Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:25 PM
Connect Directly

Growing Open Source Use Heightens Enterprise Security Risks

Companies often have little clue about the extent of third-party code in the enterprise or the risks it poses, security experts say

The data breaches disclosed earlier this month at Park ‘N Fly and OneStopParking.com, two major airport parking services, highlight the continuing risk that enterprises face from using open-source software in their environments without a plan for managing it.

Both Park ‘n Fly and OneStopParking,con were victimized by a security vulnerability in the Joomla open-source content management platform for which a patch had been issued last September, but which neither company had apparently installed. As if last year’s Heartbleed, Shellshock, and POODLE flaws weren’t enough of a wake-up call already, the breaches were another reminder of how flaws in third-party software can sometimes cause major headaches for companies that are not prepared for them.

A lot of companies these days use open-source code in internal software development projects, says Bill Ledingham, chief technology officer at Black Duck Software Inc., a company that helps enterprises keep tabs on third-party code use in their software environments.

Often, large internally developed enterprise applications can include dozens of open-source software components. And some companies can have hundreds, and even thousands of applications running open-source code, he says. “There’s a tremendous change in how open source is being used these days,” by enterprise software development groups, Ledingham says.

He estimates that close to a third of all software used in enterprises, including Fortune 500 firms, is derived from open source. In some cases, like mobile, cloud, and big data applications, open source accounts for 60 to 80 percent of the total code, he says. As open source use has increased enterprise concerns have shifted dramatically from IP and licensing issues to the potential security risks caused by the trend.

Ledingham, whose firm tracks close to 1 million open source projects worldwide, says there is nothing about the code that makes it less secure than commercial software products. In fact, the communities that support some of the better-managed projects are more responsive to security threats than commercial vendors.

Even so, open-source software too has it shares of vulnerabilities that developers need to pay attention to and fix promptly to mitigate risks, he said. Of the nearly 8,000 security vulnerabilities disclosed in the national vulnerability database last year, nearly 40 percent were in open-source software, he said.

The real problem stems from the manner in which third-party code is consumed and deployed within the enterprise, he said. Companies that use open source heavily often have few measures for vetting software quality or for tracking how and where the software is used. Many install code with previously disclosed vulnerabilities in them or remain dangerously oblivious to vulnerability disclosures impacting their software.

Some large companies do have well-managed and tightly controlled processes for integrating open source software into their software development projects. For example, some have a central group of developers responsible for finding and vetting open-source code and putting it in a catalog of approved code for their organizations. But many don’t, Ledighman says.

Wayne Jackson, CEO of Sonatype Inc., likens the attitude towards open source among some companies to automakers letting assembly line workers choosing their own components for assembly. “You can imagine what a Frankenstein vehicle that would make,” says Jackson, whose company, like Black Duck, helps firms manage and secure open-source code in their software.

“The best companies have protocols for understanding what is being used. They know what is being integrated into a given piece of software and they monitor for critical vulnerability disclosures,” Jackson says.

Enterprises that do not have these processes are the ones that are most unprepared to deal with threats like those posed by Heartbleed, Shellshock, and POODLE, Jackson said.

Jackson, whose company maintains a sort of GitHub for open-source binaries, says a staggering 17.2 billion open-source components, including everything from web application and wireless frameworks, to small logging utilities, were downloaded last year around the world. That included about 82,000 organizations.

It is impossible to know how much of that software actually has found its way into enterprise projects. But it is a safe bet to assume almost all software used by companies these days has an open-source underpinning, Jackson said.

Concerns over the extent of open source use in software these days prompted lawmakers to introduce the Cyber Supply Chain Management and Transparency Act of 2014 in December. The bill would require companies supplying software products and services to the government to certify the extent of open source use and guarantee there are no known vulnerabilities in the software.

The takeaway for companies is straightforward, Jackson said. The key to using this software safely begins with just knowing what you have. “There is no magic” he says. “Just know what you are using and define, as an organization the attributes that would make a piece of open source acceptable or not acceptable,” he said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
User Rank: Apprentice
1/26/2015 | 9:13:48 AM
WhiteSource proves that open source is safe if used responsibly
WhiteSource has been helping companies of all sizes to responsibly and effortlessly manage the open source components they use.

We've been doing it since 2011 and for all programming languages, we are in a unique position to look at real data from a large number of commercial projects.

Our research shows that if managed properly - ie updated when new security vulnerabilities are disclosed or when new versions are available - 98% of the projects that contain faulty open source components would not contain them. 

So the problem is not open source but how it is used.
Joe Stanganelli
Joe Stanganelli,
User Rank: Ninja
1/25/2015 | 8:25:25 PM
Hah!  I <3 the Frankenstein analogy!

This is the folly of Linus's Law -- i.e., "Given enough eyeballs, all bugs are shallow."

Akamai's CSO, Andy Ellis, put it best at a cybersecurity conference I attended a couple months back: "The Florida Everglades happen to be shallow as well.  It's still a swamp!"
User Rank: Apprentice
1/25/2015 | 1:58:41 PM
blast from the past
Wow it's like this article was caught in a time warp and just appeared 10-15 years after it was written and somehow got published. So the parking websites were hacked because they were using open source software?!?! I love this line "victimized by a security vulnerability in the Joomla open-source content management platform for which a patch had been issued last September, but which neither company had apparently installed."

They were victimized because they didn't patch software. It has nothing to do with the source code being open or closed. It could have been unpatched IIS or anything else. Hello, 1998 called and they would like their tech story back.
<<   <   Page 2 / 2
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-20
The Quiz And Survey Master &Atilde;&cent;&acirc;&sbquo;&not;&acirc;&euro;&oelig; Best Quiz, Exam and Survey Plugin WordPress plugin before 7.1.18 did not sanitise or escape its result_id parameter when displaying an existing quiz result page, leading to a reflected Cross-Site Scripting issue. This c...
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 44741ff99f7a71df45420635b238b9c22093647a contains a buffer overflow which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS contains a buffer overflow in the set_range test in TestBitmap which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS in test-crypto.cpp contains a stack buffer overflow which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS before commit 3844e8569689dd476064a0759d704bc64fb3ca2c contains a directory traversal vulnerability in tar/unzip that may lead to command execution or privilege escalation.