Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:25 PM
Connect Directly

Growing Open Source Use Heightens Enterprise Security Risks

Companies often have little clue about the extent of third-party code in the enterprise or the risks it poses, security experts say

The data breaches disclosed earlier this month at Park ‘N Fly and OneStopParking.com, two major airport parking services, highlight the continuing risk that enterprises face from using open-source software in their environments without a plan for managing it.

Both Park ‘n Fly and OneStopParking,con were victimized by a security vulnerability in the Joomla open-source content management platform for which a patch had been issued last September, but which neither company had apparently installed. As if last year’s Heartbleed, Shellshock, and POODLE flaws weren’t enough of a wake-up call already, the breaches were another reminder of how flaws in third-party software can sometimes cause major headaches for companies that are not prepared for them.

A lot of companies these days use open-source code in internal software development projects, says Bill Ledingham, chief technology officer at Black Duck Software Inc., a company that helps enterprises keep tabs on third-party code use in their software environments.

Often, large internally developed enterprise applications can include dozens of open-source software components. And some companies can have hundreds, and even thousands of applications running open-source code, he says. “There’s a tremendous change in how open source is being used these days,” by enterprise software development groups, Ledingham says.

He estimates that close to a third of all software used in enterprises, including Fortune 500 firms, is derived from open source. In some cases, like mobile, cloud, and big data applications, open source accounts for 60 to 80 percent of the total code, he says. As open source use has increased enterprise concerns have shifted dramatically from IP and licensing issues to the potential security risks caused by the trend.

Ledingham, whose firm tracks close to 1 million open source projects worldwide, says there is nothing about the code that makes it less secure than commercial software products. In fact, the communities that support some of the better-managed projects are more responsive to security threats than commercial vendors.

Even so, open-source software too has it shares of vulnerabilities that developers need to pay attention to and fix promptly to mitigate risks, he said. Of the nearly 8,000 security vulnerabilities disclosed in the national vulnerability database last year, nearly 40 percent were in open-source software, he said.

The real problem stems from the manner in which third-party code is consumed and deployed within the enterprise, he said. Companies that use open source heavily often have few measures for vetting software quality or for tracking how and where the software is used. Many install code with previously disclosed vulnerabilities in them or remain dangerously oblivious to vulnerability disclosures impacting their software.

Some large companies do have well-managed and tightly controlled processes for integrating open source software into their software development projects. For example, some have a central group of developers responsible for finding and vetting open-source code and putting it in a catalog of approved code for their organizations. But many don’t, Ledighman says.

Wayne Jackson, CEO of Sonatype Inc., likens the attitude towards open source among some companies to automakers letting assembly line workers choosing their own components for assembly. “You can imagine what a Frankenstein vehicle that would make,” says Jackson, whose company, like Black Duck, helps firms manage and secure open-source code in their software.

“The best companies have protocols for understanding what is being used. They know what is being integrated into a given piece of software and they monitor for critical vulnerability disclosures,” Jackson says.

Enterprises that do not have these processes are the ones that are most unprepared to deal with threats like those posed by Heartbleed, Shellshock, and POODLE, Jackson said.

Jackson, whose company maintains a sort of GitHub for open-source binaries, says a staggering 17.2 billion open-source components, including everything from web application and wireless frameworks, to small logging utilities, were downloaded last year around the world. That included about 82,000 organizations.

It is impossible to know how much of that software actually has found its way into enterprise projects. But it is a safe bet to assume almost all software used by companies these days has an open-source underpinning, Jackson said.

Concerns over the extent of open source use in software these days prompted lawmakers to introduce the Cyber Supply Chain Management and Transparency Act of 2014 in December. The bill would require companies supplying software products and services to the government to certify the extent of open source use and guarantee there are no known vulnerabilities in the software.

The takeaway for companies is straightforward, Jackson said. The key to using this software safely begins with just knowing what you have. “There is no magic” he says. “Just know what you are using and define, as an organization the attributes that would make a piece of open source acceptable or not acceptable,” he said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
User Rank: Apprentice
1/26/2015 | 9:13:48 AM
WhiteSource proves that open source is safe if used responsibly
WhiteSource has been helping companies of all sizes to responsibly and effortlessly manage the open source components they use.

We've been doing it since 2011 and for all programming languages, we are in a unique position to look at real data from a large number of commercial projects.

Our research shows that if managed properly - ie updated when new security vulnerabilities are disclosed or when new versions are available - 98% of the projects that contain faulty open source components would not contain them. 

So the problem is not open source but how it is used.
Joe Stanganelli
Joe Stanganelli,
User Rank: Ninja
1/25/2015 | 8:25:25 PM
Hah!  I <3 the Frankenstein analogy!

This is the folly of Linus's Law -- i.e., "Given enough eyeballs, all bugs are shallow."

Akamai's CSO, Andy Ellis, put it best at a cybersecurity conference I attended a couple months back: "The Florida Everglades happen to be shallow as well.  It's still a swamp!"
User Rank: Apprentice
1/25/2015 | 1:58:41 PM
blast from the past
Wow it's like this article was caught in a time warp and just appeared 10-15 years after it was written and somehow got published. So the parking websites were hacked because they were using open source software?!?! I love this line "victimized by a security vulnerability in the Joomla open-source content management platform for which a patch had been issued last September, but which neither company had apparently installed."

They were victimized because they didn't patch software. It has nothing to do with the source code being open or closed. It could have been unpatched IIS or anything else. Hello, 1998 called and they would like their tech story back.
<<   <   Page 2 / 2
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Take me to your BISO 
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-10
JPA Server in HAPI FHIR before 5.4.0 allows a user to deny service (e.g., disable access to the database after the attack stops) via history requests. This occurs because of a SELECT COUNT statement that requires a full index scan, with an accompanying large amount of server resources if there are m...
PUBLISHED: 2021-05-10
Cross Site Scripting (XSS) in Hotels_Server v1.0 allows remote attackers to execute arbitrary code by injecting crafted commands the data fields in the component &quot;/controller/publishHotel.php&quot;.
PUBLISHED: 2021-05-10
An exploitable SQL injection vulnerability exists in &acirc;&euro;&tilde;manageServiceStocks.jsp&acirc;&euro;&trade; page of OpenClinic GA 5.173.3. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.
PUBLISHED: 2021-05-10
An out-of-bounds write vulnerability exists in the import_stl.cc:import_stl() functionality of Openscad openscad-2020.12-RC2. A specially crafted STL file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.
PUBLISHED: 2021-05-10
OpenAPI Generator allows generation of API client libraries (SDK generation), server stubs, documentation and configuration automatically given an OpenAPI Spec. Using `File.createTempFile` in JDK will result in creating and using insecure temporary files that can leave application and system data vu...