Black Duck report highlights open source vulnerabilities

By Marilyn de Villiers
Johannesburg, 31 May 2017
Users of OSS are responsible for keeping track of vulnerabilities as well as fixes and updates for the software they use.

With open source software (OSS) becoming mainstream, many organisations utilise it without even being aware of its presence - and that, according to US-based Black Duck's 2017 Open Source Security and Risk Analysis (OSSRA), makes them extremely vulnerable to attack.

The OSSRA looks at the state of open source security, compliance, and code-quality risk in commercial software based on data drawn from over 1 000 commercial applications audited in 2016.

The ubiquity of OSS is underscored by Forrester Research, which points out that even risk-averse governments now push open source-friendly policies. Paul Miller and Lauren E. Nelson, authors of the Forrester "Open Source Powers Enterprise Digital Transformation" report, note that one would be hard-pressed to find any Fortune 500 company that does not utilise open source as part of its IT development as well as within its broader organisational strategy.

In fact, Forrester has estimated that in application development, custom code comprises only 10% to 20% of applications.

Black Duck has found that on average, open source comprises between 23% and 46% of organisations' commercial applications. This provides opportunities for far-reaching attacks from those seeking to exploit security vulnerabilities.

With 3 623 new open source component vulnerabilities reported in 2016, Black Duck's analysis found that 67% of applications that use open source had vulnerabilities in the components used - with each app containing an average of 27 open source vulnerabilities.

High-risk vulnerabilities were identified in even the most commonly used open source components including versions of Linux Kernel, PHP, MS .NET Framework, and Ruby on Rails. Vulnerabilities were also found in Apache Tomcat and OpenSSL.

Even more concerning, perhaps, is the fact that the vulnerabilities identified had been public knowledge for over four years.

Black Duck found that 4% of the tested applications included the Poodle vulnerability; another 4% included Freak; 3.5% included Drown; and even Heartbleed, perhaps the most well-known vulnerability of all, was found in about 1.5% of the code bases analysed.

The OSSRA report notes that the tools used by organisations to detect the threats and identify coding errors that could result in security issues are not effective at identifying vulnerabilities that enter code through open source components.

"Open source is neither more nor less secure than custom code. However, there are certain characteristics of open source that make vulnerabilities in popular components very attractive to attackers," the report states.

Unlike commercial software, users of OSS are responsible for keeping track of vulnerabilities as well as fixes and updates for the open source they use.

In addition, vulnerabilities can enter code bases in a variety of ways. If organisations are not aware of all the open source in use, they can't defend themselves against common attacks targeting known vulnerabilities in those components.

"It is therefore important that organisations remember that infrastructure and language components also need to be monitored as part of a sound open source security practice," the report concluded.
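The monitoring practice the report calls for comes down to two things: knowing every component an application actually ships, including the transitive ones pulled in by a direct dependency, and checking each component's version against published advisories. The following script, added here as an illustration and not taken from the Black Duck report or any of its tooling, shows that check on a constructed inventory and a constructed advisory list; every component name, version and advisory identifier in it is made up, and the identifiers are placeholders rather than real CVE numbers.

```python
"""Minimal open source component check (added, constructed example).

Takes an inventory of the components an application actually ships
(direct dependencies plus the transitive ones a lock file or SBOM reveals)
and matches each against an advisory list using version ranges.
All component names, versions and advisory identifiers here are made up;
the identifiers are placeholders, not real CVE numbers.
"""
from dataclasses import dataclass


def parse_version(text):
    """Turn '1.0.1f' or '2.4.12' into a comparable tuple.

    Each dotted field becomes (number, suffix); a letter suffix in the
    OpenSSL style sorts after the bare release, so
    1.0.1 < 1.0.1a < 1.0.1f < 1.0.2.
    """
    parts = []
    for field in text.split("."):
        i = 0
        while i < len(field) and field[i].isdigit():
            i += 1
        parts.append((int(field[:i]) if i else 0, field[i:]))
    return tuple(parts)


@dataclass(frozen=True)
class Advisory:
    component: str
    introduced: str   # first affected version, inclusive
    fixed: str        # first fixed version, exclusive
    published: int    # year the issue became public
    ident: str        # placeholder identifier, not a real CVE


def is_affected(version, advisory):
    """True when version falls in [introduced, fixed)."""
    v = parse_version(version)
    return parse_version(advisory.introduced) <= v < parse_version(advisory.fixed)


def audit(inventory, advisories, as_of_year):
    """Match every inventoried component against every advisory.

    Returns one finding per (component, advisory) hit, recording how the
    component got into the build and how long the issue has been public.
    """
    findings = []
    for item in inventory:
        for adv in advisories:
            if adv.component == item["name"] and is_affected(item["version"], adv):
                findings.append({
                    "component": item["name"],
                    "version": item["version"],
                    "advisory": adv.ident,
                    "fixed_in": adv.fixed,
                    "transitive": item["via"] is not None,
                    "via": item["via"],
                    "years_public": as_of_year - adv.published,
                })
    return sorted(findings, key=lambda f: (f["component"], f["advisory"]))


# Constructed inventory: what a lock file shows the application really ships.
# 'via' names the direct dependency that pulled a transitive component in.
INVENTORY = [
    {"name": "web-framework", "version": "2.3.8", "via": None},
    {"name": "log-helper",    "version": "0.9.2", "via": None},
    {"name": "tls-library",   "version": "1.0.1f", "via": "web-framework"},
    {"name": "json-parser",   "version": "3.1.0", "via": "web-framework"},
]

# Constructed advisory feed with placeholder identifiers.
ADVISORIES = [
    Advisory("tls-library", "1.0.1", "1.0.1g", 2014, "EXAMPLE-0001"),
    Advisory("json-parser", "3.0.0", "3.0.5", 2016, "EXAMPLE-0002"),
    Advisory("web-framework", "2.3.0", "2.3.9", 2013, "EXAMPLE-0003"),
]


def summarize(findings):
    """Counts a team would track: total hits, hits in transitive components,
    and hits whose advisory has been public for four or more years."""
    return {
        "total": len(findings),
        "transitive": sum(1 for f in findings if f["transitive"]),
        "public_4y_or_more": sum(1 for f in findings if f["years_public"] >= 4),
    }


if __name__ == "__main__":
    results = audit(INVENTORY, ADVISORIES, as_of_year=2017)
    for f in results:
        origin = f"pulled in by {f['via']}" if f["transitive"] else "direct dependency"
        print(f"{f['component']} {f['version']}: {f['advisory']} "
              f"(fixed in {f['fixed_in']}, {origin}, public {f['years_public']} years)")
    print(summarize(results))
```

Two details matter in practice and are built in here: the version comparison must understand the component's own versioning scheme (the OpenSSL-style letter suffix is the usual trap), and each finding carries whether the component arrived transitively, because those are exactly the components an organisation tends not to know it is running.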