The management of open source libraries poses a major challenge for secure development. That's because seven in 10 applications use at least one flawed open source library, inheriting vulnerabilities that could potentially be exploited, according to a new study of more than 81,000 applications.
Developers need to not just focus on patching, but also on approaching application security in a way that is right for the frameworks with which they are working, says Chris Eng, chief research officer at Veracode.
"Open source software has a surprising variety of flaws," he says. "The attack surface of many applications is much larger than developers may expect due to the fact that open source libraries have dependencies on other libraries. Developers must be aware of this and the fact that language selection makes a difference in terms of the size of the ecosystem and in the prevalence of flaws in those ecosystems."
The report underscores that a lack of patching continues to be the No. 1 problem for application-security programs. Fixes exist for more than 90% of the vulnerabilities that have a published proof-of-concept, according to Veracode's report. Fixing such issues is critical because attackers regularly use older vulnerabilities to attack systems and applications, the US Cybersecurity and Infrastructure Security Agency said in a recent advisory.
"Open source software gives companies tremendous advantages, but there's no free lunch here, and all code must be managed to avoid your own contributions — whether open or closed source in nature — from exposing your users to vulnerabilities," Veracode stated in the report.
Overall, the research suggests that developers who know the security characteristics of the open source libraries supporting their particular language and framework will have a greater likelihood of producing secure code.
The approach each language and its core developers take to libraries can also have an impact.
PHP applications, for example, typically import a modest number of libraries directly but gain a significant attack surface through the dependencies those libraries pull in themselves (the friend-of-a-friend method of importing components), which exposes vulnerabilities that developers might not otherwise anticipate. Combined with the finding that 27% of all PHP libraries have an exploitable flaw, the framework can be a source of hidden dangers for developers, says Veracode's Eng.
The most numerous vulnerability classes are not the ones that developers should necessarily spend the most time eradicating, according to Veracode. While 29% of all flaws are cross-site scripting vulnerabilities, only about 8% of flawed libraries have an exploitable version of the vulnerability. Two other classes of vulnerabilities from the OWASP Top 10 — insecure deserialization and broken access controls — are much more likely to be exploitable, with 30% of flawed libraries having an exploitable version of the vulnerability.
But the good news for developers is that a minor update or patch could fix more than 90% of vulnerabilities with published exploits, Eng says.
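To make the two findings above concrete (transitive libraries widening the attack surface, and most flaws being fixable with a small version bump), here is an added example, not code from the report or from Veracode: it walks a constructed Composer-style lock file, records every path from the application to each library, matches libraries against a constructed advisory list, and classifies the upgrade needed. All package names, versions and advisories are hypothetical.

```python
from collections import deque

# Constructed lock file: each package's resolved version and what it requires.
LOCK = {
    "app": {"version": "1.0.0", "requires": ["example/logger", "example/http-client"]},
    "example/logger": {"version": "2.4.1", "requires": ["example/json-lib"]},
    "example/http-client": {"version": "3.1.0", "requires": ["example/json-lib", "example/uri"]},
    "example/json-lib": {"version": "1.0.4", "requires": []},
    "example/uri": {"version": "0.9.2", "requires": []},
}

# Constructed advisories: package -> first fixed version (affected if older).
ADVISORIES = {
    "example/json-lib": "1.0.5",  # hypothetical deserialization flaw
    "example/uri": "1.0.0",       # hypothetical access-control flaw
}

def parse(version):
    return tuple(int(p) for p in version.split("."))

def bump_kind(current, fixed):
    """Classify the upgrade needed to reach the fixed version."""
    c, f = parse(current), parse(fixed)
    if f[0] != c[0]:
        return "major"
    if f[1] != c[1]:
        return "minor"
    return "patch"

def transitive_paths(root="app"):
    """Breadth-first walk returning every dependency path from root to each package.
    Each package is expanded once, so a cyclic lock file cannot loop forever."""
    paths, expanded = {}, set()
    queue = deque([(root, (root,))])
    while queue:
        pkg, path = queue.popleft()
        if pkg in expanded:
            continue
        expanded.add(pkg)
        for dep in LOCK[pkg]["requires"]:
            paths.setdefault(dep, []).append(path + (dep,))
            queue.append((dep, path + (dep,)))
    return paths

def audit(root="app"):
    """Report each affected library, whether it is a direct dependency, and the fix size."""
    findings = []
    for pkg, paths in transitive_paths(root).items():
        fixed = ADVISORIES.get(pkg)
        if fixed is None or parse(LOCK[pkg]["version"]) >= parse(fixed):
            continue
        findings.append({
            "package": pkg,
            "direct": any(len(p) == 2 for p in paths),
            "paths": [" -> ".join(p) for p in paths],
            "upgrade": bump_kind(LOCK[pkg]["version"], fixed),
        })
    return sorted(findings, key=lambda f: f["package"])
```

Run against the constructed data, neither affected library is imported directly; one is reachable through two different direct dependencies and needs only a patch bump, while the other needs a major upgrade.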
"Open source software offers a lot of advantages, and it's only growing from here," he says. "My recommendation is that developers and their organizations increase their knowledge and ability to test for flaws in the libraries they are pulling into their applications. The fixes are usually minor and can have a big impact on reducing exposure."