Security Best Practices in the Age of Open Source Code

In today’s world, the urgency to rapidly develop software results in the use of open source code. Attackers are well aware that this urgency leads to poor practices, such as inadequate version control and poor documentation of which open source code is in use. They continually monitor repositories such as GitHub, SourceForge, and many others to identify who has contributed code and who has had problems with it.

Open source code is an obvious target, since there are ample ways to exploit it, and it has become a more attractive target than proprietary custom code. More organizations are moving to Agile development environments, where most software developers are trained in and accustomed to open source technologies.

Open source and proprietary software both have their fair share of vulnerabilities. The majority, if not all, hacking tools originated from open source repositories. According to a recent Forrester research analysis, open source has become the method of choice in application development, with custom code comprising only 10% to 20% of the applications in use.

According to SAP, over 80% of all cyber attacks target applications rather than the network. Like electricity, which follows the path of least resistance, attackers choose the exploits that offer the best attack surface opportunities.

For instance, Heartbleed is a dangerous security flaw in OpenSSL, an open source cryptographic software library used by applications globally. The vulnerability allows attackers to steal information that, under normal conditions, is protected by the SSL/TLS encryption used to secure the Internet.

In another example, the Equifax breach was caused by an open source Apache Struts flaw discovered two months before the attack occurred. A patch was available shortly after the discovery, but Equifax failed to apply it, which resulted in devastating consequences.

Common Issues

Most deployed security tools are based on dynamic and static analysis techniques, which are effective at discovering bugs in proprietary code but fail to identify known vulnerabilities in open source components. Most of these vulnerabilities are reported by security researchers; thousands have been disclosed through the National Vulnerability Database (NVD), yet only a handful are referenced by the common security tools in use today. This is why open source vulnerabilities are the leading risk to application security.

What is crucial is keeping track of the sheer volume of open source software in use, which is hard to do manually. Most organizations lack visibility into all of the open source components they use. With proprietary commercial software, updates and patches are pushed to the customer; open source follows a pull model, so the user is responsible for keeping track of vulnerabilities and updates.

As the Equifax breach shows, an organization must be aware when a vulnerable open source component exists in its application. Otherwise it is highly probable that the component will remain unpatched until a devastating incident occurs.

Vulnerability Data Repositories & Resources

Security professionals and software developers can tap into database and collaboration resources to assist them in researching known or recently discovered vulnerabilities in open source code.

The United States Computer Emergency Readiness Team (US-CERT) is a national government hub for cyber and communications information, technical expertise, and operational integration. It operates around the clock as an incident response center providing situational awareness and analysis. Other countries have formed similar CERT initiatives, sharing incidents and intelligence with their counterparts globally.

The Open Web Application Security Project (OWASP) was first conceived in 2001 to build a community of collaborators who define security recommendations, specifications, and explanations on which security vendors can base their products and which security practitioners can incorporate in their work. Over the years its influence has grown through numerous global chapters, developed standards, and testing tools. Its fundamental charter is an open forum, free from corporate oversight, providing unbiased information about application security.

The Open Sourced Vulnerability Database (OSVDB) was founded in 2002 as a repository where security practitioners shared information without the influence and oversight of corporate software companies. The repository shut down in 2016, yet it still maintains a collaborative blog.

The National Institute of Standards and Technology (NIST) debuted the National Vulnerability Database (NVD), originally created in 2000. This U.S. government repository consists of standards-based vulnerability management data that automates vulnerability management, security metrics, and compliance. Information stored in the NVD includes security checklists, software flaws, misconfigurations, product names, and impact measurements.

Best Practices

Open Source Policies:

It is not surprising that most organizations lack documented policies that enforce oversight of and compliance with open source use. Developers must be trained in their responsibilities to ensure security is a priority.

Comprehensive Open Source Inventory:

Cataloging and maintaining a complete inventory of all open source software is crucial. This inventory must include the version in use, the repository it came from, and the associated development project. It must also reference all dependencies and libraries. Developers must be diligent in exercising proper inventory control within their teams.

Security Vulnerability Mapping:

Resources such as US-CERT, the NVD, OWASP, and OSVDB provide the intelligence behind publicly disclosed vulnerabilities. Not all vulnerabilities are reported, and those that are often lag in timeliness and accuracy. It is important to use all of the resources available.

Risk Identification and Monitoring:

Some open source software carries licensing obligations and can pose a significant intellectual property risk, leading to costly litigation. Always investigate the software for any licensing and support requirements. The volume of vulnerabilities to monitor is staggering, with thousands of new incidents reported every year. It is crucial to keep monitoring for as long as the software is in use.
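As an added example (not code from the article), the inventory, mapping, and monitoring steps above in a minimal Python form: an inventory that records the fields the text lists, a check of each version against a vulnerability feed, and a second check that flags components the feed says nothing about, since not every vulnerability is reported. The inventory entries, the feed, and the advisory ids are constructed sample data and placeholders, not real CVE numbers.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Component:
    name: str        # open source component name
    version: str     # version in use
    repository: str  # repository it came from
    project: str     # development project that depends on it

# Constructed inventory entries (sample data, not from the article).
INVENTORY = [
    Component("openssl", "1.0.1f", "https://github.com/openssl/openssl", "payments-api"),
    Component("struts2-core", "2.3.31", "https://github.com/apache/struts", "customer-portal"),
    Component("log-helper", "3.2.0", "https://example.invalid/log-helper", "customer-portal"),
]

# Constructed feed (ids are placeholders, not real CVEs): (id, component, first vulnerable, fixed in).
FEED = [
    ("ADV-PLACEHOLDER-1", "openssl", "1.0.1", "1.0.1g"),
    ("ADV-PLACEHOLDER-2", "struts2-core", "2.3.5", "2.3.32"),
]

def version_key(version):
    """Turn '1.0.1f' into ((1,''),(0,''),(1,'f')) so letter suffixes compare sanely."""
    parts = []
    for segment in version.split("."):
        m = re.fullmatch(r"(\d+)([A-Za-z]*)", segment)
        if not m:
            raise ValueError(f"unsupported version segment: {segment!r}")
        parts.append((int(m.group(1)), m.group(2)))
    return tuple(parts)

def find_exposed(inventory, feed):
    """(advisory id, component) pairs whose version lies in [first vulnerable, fixed in)."""
    hits = []
    for comp in inventory:
        key = version_key(comp.version)
        for adv_id, name, first_vuln, fixed_in in feed:
            if name == comp.name and version_key(first_vuln) <= key < version_key(fixed_in):
                hits.append((adv_id, comp))
    return hits

def unmapped(inventory, feed):
    """Components with no feed coverage at all: a visibility gap, not a clean bill."""
    covered = {name for _, name, _, _ in feed}
    return [comp for comp in inventory if comp.name not in covered]

if __name__ == "__main__":
    print(find_exposed(INVENTORY, FEED), unmapped(INVENTORY, FEED))
```

Re-running the two checks on every inventory change and every feed update is the ongoing monitoring the text calls for.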

Additional Risk Reduction Steps:

  • Become aware of what open source is in any purchased software.
  • Inquire whether a commercial third-party library is used and whether patching is provided under an SLA.
  • Find out whether the developers are using static and dynamic analysis, including threat modeling, to discover vulnerabilities.
  • Ask how they monitor the software components, how they alert users to incidents, and how they provide patches and updates.

The largest security threat to organizations is software vulnerabilities, and the use of vulnerable components is an OWASP Top 10 issue. Having a proper software inventory and managing and securing open source in applications are crucial to thwarting attackers.