News
1/23/2015
05:25 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Growing Open Source Use Heightens Enterprise Security Risks

Companies often have little clue about the extent of third-party code in the enterprise or the risks it poses, security experts say

The data breaches disclosed earlier this month at Park ‘N Fly and OneStopParking.com, two major airport parking services, highlight the continuing risk that enterprises face from using open-source software in their environments without a plan for managing it.

Both Park ‘n Fly and OneStopParking,con were victimized by a security vulnerability in the Joomla open-source content management platform for which a patch had been issued last September, but which neither company had apparently installed. As if last year’s Heartbleed, Shellshock, and POODLE flaws weren’t enough of a wake-up call already, the breaches were another reminder of how flaws in third-party software can sometimes cause major headaches for companies that are not prepared for them.

A lot of companies these days use open-source code in internal software development projects, says Bill Ledingham, chief technology officer at Black Duck Software Inc., a company that helps enterprises keep tabs on third-party code use in their software environments.

Often, large internally developed enterprise applications can include dozens of open-source software components. And some companies can have hundreds, and even thousands of applications running open-source code, he says. “There’s a tremendous change in how open source is being used these days,” by enterprise software development groups, Ledingham says.

He estimates that close to a third of all software used in enterprises, including Fortune 500 firms, is derived from open source. In some cases, like mobile, cloud, and big data applications, open source accounts for 60 to 80 percent of the total code, he says. As open source use has increased enterprise concerns have shifted dramatically from IP and licensing issues to the potential security risks caused by the trend.

Ledingham, whose firm tracks close to 1 million open source projects worldwide, says there is nothing about the code that makes it less secure than commercial software products. In fact, the communities that support some of the better-managed projects are more responsive to security threats than commercial vendors.

Even so, open-source software too has it shares of vulnerabilities that developers need to pay attention to and fix promptly to mitigate risks, he said. Of the nearly 8,000 security vulnerabilities disclosed in the national vulnerability database last year, nearly 40 percent were in open-source software, he said.

The real problem stems from the manner in which third-party code is consumed and deployed within the enterprise, he said. Companies that use open source heavily often have few measures for vetting software quality or for tracking how and where the software is used. Many install code with previously disclosed vulnerabilities in them or remain dangerously oblivious to vulnerability disclosures impacting their software.

Some large companies do have well-managed and tightly controlled processes for integrating open source software into their software development projects. For example, some have a central group of developers responsible for finding and vetting open-source code and putting it in a catalog of approved code for their organizations. But many don’t, Ledighman says.

Wayne Jackson, CEO of Sonatype Inc., likens the attitude towards open source among some companies to automakers letting assembly line workers choosing their own components for assembly. “You can imagine what a Frankenstein vehicle that would make,” says Jackson, whose company, like Black Duck, helps firms manage and secure open-source code in their software.

“The best companies have protocols for understanding what is being used. They know what is being integrated into a given piece of software and they monitor for critical vulnerability disclosures,” Jackson says.

Enterprises that do not have these processes are the ones that are most unprepared to deal with threats like those posed by Heartbleed, Shellshock, and POODLE, Jackson said.

Jackson, whose company maintains a sort of GitHub for open-source binaries, says a staggering 17.2 billion open-source components, including everything from web application and wireless frameworks, to small logging utilities, were downloaded last year around the world. That included about 82,000 organizations.

It is impossible to know how much of that software actually has found its way into enterprise projects. But it is a safe bet to assume almost all software used by companies these days has an open-source underpinning, Jackson said.

Concerns over the extent of open source use in software these days prompted lawmakers to introduce the Cyber Supply Chain Management and Transparency Act of 2014 in December. The bill would require companies supplying software products and services to the government to certify the extent of open source use and guarantee there are no known vulnerabilities in the software.

The takeaway for companies is straightforward, Jackson said. The key to using this software safely begins with just knowing what you have. “There is no magic” he says. “Just know what you are using and define, as an organization the attributes that would make a piece of open source acceptable or not acceptable,” he said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
lythic
50%
50%
lythic,
User Rank: Apprentice
5/28/2015 | 11:53:13 AM
Re: Frankenstein
Sure, but on an active project gaping security holes will actually get fixed, which is not what we see happening at Microsoft, Sony and many others who refuse to patch things until it becomes a PR issue. When windows had a bug, the rest of us are helpless to do anything about it. When open source had a bug, you fix it and release your patch. Done. Even if your patch isn't included in the new version, you can still use your patch and make it available for others.
lythic
50%
50%
lythic,
User Rank: Apprentice
5/28/2015 | 11:45:25 AM
Re: Open source and security
Open source means that anyone can do the testing, anyone can review the code. If there's not a large and dedicated community with sufficient expertise backing the project, then you can vet, fix, modify and test it yourself.
lythic
50%
50%
lythic,
User Rank: Apprentice
5/28/2015 | 11:42:39 AM
Re: Frankenstein
Actually there are several, Google and Facebook's bug bounty programs include open source projects and then there's several independent ones such as bug bounty. Open source tools are the backbone of the internet. Apache projects, for example, are used and supported by almost every major tech company. This means most will test the tool internally before release and many have people on staff who are dedicated to that project. Patches can be reviewed by anyone and there are active discussion forums on bugs and feature requests. Apache projects are often of higher quality than commercial solutions because they are products of collaboration between several of the top tech companies. Apache Hadoop for example, was developed at yahoo, is now supported by two support companies - Hortonworks and Cloudera, and has contributiors from Intel, Facebook, Twitter, VMWare, Microsoft and LinkedIn. The patch behind heartbleed however, was written by one guy who had one person review it. Having open source is only a benefit if people actually read it.
Jon M. Kelley
50%
50%
Jon M. Kelley,
User Rank: Apprentice
1/27/2015 | 9:32:19 AM
In House Developed SW gets no eyes!
I keep seeing discussions about commercial versus open source software, but the bigger hole in delivered special purpose software is the stuff added "in house".  Once delivered, this software typically gets "no eyes" and no patches until it is proven to be successfully attacked or unusable.  Some very large corporations have a habit of assembling a product for in house use, then once accepted by the end user's management, the developers are dispersed to other tasks, and there is no maintenance planned. 

 Too often specialized software developed for government ends the same way:  no follow on after delivery.  The developers were paid to build the product, and the contract ended.  With no plans for paid maintenance, the product gets used until it does something poorly enough to inconvenience upper management.  
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/26/2015 | 9:42:13 PM
Re: WhiteSource proves that open source is safe if used responsibly
re: "It is easier to see vulnerabilities with many eyes in open source and take action on it as a community than waiting Microsoft release a fix for it."

One might think, but research does not support this proposition.  Rather, research demonstrates that the law of diminishing returns is at play when it comes to open-source security review: that there is a maximum number of meaningfully "useful" reviewers, typically between two and four.  See, e.g., Robert L. Glass, Facts and Fallacies of Software Engineering.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/26/2015 | 9:36:44 PM
Re: Frankenstein
The other issue is that many of the big boys -- Microsoft, Google, etc. -- have bug bounty programs.  No such program exists for open source.

Maybe it doesn't need to (after all, Apple typically offers nothing or next to nothing), in terms of hard cash, but certainly some greater incentive would be of great help.  After all, most contributors to open source prefer to stick to features because features are often more interesting and fun.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/26/2015 | 4:38:06 PM
Re: blast from the past
Agree. As I mentioned in my other post, there is no hard link between open source and security but there are advantages and disadvantages when it comes to using open source and dealing with security. If you use open source and you are no paying for support then you need to be very carefully getting all the patches in place on time, nobody else will do it for you, and this increase risk level in my view.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/26/2015 | 4:31:57 PM
Re: Frankenstein
I agree with this too. At the same time we know hackers have advantage too when the see vulnerabilities in open source, it is easier to attack open source code base.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/26/2015 | 4:29:52 PM
Re: WhiteSource proves that open source is safe if used responsibly
I would agree with them. It is easier to see vulnerabilities with many eyes in open source and take action on it as a community than waiting Microsoft release a fix for it.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/26/2015 | 4:26:26 PM
Open source and security
 

I would like to make a point that there is no an hard link between open source and security. Some open source systems are quite secure some are not. The same goes with the closed system, Windows is a closed system and that is where we see security issues more than other systems. 
Page 1 / 2   >   >>
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Security Technologies to Watch in 2017
Emerging tools and services promise to make a difference this year. Are they on your company's list?
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.