Dark Reading is part of the Informa Tech Division of Informa PLC



Real-World Use, Risk of Open Source Code

Organizations are using more open source software than ever before, but managing that code remains a challenge.

Open source code is vital to software development at most organizations, but that doesn't mean that enterprises have figured out how to use open source without inadvertently introducing vulnerabilities into their code.

A new study by the Synopsys Black Duck Audit Services team found that open source software vulnerabilities have decreased, but many organizations seem to have trouble keeping track of the patch status of their open source components. Synopsys's anonymized data from more than 1,200 codebases at enterprises in 17 different industries shows that more than 96% of the codebases contain open source software or libraries.

And according to the Open Source Security and Risk Analysis report, 60% of the codebases audited had at least one vulnerability, down from 78% in last year's study.

More than 99% of codebases with more than 1,000 files contain open source components. And within those codebases, there are an average of 298 separate open source components — up from an average of 257 in the previous research. That increase in open source component count is important given that "few companies accurately track the components they use in their code. Most lack the policies, processes, and tools to keep up with the choices made by their developers," the report said. 

Open source component use is so prevalent that, in 13 of the 17 industry sectors tracked, there were more open source than proprietary components in the code base. That's why, says Tim Mackey, principal security strategist in the Synopsys Cybersecurity Research Center (CyRC), it's encouraging that the report contains some good news: "For the first time, there was a pretty substantial decrease in the number of open source vulnerabilities in the code base," he says. 

Mackey says that the reduction comes from a combination of patched vulnerabilities in the open source code, and a greater likelihood that the patched code will be in the codebases. "The companies are having a greater awareness of what to do and how to do it," he explains. With that said, unpatched code remaining in the codebases of organizations is a significant problem.

"Even though we're seeing a decrease in vulnerabilities in the aggregate, we're still seeing a lot of things that are 'stale,'" Mackey says, citing as an example the oldest vulnerability seen by the researchers in this year's study, which dates from 1990. According to the report, 43% of the scanned codebases contained vulnerabilities more than 10 years old, an indication that companies are not keeping up with open source patching.

Given the number of open source components in most codebases, simply keeping an inventory of the open source components in your software can be a daunting task, never mind keeping up with the fork, version, and update state of each one.

'Gold Image'

Ed Giaquinto, CIO at Sectigo, says it's important for open source code to be properly inventoried and maintained to avoid introducing security vulnerabilities to applications. In response to a Twitter query about how organizations deal with open source components in their code libraries, he points to his desktop systems, where, "We get notifications of all installs (above and beyond the standard approved applications) from our endpoint management system." All servers, he says, are built from approved "golden images" with any deviations approved in advance and fully documented.

He says he believes that the combination of automated process and development discipline gives the company 95% awareness of the vulnerabilities and risks in its open source code.

The importance of automation to keep up with open source updates is echoed by Rhett Glauser, vice president of marketing at SaltStack. "Considering modern scale & complexity, humans can't effectively deliver continuous compliance alone," he wrote in a response on Twitter.

Mackey is adamant that being aware of the code in a codebase is critical for maintaining the updates and patches required for secure code. "You can't patch something that you don't know you have," he says.

Even with a reliable inventory, though, knowing whether the code in your codebase is the most current, reliable version can be difficult.

"Independent of whatever software asset software you have, you need to be building the bill of materials that includes where the code came from in the first place," Mackey says. "A solution for patching something that came from one source might not work for the same item that came from a different source."
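One way to act on that point, as an added example written for this article rather than Synopsys or Black Duck code: a short Python script that builds a minimal bill of materials from a pinned requirements file, records where each component came from, and then checks the inventory against a table of fixed versions. The requirements lines, the fork URL and the FIXED_IN table are constructed for illustration and do not describe real advisories; the point is that the same library pulled from two sources appears as two entries, each with its own remediation.

```python
"""Minimal bill of materials with provenance, built from a pinned Python
requirements file, then checked for stale components.

Added example for this article; not Synopsys/Black Duck code. The input
text, the fork URL and the FIXED_IN table are constructed and do not
describe real advisories.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input mixing three kinds of origin for components.
SAMPLE_REQUIREMENTS = """\
# web stack, pinned from the package index
requests==2.19.1
urllib3==1.24.1
certifi==2019.6.16
# the same library again, but taken from a fork rather than the index
urllib3 @ git+https://github.com/example-org/urllib3.git@a1b2c3d
# a vendored copy checked into the repository
./vendor/libfoo-0.9.3
"""

# Constructed "fixed in" versions keyed by component name. A real tool
# would pull this from an advisory feed; these values are illustrative.
FIXED_IN = {
    "requests": "2.20.0",
    "urllib3": "1.24.2",
    "certifi": "2019.3.9",
    "libfoo": "1.0.0",
}

GIT_REQ = re.compile(r"^([A-Za-z0-9_.-]+)\s*@\s*git\+(\S+?)(?:@([0-9a-fA-F]+))?$")
PIN_REQ = re.compile(r"^([A-Za-z0-9_.-]+)==(\S+)$")


@dataclass(frozen=True)
class Component:
    name: str
    version: Optional[str]  # None when only a git ref is known
    source: str             # "registry", "git" or "path"
    locator: str            # where an update has to be applied


def parse_version(v: str):
    """'1.24.2' -> (1, 24, 2) so that tuples compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_requirements(text: str):
    """Build the inventory, keeping every origin of a name separately:
    the same library from two sources is two entries, because each
    needs its own remediation."""
    comps = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := GIT_REQ.match(line):
            name, url, ref = m.groups()
            comps.append(Component(name, None, "git", f"{url}@{ref or 'HEAD'}"))
        elif m := PIN_REQ.match(line):
            name, ver = m.groups()
            comps.append(Component(name, ver, "registry", f"pypi:{name}=={ver}"))
        elif line.startswith(("./", "/")):
            # vendored directory named <name>-<version>
            base = line.rstrip("/").rsplit("/", 1)[-1]
            name, _, ver = base.rpartition("-")
            if not name or not ver[:1].isdigit():
                raise ValueError(f"cannot read a version from {line!r}")
            comps.append(Component(name, ver, "path", line))
        else:
            raise ValueError(f"unrecognised requirement line: {line!r}")
    return comps


def check_inventory(comps, fixed_in):
    """Return (component, verdict) pairs. The verdict depends on the
    source: a registry pin can be bumped, a vendored copy must be
    replaced, and a git ref carries no version number to compare."""
    findings = []
    for c in comps:
        fixed = fixed_in.get(c.name)
        if fixed is None:
            findings.append((c, "no fix data"))
        elif c.version is None:
            findings.append((c, f"unknown: confirm the fix is in {c.locator}"))
        elif parse_version(c.version) < parse_version(fixed):
            action = {
                "registry": f"bump pin to {c.name}=={fixed}",
                "path": f"replace vendored copy with {c.name}-{fixed}",
            }[c.source]
            findings.append((c, f"stale: {c.version} < {fixed}; {action}"))
        else:
            findings.append((c, "current"))
    return findings


def stale_components(text: str, fixed_in=FIXED_IN):
    """Names of components that definitely need action, in input order."""
    return [c.name for c, v in check_inventory(parse_requirements(text), fixed_in)
            if v.startswith("stale")]


if __name__ == "__main__":
    for comp, verdict in check_inventory(parse_requirements(SAMPLE_REQUIREMENTS), FIXED_IN):
        print(f"{comp.name:10} {comp.source:9} {comp.version or '-':12} {verdict}")
```

Run it directly and it prints one line per entry. The fork of urllib3 gets an "unknown" verdict rather than "stale" or "current": a commit hash says nothing about whether the upstream fix landed in that fork, which is exactly the situation Mackey describes where a remediation that works for the index copy does not apply to the same name from another source.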

And you might not even know that an item needs to be patched if you assume the open source world works like the commercial software market, where updates are frequently pushed to the customer and vendors communicate regularly about updates and patches. "They need to be engaged with the communities," explains Mackey. "In the open source world, they don't know who you are without the level of engagement."

He recommends building a development strategy that includes committing time and resources to participating in the open source communities that develop the code you adopt. That engagement can help security-wise, he says. "...the transparency of mature, well-adopted OSS [open source software] can foster peer review that is tough to match in proprietary [software]."


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ...
