Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Real-World Use, Risk of Open Source Code

Organizations are using more open source software than ever before, but managing that code remains a challenge.

Open source code is vital to software development at most organizations, but that doesn't mean that enterprises have figured out how to use open source without inadvertently introducing vulnerabilities into their code.

A new study by the Synopsys Black Duck Audit Services team found that open-source software vulnerabilities have decreased, but many organizations seem to have trouble keeping track of the patched status of their open source components. Synopsis anonymized data from more than 1,200 codebases in enterprises in 17 different industries found that more than 96% of the codebases contain open source software or libraries. 

And according to their Open Source Security and Risk Analysis report, 60% of the codebases they audited had at least one vulnerability, down from 78% in last year's study.

More than 99% of codebases with more than 1,000 files contain open source components. And within those codebases, there are an average of 298 separate open source components — up from an average of 257 in the previous research. That increase in open source component count is important given that "few companies accurately track the components they use in their code. Most lack the policies, processes, and tools to keep up with the choices made by their developers," the report said. 

Open source component use is so prevalent that, in 13 of the 17 industry sectors tracked, there were more open source than proprietary components in the code base. That's why, says Tim Mackey, principal security strategist in the Synopsys Cybersecurity Research Center (CyRC), it's encouraging that the report contains some good news: "For the first time, there was a pretty substantial decrease in the number of open source vulnerabilities in the code base," he says. 

Mackey says that the reduction comes from a combination of patched vulnerabilities in the open source code, and a greater likelihood that the patched code will be in the codebases. "The companies are having a greater awareness of what to do and how to do it," he explains. With that said, unpatched code remaining in the codebases of organizations is a significant problem.

"Even though we're seeing a decrease in vulnerabilities in the aggregate, we're still seeing a lot of things that are 'stale," Mackey says, citing an example of the oldest seen by the researchers in this years study dating from 1990. According to the report, 43% of the scanned codebases contained vulnerabilities more than 10 years old - an indication that companies are not keeping up with open-source patching.

Given the number of open source components in most codebases, simply keeping up with open source components in your software are can be a daunting task -never mind keeping up with the fork, version, and state of updates to the code. 

'Gold Image'

Ed Giaquinto, CIO at Sectigo, says it's important for open source code to be properly inventoried and maintained to avoid introducing security vulnerabilities to applications. In response to a Twitter query about how organizations deal with open source components in their code libraries, he points to his desktop systems, where, "We get notifications of all installs (above and beyond the standard approved applications) from our endpoint management system." All servers, he says, are built from approved "golden images" with any deviations approved in advance and fully documented.

He says he believes that the combination of automated process and development discipline give the company 95% awareness of vulnerabilities and risks with open source code.

The importance of automation to keep up with open source updates is echoed by Rhett Glauser, vice president of marketing at SaltStack. "Considering modern scale & complexity, humans can't effectively deliver continuous compliance alone," he wrote in a response on Twitter.

Mackey is adamant that being aware of the code in a codebase is critical for maintaining the updates and patches required for secure code. "You can't patch something that you don't know you have," he says.

Even with a reliable inventory, though, knowing whether or not the code in your codebase is the most current, reliable, version can be difficult.

"Independent of whatever software asset software you have, you need to be building the bill of materials that includes where the code came from in the first place," Mackey says. "A solution for patching something that came from one source might not work for the same item that came from a different source."

And you might not even know that an item needs to be patched if the open source world is assumed to be akin to the commercial software market, where updates are frequently pushed to the customer, and there are regular communications about updates and patches. "They need to be engaged with the communities," explains Mackey. "In the open source world, they don't know who you are without the level of engagement."

He recommends building a development strategy that includes committing time and resources to participating in the open source communities that develop the code you adopt. That engagement can help security-wise, he says. "...the transparency of mature, well-adopted OSS [open source software] can foster peer review that is tough to match in proprietary [software]."

Related Content:

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Can Your Patching Strategy Keep Up with the Demands of Open Source?
Tim Mackey, Principal Security Strategist, CyRC, at Synopsys,  6/18/2019
Florida Town Pays $600K to Ransomware Operators
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12936
PUBLISHED: 2019-06-23
BlueStacks App Player 2, 3, and 4 before 4.90 allows DNS Rebinding for attacks on exposed IPC functions.
CVE-2019-12937
PUBLISHED: 2019-06-23
apps/gsudo.c in gsudo in ToaruOS through 1.10.9 has a buffer overflow allowing local privilege escalation to the root user via the DISPLAY environment variable.
CVE-2019-12935
PUBLISHED: 2019-06-23
Shopware before 5.5.8 has XSS via the Query String to the backend/Login or backend/Login/load/ URI.
CVE-2019-12933
PUBLISHED: 2019-06-22
An XSS issue on the PIX-Link Repeater/Router LV-WR09 with firmware v28K.MiniRouter.20180616 allows attackers to steal credentials without being connected to the network. The attack vector is a crafted ESSID.
CVE-2019-10028
PUBLISHED: 2019-06-21
Denial of Service (DOS) in Dial Reference Source Code Used before June 18th, 2019.