD), and developers can look up the open source components used in their code there. However, not all vulnerabilities are reported to NVD, so its entries can be missing or incomplete, and software teams cannot rely solely on NVD to keep up with new disclosures. Heartbleed sat in OpenSSL for two years before it was discovered and patched, so it is important to keep an active inventory of all open source components in use and a robust process for patching them when necessary.
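The inventory-plus-feed check described above, as an added example (this is illustrative code written for this article, not CA Veracode tooling). It holds a constructed component inventory and a constructed local vulnerability feed whose range fields borrow NVD’s cpeMatch names (versionStartIncluding, versionEndExcluding, and so on), then reports every inventory entry that falls inside an affected range. The OpenSSL entry models Heartbleed (CVE-2014-0160: 1.0.1 up to but not including 1.0.1g); the second feed entry and its identifier are a placeholder constructed only to show a non-match. Because the matcher takes any list of entries, a team can concatenate NVD data with a vendor advisory feed, which is the point of not relying on NVD alone.

```python
"""Match an inventory of open source components against a local vulnerability
feed shaped like NVD's CPE version ranges. Example code for this article;
all data below is constructed."""
import re

# Constructed inventory: component name -> exact version deployed.
INVENTORY = {
    "openssl": "1.0.1f",
    "apache_http_server": "2.4.7",
    "zlib": "1.2.11",
}

# Constructed feed. Field names mirror NVD cpeMatch range fields.
# First entry models Heartbleed (CVE-2014-0160). Second entry is a
# placeholder (identifier EXAMPLE-0001 is not a real advisory) that
# exists only to show a version just outside an affected range.
FEED = [
    {"id": "CVE-2014-0160", "product": "openssl",
     "versionStartIncluding": "1.0.1", "versionEndExcluding": "1.0.1g"},
    {"id": "EXAMPLE-0001", "product": "apache_http_server",
     "versionStartIncluding": "2.4.0", "versionEndExcluding": "2.4.7"},
]

# Dotted numeric version with an optional single-letter suffix (OpenSSL style).
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z]?)$")
_PARTS = 4  # numeric components are zero-padded to this length for comparison


def parse_version(text):
    """Return a comparable tuple: padded numeric parts plus suffix ordinal.

    "1.0.1f" -> (1, 0, 1, 0, 6); "1.0.1" -> (1, 0, 1, 0, 0). Padding makes
    "1.0" and "1.0.0" compare equal instead of by tuple length.
    """
    match = _VERSION_RE.match(text.strip().lower())
    if not match:
        raise ValueError(f"unsupported version string: {text!r}")
    nums = tuple(int(p) for p in match.group(1).split("."))
    if len(nums) > _PARTS:
        raise ValueError(f"too many version components: {text!r}")
    suffix = ord(match.group(2)) - ord("a") + 1 if match.group(2) else 0
    return nums + (0,) * (_PARTS - len(nums)) + (suffix,)


def version_in_range(version, entry):
    """True if version lies inside the entry's NVD-style range bounds.

    Every bound is optional; an entry with no bounds matches all versions.
    """
    v = parse_version(version)
    lo_inc = entry.get("versionStartIncluding")
    lo_exc = entry.get("versionStartExcluding")
    hi_inc = entry.get("versionEndIncluding")
    hi_exc = entry.get("versionEndExcluding")
    if lo_inc is not None and v < parse_version(lo_inc):
        return False
    if lo_exc is not None and v <= parse_version(lo_exc):
        return False
    if hi_inc is not None and v > parse_version(hi_inc):
        return False
    if hi_exc is not None and v >= parse_version(hi_exc):
        return False
    return True


def find_affected(inventory, feed):
    """Return sorted (product, version, advisory id) for every matching entry."""
    hits = []
    for entry in feed:
        version = inventory.get(entry["product"])
        if version is None:
            continue  # component not deployed here
        if version_in_range(version, entry):
            hits.append((entry["product"], version, entry["id"]))
    return sorted(hits)


if __name__ == "__main__":
    for product, version, advisory in find_affected(INVENTORY, FEED):
        print(f"{product} {version} is affected by {advisory}")
```

Running the script reports only openssl 1.0.1f; apache_http_server 2.4.7 sits exactly on the exclusive upper bound and is correctly not flagged. The suffix handling exists because OpenSSL’s patch releases of that era were distinguished by a trailing letter, which a plain numeric comparison would silently ignore.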
Open source code is a powerful catalyst for businesses, which is exactly why it is tempting to focus on business priorities rather than security implications when applications are developed for release. Open source software comes with risks, but with the right knowledge and technology, security can be built in early in the software development lifecycle to reduce the risk of a breach. The good news is that the community spirit of the open source movement means many people are working to make it as safe as possible, because at the end of the day, strong security starts with secure code.