If the Heartbleed and Shellshock vulnerability scares didn't drive home the increasing risk that open-source software poses to today's applications, consider this: Open-source and third-party code brings an average of 24 known security bugs to every web application, according to new data.
Open-source and third-party software components also introduced an average of eight "very high severity" or "high severity" security flaws to applications, according to Veracode, which today released findings from an analysis it conducted of more than 5,300 enterprise web applications uploaded to its code-scanning service over the past two months.
"The use of open source has increased heavily over time. Enterprises have become more comfortable using it," says Chris Wysopal, CTO at Veracode. "At the same time, the researcher community and attacker communities have woken up to this, too… That's why you're seeing Heartbleed and Shellshock, because people are looking at it and scrutinizing it. In the last year or two, all that code has been reviewed and made better. But it's probably only going to get worse" as researchers find more bugs and attackers start using them.
Dennis Chu, senior product manager at Coverity, which discovered 688 OWASP Top 10 security issues in 37 open-source projects it recently studied, says open-source bugs are often the cause of stealthy attacks. "A lot of times open-source bugs manifest themselves in very invisible security breaches."
It's not that open-source and third-party code is necessarily inherently more or less secure than commercial software, security experts say. Some open-source projects have been strapped for resources to keep the code clean -- leading to problems like Heartbleed, for instance -- but the real issue now is that more enterprises use open-source code, and researchers, as well as attackers, are taking notice.
John Pironti, president of IP Architects, says open-source code can be yet another attack surface for the bad guys. Businesses that decide to use open-source code should "understand the weaknesses that could potentially be there and how it could affect in the future weaknesses you don't know about of your systems and your data," he told Dark Reading in a video interview this month.
Any sensitive or classified data may not be a good fit for an open-source library, he said. "If everybody can see the code, then if a motivated attacker wants to come and find you [via that code], they have the ability and intelligence to find ways to exploit that easier than if it's closed code."
"We're trying to reduce the surface area the adversary has to attack you," Pironti said. "And the more they know about you, the more opportunities they can use to go after you."
Veracode found that remote code execution bugs were the most prominent type of flaw in the open-source components it studied in enterprise web applications. Why the large number of bugs in these enterprise applications? Wysopal says open-source code flaws are a "blind spot" in enterprise applications. The good news is that attackers traditionally go for the low-hanging fruit, he says, but that could change, given the wider adoption of open-source libraries.
In its research, Veracode used its new cloud-based software composition analysis service, which spots vulnerable components in applications and identifies where those components are used in various applications and systems.
Wysopal says the company had been working on the new service when Heartbleed hit and took it for a spin then. "Heartbleed was the perfect example of a commonly used open-source component that had vulnerabilities." Veracode found that its customers on average had at least one application vulnerable to Heartbleed when the flaw was revealed. "That surprised me. That seemed to be heavy usage" of the vulnerable version of OpenSSL.
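As an added illustration of what a software composition analysis pass does (example code written for this page, not Veracode's service or any project's code), the following Python matches a constructed application inventory against a constructed advisory feed, gives the where-used view per component, and computes the per-application averages of the kind the article cites. Every advisory id, component name and version range here is a placeholder.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Constructed advisory feed (placeholder ids, components and ranges, not real data).
# Each entry affects versions v with first <= v < fixed, the usual advisory shape.
ADVISORIES = [
    {"id": "ADV-0001", "component": "libexample-tls", "first": "1.0.1", "fixed": "1.0.2", "severity": "very high"},
    {"id": "ADV-0002", "component": "example-xml", "first": "2.0.0", "fixed": "2.4.1", "severity": "high"},
    {"id": "ADV-0003", "component": "example-log", "first": "0.0.0", "fixed": "3.1.0", "severity": "medium"},
]

# Constructed inventory: application -> list of (component, version) it bundles.
INVENTORY = {
    "payments-web": [("libexample-tls", "1.0.1"), ("example-log", "3.1.0")],
    "hr-portal": [("example-xml", "2.3.0"), ("example-log", "2.9.0")],
    "intranet": [("example-xml", "2.4.1"), ("example-log", "3.2.0")],
}

def parse_version(text: str) -> Version:
    """Turn 'MAJOR.MINOR.PATCH' into a tuple of ints so ranges compare numerically."""
    return tuple(int(part) for part in text.split("."))

def is_affected(version: str, advisory: dict) -> bool:
    """True when the bundled version falls inside the advisory's affected range."""
    v = parse_version(version)
    return parse_version(advisory["first"]) <= v < parse_version(advisory["fixed"])

def scan(inventory: Dict[str, List[Tuple[str, str]]]) -> Dict[str, List[dict]]:
    """Match every bundled component of every application against the feed."""
    findings: Dict[str, List[dict]] = {}
    for app, components in inventory.items():
        findings[app] = [
            {"component": name, "version": ver, "id": adv["id"], "severity": adv["severity"]}
            for name, ver in components
            for adv in ADVISORIES
            if adv["component"] == name and is_affected(ver, adv)
        ]
    return findings

def where_used(inventory: Dict[str, List[Tuple[str, str]]], component: str) -> List[str]:
    """Applications that bundle a component at any version: the where-used view."""
    return sorted(app for app, comps in inventory.items() if any(n == component for n, _ in comps))

def summarize(findings: Dict[str, List[dict]]) -> Dict[str, float]:
    """Average flaws per app, average high-or-worse per app, and apps with any finding."""
    apps = len(findings)
    total = sum(len(f) for f in findings.values())
    high = sum(1 for f in findings.values() for x in f if x["severity"] in ("very high", "high"))
    exposed = sum(1 for f in findings.values() if f)
    return {"avg_flaws": total / apps, "avg_high": high / apps, "apps_exposed": exposed}

if __name__ == "__main__":
    print(scan(INVENTORY), where_used(INVENTORY, "example-log"), summarize(scan(INVENTORY)))
```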