Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

4/30/2013
11:45 PM
50%
50%

Open Source Software Libraries Get Renewed Scrutiny

The Open Web Application Security Project adds common software components to its list of threats to spur developers to look more deeply at software libraries

As companies increasingly create applications and internal tools on top of open-source building blocks, vulnerabilities in those common components are becoming a serious threat.

Yet, the lion's share of companies continue to ignore the problem, according to a report released this week. While nearly 80 percent of companies rely on open-source components for their development efforts, more than three-quarters lack any meaningful controls over the usage of such libraries and frameworks, according to the annual Open Source Software Development Survey conducted by Sonatype, a manager of a large repository of open-source components. While many companies have started to develop their own applications with security in mind, they have typically treated online components with less rigor, says Wayne Jackson, the firm's CEO.

"We have a very mature component-usage ecosystem," he says. "Companies are getting enormous benefits from the ability to leverage byte-sized innovation ... but the ecosystem to support that consumption, to bring order to all of that, is completely missing."

The Open Web Application Security Project has recognized the threat as well. For the first time since the group began compiling its OWASP Top-10 List of Web security weaknesses, the list has singled out software components with known vulnerabilities as a top threat in its 2013 list of candidates. For example, two vulnerabilities--Apache CXF Authentication Bypass and the Spring Remote Code Execution--affected components that were downloaded 22 million times in 2011, the group noted.

"Virtually every application has these issues because most development teams don’t focus on ensuring their components stay up to date," the OWASP entry reads. "In many cases, the developers don’t even know all the components they are using, never mind their versions."

[Poor communication and significant friction between developers and the software-security team is a key reason that software issues continue to go unaddressed. See Building A Detente Between Developers And Security.]

The problem will only be made worse by the growing popularity of common components and libraries. In 2012, use of components skyrocketed. From Sonatype's repository alone, some 8 billion software components were downloaded during the year, almost doubling the number of components downloaded in 2011, the firm states.

Solving the problem will be hard. Companies should not rely on the open-source project to get it right. While open-source developers like to trust in "many eyes" that peruse the code to catch most vulnerabilities, only a few projects garner enough attention for contributors to catch a good percentage of security flaws, says Chris Wysopal, chief technology officer and co-founder of application-security firm Veracode.

"The many eyes theory only works for the very largest projects," Wysopal says.

Companies should instead treat open-source components and libraries in a similar way to the firm's own code and analyze them for vulnerabilities, Wysopal adds. "If you are doing static or dynamic analysis on the code you are writing, you need to do the same thing to the open-source software that is coming into your environment," he says.

Security teams need to work with the developers to make sure that open-source policies are both enforceable and do not slow down development so much that programmers attempt to go around the policies, Sonatype's Jackson says. In the firm's study, developers listed enforcing policies, slower development and the delayed notification of vulnerabilities as the top-3 issues affecting implementation of open-source policies.

In the end, companies must be prepared to check the components themselves, rather than trust an open-source project's maintainers to find all the bugs, agrees Jacob West, chief technology officer of the Enterprise Security Products group at Hewlett-Packard.

"For the foreseeable future, the onus is on the organization to determine how much risk open-source components produce," West says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
10 Ways to Keep a Rogue RasPi From Wrecking Your Network
Curtis Franklin Jr., Senior Editor at Dark Reading,  7/10/2019
The Security of Cloud Applications
Hillel Solow, CTO and Co-founder, Protego,  7/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-13611
PUBLISHED: 2019-07-16
An issue was discovered in python-engineio through 3.8.2. There is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability that allows attackers to make WebSocket connections to a server by using a victim's credentials, because the Origin header is not restricted.
CVE-2019-0234
PUBLISHED: 2019-07-15
A Reflected Cross-site Scripting (XSS) vulnerability exists in Apache Roller. Roller's Math Comment Authenticator did not property sanitize user input and could be exploited to perform Reflected Cross Site Scripting (XSS). The mitigation for this vulnerability is to upgrade to the latest version of ...
CVE-2018-7838
PUBLISHED: 2019-07-15
A CWE-119 Buffer Errors vulnerability exists in Modicon M580 CPU - BMEP582040, all versions before V2.90, and Modicon Ethernet Module BMENOC0301, all versions before V2.16, which could cause denial of service on the FTP service of the controller or the Ethernet BMENOC module when it receives a FTP C...
CVE-2019-6822
PUBLISHED: 2019-07-15
A Use After Free: CWE-416 vulnerability exists in Zelio Soft 2, V5.2 and earlier, which could cause remote code execution when opening a specially crafted Zelio Soft 2 project file.
CVE-2019-6823
PUBLISHED: 2019-07-15
A CWE-94: Code Injection vulnerability exists in ProClima (all versions prior to version 8.0.0) which could allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system in all versions of ProClima prior to version 8.0.0.