Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Real-World Use, Risk of Open Source Code

Organizations are using more open source software than ever before, but managing that code remains a challenge.

Open source code is vital to software development at most organizations, but that doesn't mean that enterprises have figured out how to use open source without inadvertently introducing vulnerabilities into their code.

A new study by the Synopsys Black Duck Audit Services team found that open-source software vulnerabilities have decreased, but many organizations seem to have trouble keeping track of the patched status of their open source components. Synopsis anonymized data from more than 1,200 codebases in enterprises in 17 different industries found that more than 96% of the codebases contain open source software or libraries. 

And according to their Open Source Security and Risk Analysis report, 60% of the codebases they audited had at least one vulnerability, down from 78% in last year's study.

More than 99% of codebases with more than 1,000 files contain open source components. And within those codebases, there are an average of 298 separate open source components — up from an average of 257 in the previous research. That increase in open source component count is important given that "few companies accurately track the components they use in their code. Most lack the policies, processes, and tools to keep up with the choices made by their developers," the report said. 

Open source component use is so prevalent that, in 13 of the 17 industry sectors tracked, there were more open source than proprietary components in the code base. That's why, says Tim Mackey, principal security strategist in the Synopsys Cybersecurity Research Center (CyRC), it's encouraging that the report contains some good news: "For the first time, there was a pretty substantial decrease in the number of open source vulnerabilities in the code base," he says. 

Mackey says that the reduction comes from a combination of patched vulnerabilities in the open source code, and a greater likelihood that the patched code will be in the codebases. "The companies are having a greater awareness of what to do and how to do it," he explains. With that said, unpatched code remaining in the codebases of organizations is a significant problem.

"Even though we're seeing a decrease in vulnerabilities in the aggregate, we're still seeing a lot of things that are 'stale," Mackey says, citing an example of the oldest seen by the researchers in this years study dating from 1990. According to the report, 43% of the scanned codebases contained vulnerabilities more than 10 years old - an indication that companies are not keeping up with open-source patching.

Given the number of open source components in most codebases, simply keeping up with open source components in your software are can be a daunting task -never mind keeping up with the fork, version, and state of updates to the code. 

'Gold Image'

Ed Giaquinto, CIO at Sectigo, says it's important for open source code to be properly inventoried and maintained to avoid introducing security vulnerabilities to applications. In response to a Twitter query about how organizations deal with open source components in their code libraries, he points to his desktop systems, where, "We get notifications of all installs (above and beyond the standard approved applications) from our endpoint management system." All servers, he says, are built from approved "golden images" with any deviations approved in advance and fully documented.

He says he believes that the combination of automated process and development discipline give the company 95% awareness of vulnerabilities and risks with open source code.

The importance of automation to keep up with open source updates is echoed by Rhett Glauser, vice president of marketing at SaltStack. "Considering modern scale & complexity, humans can't effectively deliver continuous compliance alone," he wrote in a response on Twitter.

Mackey is adamant that being aware of the code in a codebase is critical for maintaining the updates and patches required for secure code. "You can't patch something that you don't know you have," he says.

Even with a reliable inventory, though, knowing whether or not the code in your codebase is the most current, reliable, version can be difficult.

"Independent of whatever software asset software you have, you need to be building the bill of materials that includes where the code came from in the first place," Mackey says. "A solution for patching something that came from one source might not work for the same item that came from a different source."

And you might not even know that an item needs to be patched if the open source world is assumed to be akin to the commercial software market, where updates are frequently pushed to the customer, and there are regular communications about updates and patches. "They need to be engaged with the communities," explains Mackey. "In the open source world, they don't know who you are without the level of engagement."

He recommends building a development strategy that includes committing time and resources to participating in the open source communities that develop the code you adopt. That engagement can help security-wise, he says. "...the transparency of mature, well-adopted OSS [open source software] can foster peer review that is tough to match in proprietary [software]."

Related Content:

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Windows 10 Migration: Getting It Right
Kevin Alexandra, Principal Solutions Engineer at BeyondTrust,  5/15/2019
Baltimore Ransomware Attack Takes Strange Twist
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/14/2019
When Older Windows Systems Won't Die
Kelly Sheridan, Staff Editor, Dark Reading,  5/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12184
PUBLISHED: 2019-05-19
There is XSS in browser/components/MarkdownPreview.js in BoostIO Boostnote 0.11.15 via a label named flowchart, sequence, gallery, or chart, as demonstrated by a crafted SRC attribute of an IFRAME element, a different vulnerability than CVE-2019-12136.
CVE-2019-12173
PUBLISHED: 2019-05-18
MacDown 0.7.1 (870) allows remote code execution via a file:\\\ URI, with a .app pathname, in the HREF attribute of an A element. This is different from CVE-2019-12138.
CVE-2019-12172
PUBLISHED: 2019-05-17
Typora 0.9.9.21.1 (1913) allows arbitrary code execution via a modified file: URL syntax in the HREF attribute of an AREA element, as demonstrated by file:\\\ on macOS or Linux, or file://C| on Windows. This is different from CVE-2019-12137.
CVE-2019-12168
PUBLISHED: 2019-05-17
Four-Faith Wireless Mobile Router F3x24 v1.0 devices allow remote code execution via the Command Shell (aka Administration > Commands) screen.
CVE-2019-12170
PUBLISHED: 2019-05-17
ATutor through 2.2.4 is vulnerable to arbitrary file uploads via the mods/_core/backups/upload.php (aka backup) component. This may result in remote command execution. An attacker can use the instructor account to fully compromise the system using a crafted backup ZIP archive. This will allow for PH...