Cybersecurity Snapshots #12 - Open Source Code: Is It Secure?
Many organizations are adopting open source code to help them develop commercial applications faster. A third of the average commercial application's code base is composed of open source code. Since many organizations rely on producing software quickly, researchers believe it is not viable for them to eliminate open source code from their development. Researchers at Black Duck, a company that focuses on software composition analysis, found that 96 percent of commercial applications now use open source components. The average commercial application has 147 different open source components, and 67 percent of those applications used components with known vulnerabilities. Since more organizations are using open source code, how secure is it to rely on it when building software?
Clearly, there are advantages to using open source software. It reduces the time it takes to create commercial applications. Many companies are comfortable using major open source projects when large groups maintain them. Since so many organizations use the same code components, vulnerabilities may be caught and addressed more quickly. Another advantage of open source code is that companies can inspect the code and fix it themselves immediately if there is a problem. If a company uses code licensed under proprietary agreements, it generally has to wait for the vendor to respond before the code is fixed.
There are also disadvantages to using open source software. New vulnerabilities are constantly being found in open source code, and many projects have no mechanisms in place for finding and fixing problems. According to a recent Snyk survey of open source maintainers, 44 percent have never had a security audit, and only 17 percent said that they had a high level of security know-how. There is also no standard way of documenting security on open source projects: of the top 400,000 public repositories on GitHub, only 2.4 percent had security documentation in place. When an open source project fixes a problem, there often isn't a mechanism to find and notify all of the users of the old code, because the open source community does not track who uses its components. According to the Snyk survey, 88 percent of open source maintainers add security-related announcements to their release notes, and 34 percent of them say they deprecate the older, insecure version. A quarter of maintainers said that they make no effort to notify users of vulnerabilities, and only 10 percent file a CVE (Common Vulnerabilities and Exposures) entry.
The giant Equifax breach involved a vulnerability in the Apache Struts open source framework. A patch came out a couple of months before the breach occurred, and while Equifax was aware of the patch, the company was unable to apply the fix in time. The breach affected 143 million people, and the information the adversaries may have obtained included names, Social Security numbers, birthdates, and home addresses.
Researchers at Veracode found that only 28 percent of organizations do any regular analysis to find out what components are built into their applications. As the use of open source code grows, the risk surface expands. Many organizations using open source do not scan their code for potential security weaknesses, even though there are resources for scanning open source code for defects before companies use it to create their software. Synopsys provides a free service called Coverity Scan to do just this. So far, organizations have used the tool to analyze about 750 million lines of open source code; it identified 1.1 million defects, of which 650,000 had already been addressed. Integrating open source vulnerability scans into the development process is important because open source code and software are being adopted more widely, and because it can be difficult to track down all the code that is in use. Organizations should make sure to scan open source code for vulnerabilities before they use it to create their commercial software.
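The component analysis described above, reduced to its core: inventory the pinned dependencies and match each against an advisory feed by version range. This is an added illustration, not code from the article or from Black Duck, Snyk or Coverity Scan; the requirements file, the advisory records and their version numbers are all constructed placeholders.

```python
"""Minimal software-composition check: list pinned dependencies and flag
those that fall inside a known-vulnerable version range."""
import re

# Constructed sample manifest in pip 'name==version' style (not a real project).
SAMPLE_REQUIREMENTS = """\
# web stack
flask==2.0.1
requests==2.19.0
pyyaml==5.3.1   # config parser
"""

# Constructed advisory feed: 'introduced' is inclusive, 'fixed' is exclusive.
# The ids and version bounds are illustrative placeholders, not real CVE data.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "requests", "introduced": "2.0.0", "fixed": "2.20.0"},
    {"id": "EXAMPLE-0002", "package": "pyyaml", "introduced": "0", "fixed": "5.4"},
    {"id": "EXAMPLE-0003", "package": "flask", "introduced": "0", "fixed": "1.0"},
]


def parse_version(text):
    """Turn '2.19.0' into (2, 19, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def parse_requirements(text):
    """Return {package: version} for exact '==' pins; comments and blanks are skipped."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        match = re.match(r"^([A-Za-z0-9_.-]+)==([0-9][0-9.]*)$", line)
        if match:
            deps[match.group(1).lower()] = match.group(2)
    return deps


def find_vulnerable(deps, advisories):
    """Return sorted (package, version, advisory id, first fixed version) tuples
    for every pinned dependency inside an advisory's affected range."""
    findings = []
    for adv in advisories:
        version = deps.get(adv["package"])
        if version is None:
            continue
        if parse_version(adv["introduced"]) <= parse_version(version) < parse_version(adv["fixed"]):
            findings.append((adv["package"], version, adv["id"], adv["fixed"]))
    return sorted(findings)


if __name__ == "__main__":
    for pkg, ver, adv_id, fixed in find_vulnerable(parse_requirements(SAMPLE_REQUIREMENTS), SAMPLE_ADVISORIES):
        print(f"{pkg}=={ver} matches {adv_id}; upgrade to >= {fixed}")
```

Run against the constructed inputs it reports pyyaml and requests and leaves flask alone, which is the kind of inventory the Veracode figure says most organizations never produce.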
The use of open source code saves time and money, which means organizations will most likely continue to build their software on it, and its popularity will most likely keep growing. It is critical that the code be scanned for vulnerabilities before it is used to create commercial applications, as doing so would tremendously decrease the risk of using open source code.