
Application Security

10/22/2014
03:55 PM

Open-Source Software Brings Bugs To Web Applications

An average of eight severe security flaws from open-source and third-party code can be found in each web application, according to new findings from Veracode.

If the Heartbleed and Shellshock vulnerability scares didn't drive home the increasing risk that open-source software poses to today's applications, consider this: Open-source and third-party code brings an average of 24 known security bugs to every web application, according to new data.

Open-source and third-party software components also introduced an average of eight "very high severity" or "high severity" security flaws to applications, according to Veracode, which today released findings from an analysis it conducted of more than 5,300 enterprise web applications uploaded to its code-scanning service over the past two months.

"The use of open source has increased heavily over time. Enterprises have become more comfortable using it," says Chris Wysopal, CTO at Veracode. "At the same time, the researcher community and attacker communities have woken up to this, too… That's why you're seeing Heartbleed and Shellshock, because people are looking at it and scrutinizing it. In the last year or two, all that code has been reviewed and made better. But it's probably only going to get worse" as researchers find more bugs and attackers start using them.

Dennis Chu, senior product manager at Coverity, which discovered 688 OWASP Top 10 security issues in 37 open-source projects it recently studied, says open-source bugs are often the cause of stealthy attacks. "A lot of times open-source bugs manifest themselves in very invisible security breaches."

It's not that open-source and third-party code is necessarily inherently more or less secure than commercial software, security experts say. Some open-source projects have been strapped for resources to keep the code clean -- leading to problems like Heartbleed, for instance -- but the real issue now is that more enterprises use open-source code, and researchers, as well as attackers, are taking notice.

John Pironti, president of IP Architects, says open-source code can be yet another attack surface for the bad guys. Businesses that decide to use open-source code should "understand the weaknesses that could potentially be there and how it could affect in the future weaknesses you don't know about of your systems and your data," he told Dark Reading in a video interview this month.

Any sensitive or classified data may not be a good fit for an open source library, he said. "If everybody can see the code, then if a motivated attacker wants to come and find you [via that code], they have the ability and intelligence to find ways to exploit that easier than if it's closed code."

"We're trying to reduce the surface area the adversary has to attack you," Pironti said. "And the more they know about you, the more opportunities they can use to go after you."

Veracode found that remote code execution bugs were the most prominent type of flaw in the open-source components it studied in enterprise web applications. Why the large number of bugs in these enterprise applications? Wysopal says open-source code flaws are a "blind spot" in enterprise applications. The good news is that attackers traditionally go for the low-hanging fruit, he says, but that could change, given the wider adoption of open-source libraries.

In its research, Veracode used its new cloud-based software composition analysis service, which spots vulnerable components in applications and identifies where those components are used in various applications and systems.

Wysopal says the company had been working on the new service when Heartbleed hit and took it for a spin then. "Heartbleed was the perfect example of a commonly used open-source component that had vulnerabilities." Veracode found that its customers on average had at least one application vulnerable to Heartbleed when the flaw was revealed. "That surprised me. That seemed to be heavy usage" of the vulnerable version of OpenSSL.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
RonR595
User Rank: Strategist
10/28/2014 | 11:30:40 AM
Re: Security is a Mindset, Not a License
Christian, there are actually studies that verified your gut feeling, and have shown that the number of bugs and security vulnerabilities are substantially the same in FOSS and proprietary code.
RetiredUser
User Rank: Ninja
10/25/2014 | 3:26:36 AM
Security is a Mindset, Not a License
I've been buried in Free and Open Source Software (FOSS) since the 1990s.  My day job typically was full of proprietary, heavily licensed and dongled software.  In getting to know FOSS project members, and rubbing shoulders with commercial software programmers, I quickly learned that security, secure coding, and just an overall sense of keeping the end user's data safe from prying eyes had nothing to do with the license on the code, but mostly the mentality of the coder and/or project manager behind the code.  Trend out 1,000 proprietary apps and 1,000 FOSS apps and I think the story on vulnerabilities and exploits will level out between the two.  The Center for Internet Security and OWASP are excellent resources for the casual software project team member to become familiar with and take a cue from.  While everyone else is arguing over whether FOSS or locked down apps are more secure, you can start coding securely from the ground up and demonstrate a little more respect for your end users than the next app, whatever its license may be.
Thomas Claburn
User Rank: Ninja
10/23/2014 | 6:50:57 PM
Re: open source funding
Agreed. The legal status of code doesn't reflect the quality of the code.
AnonymousMan
User Rank: Moderator
10/23/2014 | 12:55:43 PM
Re: Undermines an open source article of faith
Fair enough, I personally don't agree that open source is more or less secure either. The same technical complexities exist and the same flawed humans are writing the code either way. But it's also worth pointing out that product abandonment is a bigger problem for closed source IMHO. Companies abandon products in favor of some shiny new object all the time. At least with open source, you have the option of fixing a vulnerability yourself (e.g. Struts framework vulnerabilities).
RonR595
User Rank: Strategist
10/23/2014 | 11:39:14 AM
Different viewpoint: managing security of open source is actually EASIER than your own code
 

Let me start with a disclaimer: I am co-founder and chairman of WhiteSource.

First, I think everyone would agree that open source is the single most important catalyst to software development these days. With open source, product developers can focus on their own contribution, and can use good and well tested open source for all the rest.

Second, all the evidence is that open source code is of the same quality as tested commercial code (there are numbers to support that). That means it has bugs and it has security vulnerabilities, but no more nor less than commercial code. Within a given product, NEW code is most likely more buggy and more vulnerable (on average) than the open source components in the same product.

Third, in most cases, open source communities are extremely fast in fixing bugs and especially security vulnerabilities. In fact, a lot faster than most commercial vendors.

So if you are an R&D executive in a software development company, you shall pay a lot more attention to the code that your developers produce, and then to third party components. With regard to open source components, you should simply follow the CVEs to know if any of the components you use is affected by a known vulnerability, and then follow and update/patch with the new version that fixes the issues, which will likely be available a lot faster than you can imagine.

Having said that, open source code shall be managed (and not just for security), just like you do for your own code or third party. At WhiteSource we try to make such management effortless and easy to use by anyone.

Hope that helps to reduce some of the hype and negative press that open source has received recently. If you think of it, you will also reach the conclusion that it's quite the other way around.
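The workflow the article attributes to Veracode's composition analysis service (spot the vulnerable component and where it is used) and the "follow the CVEs, then update" advice in the comment above both reduce to one mechanical step: matching an inventory of bundled components against a vulnerability feed by version range. The Python script below is an added example written for this page; it is not code from Veracode, WhiteSource or Dark Reading. Its manifest, its vulnerability feed, the PLACEHOLDER-CVE identifiers and every version range in it are constructed sample data, not real advisories.

```python
"""Minimal software composition analysis (SCA) check.

Added example, not any vendor's product code. Reads a pinned dependency
manifest, compares each component's version against a local feed of
known-vulnerability records and reports which components are affected
and which release fixes them. All data below is constructed for the
example; the PLACEHOLDER-CVE identifiers are not real CVE numbers.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample manifest, "name==version" per line (not a real app's manifest).
SAMPLE_MANIFEST = """
# third-party components bundled in the web application (constructed sample)
openssl==1.0.1f
struts==2.3.15
jquery==1.11.1
"""


@dataclass(frozen=True)
class VulnRecord:
    vuln_id: str            # placeholder identifier, not a real CVE
    component: str
    introduced: str         # first affected version (inclusive)
    fixed: Optional[str]    # first fixed version (exclusive); None = no fix released yet
    severity: str


# Constructed sample feed: identifiers and ranges are placeholders, not NVD records.
SAMPLE_FEED: List[VulnRecord] = [
    VulnRecord("PLACEHOLDER-CVE-1", "openssl", "1.0.1", "1.0.1g", "high"),
    VulnRecord("PLACEHOLDER-CVE-2", "struts", "2.0.0", "2.3.16", "very high"),
    VulnRecord("PLACEHOLDER-CVE-3", "jquery", "1.0.0", "1.9.0", "medium"),
    VulnRecord("PLACEHOLDER-CVE-4", "struts", "2.3.0", None, "high"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.0.1f' or '2.3.16' into a tuple that orders correctly.

    Numeric parts become ints (so 1.11 > 1.9, unlike string comparison);
    a single-letter suffix in the OpenSSL style becomes its alphabet
    position, so 1.0.1 < 1.0.1f < 1.0.1g < 1.0.2.
    """
    parts: List[int] = []
    for token in re.findall(r"\d+|[a-zA-Z]+", version):
        if token.isdigit():
            parts.append(int(token))
        else:
            parts.append(ord(token[0].lower()) - ord("a") + 1)
    return tuple(parts)


def is_affected(version: str, rec: VulnRecord) -> bool:
    """True when introduced <= version < fixed, or when no fix exists yet."""
    v = parse_version(version)
    if v < parse_version(rec.introduced):
        return False
    return rec.fixed is None or v < parse_version(rec.fixed)


def parse_manifest(text: str) -> Dict[str, str]:
    """Read 'name==version' lines, ignoring blank lines and '#' comments."""
    components: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            # An unpinned component cannot be matched against a version range.
            raise ValueError(f"manifest line without a pinned version: {line!r}")
        components[name.strip().lower()] = version.strip()
    return components


@dataclass(frozen=True)
class Finding:
    component: str
    version: str
    vuln_id: str
    severity: str
    fixed_in: Optional[str]


def find_affected(manifest_text: str, feed: List[VulnRecord]) -> List[Finding]:
    """Report every feed record whose range covers a bundled component's version."""
    components = parse_manifest(manifest_text)
    findings: List[Finding] = []
    for rec in feed:
        version = components.get(rec.component)
        if version is not None and is_affected(version, rec):
            findings.append(Finding(rec.component, version, rec.vuln_id, rec.severity, rec.fixed))
    return findings


def count_by_severity(findings: List[Finding]) -> Dict[str, int]:
    """Tally findings per severity, the kind of figure the article reports per application."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in find_affected(SAMPLE_MANIFEST, SAMPLE_FEED):
        action = f"upgrade to {f.fixed_in}" if f.fixed_in else "no fixed release yet; mitigate or replace"
        print(f"{f.component} {f.version}: {f.vuln_id} ({f.severity}) -> {action}")
    print(count_by_severity(find_affected(SAMPLE_MANIFEST, SAMPLE_FEED)))
```

Two details matter in practice. Versions must be compared numerically, not as strings, or jquery 1.11.1 would wrongly fall inside a range that ends at 1.9.0; and a record with no fixed release (the second struts entry) still has to surface as a finding, since "wait for the patch" is not an answer for a component that is already exposed. In a real pipeline the manifest comes from the build system's lock file and the feed from the NVD or a vendor service rather than the constructed lists used here.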

 
David F. Carr
User Rank: Strategist
10/23/2014 | 11:20:23 AM
Undermines an open source article of faith
Open source is supposed to be more secure because there are more eyes on it, scrutinizing it for flaws. What this really points out is that this proposition can't be taken as an article of faith. Very broadly implemented open source software, backed by an active community of developers, may in fact be rock solid -- provided that it's patched and updated whenever security bugs are detected. But if an open source library gets embedded in a product and forgotten about, if the open source community behind it loses interest or gets distracted by some shiny, new object, it can easily drift away from that ideal.

Buyer beware! Even when what you're "buying" is free and open.
Jimmy.N
User Rank: Apprentice
10/23/2014 | 9:23:17 AM
Re: open source funding

This is an incredibly screwed perspective. All code will have bugs, vulnerabilities and issues. The difference is that open-source is . . . . OPEN SOURCE, and open to everyone. The point is you have tens of thousands of people around the world looking at the code and finding ways to improve it. With this comes the ability to also utilize its weaknesses for nefarious purposes. Closed source will still have bad things in it, but just harder to find and sometimes patched before anyone knows about it. Is that better than knowing? Maybe if you feel ignorance is bliss, but as a Security Analyst, I just don't drink that kool-aid.

AnonymousMan
User Rank: Moderator
10/23/2014 | 9:05:51 AM
Re: Pending Review
This really isn't about open source IMHO; it's about using 3rd party components. What Veracode didn't tell us is what those vulnerabilities were. Was it outdated libraries or vulnerabilities in current versions? Both are a problem IME, but they mean different things to decision makers. Also, suggesting that using a 3rd party library or component increases risk probably isn't true on the whole if the alternative is to roll your own code.
bpaddock0
User Rank: Apprentice
10/23/2014 | 8:17:38 AM
Proposing Security by obscurity as the solution?
"If everybody can see the code, then if a motivated attacker wants to come and find you [via that code], they have the ability and intelligence to find ways to exploit that easier than if it's closed code."

They are proposing security by obscurity as the solution? The Bad Guys/Gals can't see the source code for what is not open-source so it is more secure? Not likely.

I do understand their point that if you can see the open-source source code then it is certainly easier to look for ways to exploit problems.

Methods for Secure Coding are known, and have been known for years.

Yet few organizations commercial or not take the time to learn and use them.

 
Thomas Claburn
User Rank: Ninja
10/22/2014 | 6:27:44 PM
open source funding
Maybe it's time for a "tragedy of the commons" fund to secure important open source projects.