Open source software is very popular and makes up a significant portion of business applications. According to Synopsys, 99% of commercial databases contain at least one open source component, and nearly 75% of these codebases contain open source security vulnerabilities.
One of the major reasons why companies and developers choose to work with open source software is that it saves them from having to develop these base capabilities themselves.
Oh, and open source software is free!
Despite its advantages, open source software tends to have vulnerabilities that might impact your data and organization. In order to give you an overview of how open source security risks can impact your business, we have listed the top three open source security risks and ways to address them.
Before we dive into the article, let’s take a look at what exactly open source vulnerabilities are.
What Are Open Source Vulnerabilities?
Open source vulnerabilities are basically security risks in open source software. These are weak or vulnerable code that allows attackers to conduct malicious attacks or perform unintended actions that are not authorized.
In some cases, open source vulnerabilities can lead to cyberattacks like denial of service (DoS). It can also cause major breaches during which an attacker might get unauthorized access to sensitive information of an organization.
There are a lot of security concerns when it comes to open source software. For instance, OpenSSL is an encryption library responsible for managing highly sensitive data transmission functions by a wide variety of internet-connected software including the software that runs some of the most popular email, messaging, and web services.
You remember “Heartbleed”? Yes, that caused quite a stir! Yes, that was a critical open source vulnerability in a SSH library.
Similarly, another popular open source vulnerability was found in 2014 in Bash shell, the default command processor on many Linux distributions. It had an arbitrary command execution vulnerability that could be exploited remotely via server-side CGI scripts on web servers, and other mechanisms. This open source vulnerability is popularly known as “Shellshock.”
What are the Top 3 Open Source Security Risks?
Now that you have a fair idea about what open source security risks are, let’s explore the top three open source security risks that exist today and how you can mitigate these risks.
Software Security Risks
Open source vulnerabilities, once discovered, can be a tempting target for attackers to exploit them.
Typically, these open source vulnerabilities and the details about how to carry out the exploit are made publicly available. This enables hackers to gain all the necessary information they need to carry out an attack. Combine this with the widespread use of open source software, and you can imagine the havoc it creates when an open source vulnerability is found.
One of the major challenges organizations face while addressing open source vulnerabilities is that tracking them and their fixes aren’t as easy as one might assume.
Since these open source vulnerabilities are published across a wide variety of platforms, it becomes difficult to track them. Also, locating the updated version, patch, or fix to address the security risk is a time-consuming and expensive process.
Once an open source vulnerability and its path of exploitation are published, it’s just a matter of time until attackers exploit them and hack into your organization. It is imperative that businesses integrate necessary tools and processes to quickly address open source vulnerabilities.
Publicity of Exploits
Open source vulnerabilities are made publicly available on platforms like the National Vulnerability Database (NVD), which is accessible by anyone.
A famous example of attacks due to publicly available open source vulnerabilities was the major Equifax breach in 2017 where the credit reporting company had leaked personal information of 143 million people. This attack took place because Equifax was using a version of the open source Apache Struts framework that had high-risk vulnerabilities, and attackers used that vulnerability to their advantage.
Such attacks on open source software not only cause data leakage or loss but also impact a company’s market reputation, valuation, and customer relationships. This, in turn, can impact your customer churn rate, retention rate, sales, and revenue. Dealing with the impact of a breach caused due to open source vulnerabilities can be a lengthy, and painful process.
Licensing Compliance Risks
Open source software comes with a license that allows the source code to be used, modified, or shared under defined guidelines. However, the problem with these licenses is that most of them don’t meet the stringent OSI and SPDX definitions of open source.
In addition to that, single proprietary applications often include several open source components, and these projects are released under various license types, such as GPL, Apache License, or MIT License.
Organizations are required to comply with each individual open source license, which can be quite overwhelming. Especially with the rapid development and release cycle businesses follow along with the fact that there are nearly 200+ open source license types that exist today.
A study of 1,253 applications found that about 67% of codebases had license conflicts and 33% of codebases had unlicensed software. Non-compliance with licenses can put enterprises at the risk of legal action, impacting your operations, and financial security.
How Can You Beat These Open Source Security Risks?
Next, let’s take a closer look at the solutions to these open source security risks.
Build a Security-First Culture
Too often, developers choose to work with open source components based on the functionality and programming language they need. While functionality is important, other criteria should also be included.
For instance, each individual component of a project may offer functionality, without the need to integrate the entire project codebase. This helps limit the number of open source software and helps simplify integration, remove security risks, and reduce source code complexity as well in non-required components.
Open source software is just as likely to have security risks as any other software, so it’s necessary that each component you choose to work with offers functionality and is secure.
In addition to this, open source projects are usually focused on delivering new updates with new features for end users. Due to time and budget constraints, enterprises pay less attention to security and are more inclined to release the update as quickly as possible.
However, companies should maintain a balance between the new releases while ensuring that the design, implementation, and code is secure.
One of the most important things you can do is to inventory what open source software you use and track vulnerabilities that are associated with these libraries.
Embrace Automation and Scanning for Vulnerabilities in Open Source Software
Finding and fixing vulnerabilities in open source software is a big challenge in itself. Companies need to find a way to detect all security vulnerabilities in the open source code in their environments, update the list regularly, drive developers away from old, insecure software components, and finally deploy patches whenever security vulnerabilities are found.
One way to help combat this is to incorporate automated tools that help you continuously track your open source usage and identify security weaknesses, vulnerabilities, fixes, and updates.
Automation tools for open source software help identify which packages are being used in which projects, what security vulnerabilities they contain, and how they can be fixed. These tools often come with alerting features as well. If a vulnerability is discovered, notifications are sent to the concerned development and security team to alert them about the newly found security risks.
Integrating automation to scan security vulnerabilities in open source software is especially important for large organizations, since it can be difficult to track and identify vulnerabilities in all of their source code that is in use.
Most enterprises are not even aware of their full inventory of applications they have, which makes them more vulnerable to cyberattacks due to unidentified vulnerabilities in the source code. A report says nearly 88% of the codebases have open source components with no development activity at all in the last two years.
Cross-Train Your Staff
It’s not always easy or even possible to hire professionals who are experts in both development and security. It is, however, possible to train your teams so that they can approach the issues from both ends. While it isn’t always easy to hold regular cybersecurity awareness training for different teams, it’s critical for the overall security of your projects.
Enterprises should ensure that their developers have a general understanding of cybersecurity, as well as the latest trends and updates. Your developers should be able to identify common security issues that arise in open source code, if not fix them.
Similarly, the security team should be involved in the development process from the early stages. Rather than making security an after-thought, it should be a priority from the very beginning of a project.
Just as you analyze and track your development process, you should proactively monitor your security efforts as well. Taking a proactive approach can go a long way in being prepared to handle open source security risks.
Final Thoughts
Open source is an excellent model that can be found in many of today’s projects. However, to ensure secure open source code, you need to acknowledge the security risks that come with open source software. You have to make sure that each of your open source components is delivering value to the project and are secure.
Cypress Data Defense helps companies run security audits and strengthen the overall security of their projects by recommending the best security practices.
This post was originally published at CypressDataDefense.com.
Oldest comments (1)
Great article, Joy! I'm starting to work on automated vulnerabilities scanning in our CI/CD pipeline. The detection with the software of the leading vendors seems pretty good already, but I want to go one step further: whenever a vulnerability is found in an open source dependency I want to upgrade the dependency automatically (e.g. in package.json or pom.xml), check if the build and tests run successfully and open a PR. So that a developer (or maintainer) can release a fixed version with just one click.
Do you have a tool recommendation for that matter?
Just one more thing regarding your article. I don't understand the following part:
My impression is that open source software licenses are highly standardised, more than 90% of it meet the OSI and SPDX definitions - which is pretty easy, since all of the popular licenses are approved open source licenses by both of them: Apache License, BSD (the new one and the old one), GPL, LGPL, MIT, Mozilla. The full lists of OSI and SPDX are much longer. SPDX even contains the "Beerware License". 🤣