News

1/23/2015
05:25 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Growing Open Source Use Heightens Enterprise Security Risks

Companies often have little clue about the extent of third-party code in the enterprise or the risks it poses, security experts say

The data breaches disclosed earlier this month at Park ‘N Fly and OneStopParking.com, two major airport parking services, highlight the continuing risk that enterprises face from using open-source software in their environments without a plan for managing it.

Both Park ‘n Fly and OneStopParking,con were victimized by a security vulnerability in the Joomla open-source content management platform for which a patch had been issued last September, but which neither company had apparently installed. As if last year’s Heartbleed, Shellshock, and POODLE flaws weren’t enough of a wake-up call already, the breaches were another reminder of how flaws in third-party software can sometimes cause major headaches for companies that are not prepared for them.

A lot of companies these days use open-source code in internal software development projects, says Bill Ledingham, chief technology officer at Black Duck Software Inc., a company that helps enterprises keep tabs on third-party code use in their software environments.

Often, large internally developed enterprise applications can include dozens of open-source software components. And some companies can have hundreds, and even thousands of applications running open-source code, he says. “There’s a tremendous change in how open source is being used these days,” by enterprise software development groups, Ledingham says.

He estimates that close to a third of all software used in enterprises, including Fortune 500 firms, is derived from open source. In some cases, like mobile, cloud, and big data applications, open source accounts for 60 to 80 percent of the total code, he says. As open source use has increased enterprise concerns have shifted dramatically from IP and licensing issues to the potential security risks caused by the trend.

Ledingham, whose firm tracks close to 1 million open source projects worldwide, says there is nothing about the code that makes it less secure than commercial software products. In fact, the communities that support some of the better-managed projects are more responsive to security threats than commercial vendors.

Even so, open-source software too has it shares of vulnerabilities that developers need to pay attention to and fix promptly to mitigate risks, he said. Of the nearly 8,000 security vulnerabilities disclosed in the national vulnerability database last year, nearly 40 percent were in open-source software, he said.

The real problem stems from the manner in which third-party code is consumed and deployed within the enterprise, he said. Companies that use open source heavily often have few measures for vetting software quality or for tracking how and where the software is used. Many install code with previously disclosed vulnerabilities in them or remain dangerously oblivious to vulnerability disclosures impacting their software.

Some large companies do have well-managed and tightly controlled processes for integrating open source software into their software development projects. For example, some have a central group of developers responsible for finding and vetting open-source code and putting it in a catalog of approved code for their organizations. But many don’t, Ledighman says.

Wayne Jackson, CEO of Sonatype Inc., likens the attitude towards open source among some companies to automakers letting assembly line workers choosing their own components for assembly. “You can imagine what a Frankenstein vehicle that would make,” says Jackson, whose company, like Black Duck, helps firms manage and secure open-source code in their software.

“The best companies have protocols for understanding what is being used. They know what is being integrated into a given piece of software and they monitor for critical vulnerability disclosures,” Jackson says.

Enterprises that do not have these processes are the ones that are most unprepared to deal with threats like those posed by Heartbleed, Shellshock, and POODLE, Jackson said.

Jackson, whose company maintains a sort of GitHub for open-source binaries, says a staggering 17.2 billion open-source components, including everything from web application and wireless frameworks, to small logging utilities, were downloaded last year around the world. That included about 82,000 organizations.

It is impossible to know how much of that software actually has found its way into enterprise projects. But it is a safe bet to assume almost all software used by companies these days has an open-source underpinning, Jackson said.

Concerns over the extent of open source use in software these days prompted lawmakers to introduce the Cyber Supply Chain Management and Transparency Act of 2014 in December. The bill would require companies supplying software products and services to the government to certify the extent of open source use and guarantee there are no known vulnerabilities in the software.

The takeaway for companies is straightforward, Jackson said. The key to using this software safely begins with just knowing what you have. “There is no magic” he says. “Just know what you are using and define, as an organization the attributes that would make a piece of open source acceptable or not acceptable,” he said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
lythic
50%
50%
lythic,
User Rank: Apprentice
5/28/2015 | 11:53:13 AM
Re: Frankenstein
Sure, but on an active project gaping security holes will actually get fixed, which is not what we see happening at Microsoft, Sony and many others who refuse to patch things until it becomes a PR issue. When windows had a bug, the rest of us are helpless to do anything about it. When open source had a bug, you fix it and release your patch. Done. Even if your patch isn't included in the new version, you can still use your patch and make it available for others.
lythic
50%
50%
lythic,
User Rank: Apprentice
5/28/2015 | 11:45:25 AM
Re: Open source and security
Open source means that anyone can do the testing, anyone can review the code. If there's not a large and dedicated community with sufficient expertise backing the project, then you can vet, fix, modify and test it yourself.
lythic
50%
50%
lythic,
User Rank: Apprentice
5/28/2015 | 11:42:39 AM
Re: Frankenstein
Actually there are several, Google and Facebook's bug bounty programs include open source projects and then there's several independent ones such as bug bounty. Open source tools are the backbone of the internet. Apache projects, for example, are used and supported by almost every major tech company. This means most will test the tool internally before release and many have people on staff who are dedicated to that project. Patches can be reviewed by anyone and there are active discussion forums on bugs and feature requests. Apache projects are often of higher quality than commercial solutions because they are products of collaboration between several of the top tech companies. Apache Hadoop for example, was developed at yahoo, is now supported by two support companies - Hortonworks and Cloudera, and has contributiors from Intel, Facebook, Twitter, VMWare, Microsoft and LinkedIn. The patch behind heartbleed however, was written by one guy who had one person review it. Having open source is only a benefit if people actually read it.
Jon M. Kelley
50%
50%
Jon M. Kelley,
User Rank: Apprentice
1/27/2015 | 9:32:19 AM
In House Developed SW gets no eyes!
I keep seeing discussions about commercial versus open source software, but the bigger hole in delivered special purpose software is the stuff added "in house".  Once delivered, this software typically gets "no eyes" and no patches until it is proven to be successfully attacked or unusable.  Some very large corporations have a habit of assembling a product for in house use, then once accepted by the end user's management, the developers are dispersed to other tasks, and there is no maintenance planned. 

 Too often specialized software developed for government ends the same way:  no follow on after delivery.  The developers were paid to build the product, and the contract ended.  With no plans for paid maintenance, the product gets used until it does something poorly enough to inconvenience upper management.  
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/26/2015 | 9:42:13 PM
Re: WhiteSource proves that open source is safe if used responsibly
re: "It is easier to see vulnerabilities with many eyes in open source and take action on it as a community than waiting Microsoft release a fix for it."

One might think, but research does not support this proposition.  Rather, research demonstrates that the law of diminishing returns is at play when it comes to open-source security review: that there is a maximum number of meaningfully "useful" reviewers, typically between two and four.  See, e.g., Robert L. Glass, Facts and Fallacies of Software Engineering.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/26/2015 | 9:36:44 PM
Re: Frankenstein
The other issue is that many of the big boys -- Microsoft, Google, etc. -- have bug bounty programs.  No such program exists for open source.

Maybe it doesn't need to (after all, Apple typically offers nothing or next to nothing), in terms of hard cash, but certainly some greater incentive would be of great help.  After all, most contributors to open source prefer to stick to features because features are often more interesting and fun.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/26/2015 | 4:38:06 PM
Re: blast from the past
Agree. As I mentioned in my other post, there is no hard link between open source and security but there are advantages and disadvantages when it comes to using open source and dealing with security. If you use open source and you are no paying for support then you need to be very carefully getting all the patches in place on time, nobody else will do it for you, and this increase risk level in my view.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/26/2015 | 4:31:57 PM
Re: Frankenstein
I agree with this too. At the same time we know hackers have advantage too when the see vulnerabilities in open source, it is easier to attack open source code base.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/26/2015 | 4:29:52 PM
Re: WhiteSource proves that open source is safe if used responsibly
I would agree with them. It is easier to see vulnerabilities with many eyes in open source and take action on it as a community than waiting Microsoft release a fix for it.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/26/2015 | 4:26:26 PM
Open source and security
 

I would like to make a point that there is no an hard link between open source and security. Some open source systems are quite secure some are not. The same goes with the closed system, Windows is a closed system and that is where we see security issues more than other systems. 
Page 1 / 2   >   >>
Mobile Malware Incidents Hit 100% of Businesses
Dawn Kawamoto, Associate Editor, Dark Reading,  11/17/2017
3 Ways to Retain Security Operations Staff
Oliver Rochford, Vice President of Security Evangelism at DFLabs,  11/20/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Managing Cyber-Risk
An online breach could have a huge impact on your organization. Here are some strategies for measuring and managing that risk.
Flash Poll
[Strategic Security Report] Cloud Security's Changing Landscape
[Strategic Security Report] Cloud Security's Changing Landscape
Cloud services are increasingly becoming the platform for mission-critical apps and data. Heres how enterprises are adapting their security strategies!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.