Everyone uses open source. It’s found in around 95 per cent of applications and it’s easy to understand why. Open source’s value in reducing development costs, in freeing internal developers to work on higher-order tasks, and in accelerating time to market is undeniable.
The rapid adoption of open source has outpaced the implementation of effective open source management and security practices. In the annual ‘Future of Open Source Survey’ conducted earlier this year by Black Duck, nearly half of respondents said they had no formal processes to track their open source, and half reported that no one has responsibility for identifying known vulnerabilities and tracking remediation.
The flip side of the open source coin is that if you’re using open source, the chances are good that you’re also including vulnerabilities known to the world at large. Since 2014, the National Vulnerability Database (NVD) has reported over 8,000 new vulnerabilities in open source software.
Vulnerabilities in open source are particularly attractive to attackers. The ubiquity of the affected components, the public disclosure of vulnerabilities (often with sample exploits) and access to the source code make the attacker’s job simpler.
In addition, without a traditional support model, users are typically unaware of new updates and vulnerabilities in the open source they’re using. Putting on my prognosticator’s hat, here are some events around open source and open source security that I wouldn’t be surprised to see in the coming year.
1. 2017 will be the year of the open source unicorn
By 2016, open source had become the standard for infrastructure software. MySQL was acquired by Sun for $1 billion in 2008 and Red Hat now boasts a $14 billion valuation – both companies are open source-based.
Three of today’s top five most popular database management systems are open source: MySQL, PostgreSQL and MongoDB. We’re seeing a new generation of open source companies in SaaS, custom development, database management, and services/support.
Keep your eyes on open source market leaders such as Cloudera (provides Apache Hadoop-based software and services); MongoDB (an open source cross-platform document-oriented database program); Elastic (runs the open source project Elasticsearch); Datastax (provides support for the Apache Cassandra database); and Mirantis (provides technology to build and run open source cloud infrastructures) as possible 2017 unicorns.
2. The number of cyber attacks based on known open source vulnerabilities will increase by 20 per cent
Organisations of all sizes and types are expanding their use of cloud and mobile applications, which rely heavily on open source components, and live outside the company firewall.
Hackers have learned that applications are the weak spot in most organisations’ cyber security defenses, and widely available open source vulnerability exploits have a high ROI, allowing them to compromise thousands of sites, applications, and IoT devices with minimal effort.
3. In 2017 we will continue to see high-profile, high-impact attacks based on open source vulnerabilities disclosed years previously
While the recent Mirai DDoS attacks were due to design issues in IoT devices, vulnerabilities in the code could produce the same results. And, as we saw in the Panama Papers breach, vulnerable versions of open source can make attacks simple. The older the vulnerability, the more likely an exploit exists and is well known.
Black Duck’s report, The State of Open Source Security in Commercial Applications, found that the average age of an open source vulnerability in commercial applications is more than five years. The Linux kernel vulnerability discovered August 16 (CVE-2016-5195) had been in the Linux code base since 2012.
Most organisations don’t know about the open source vulnerabilities in their code because they don’t track the open source components they use, and don’t actively monitor open source vulnerability information.
4. Due to growing customer demand for better application security, we will see more of an emphasis on open source security in 2017
Two years ago, many security professionals incorrectly believed that static and dynamic analysis would find known vulnerabilities in open source components. In 2016, we saw heavy hitters such as IBM and HPE respond to customer demand for open source vulnerability management solutions by developing strategic partnerships extending their existing AppSec solutions into open source security management. We can expect this trend to continue in 2017 as more organisations recognise the missing pieces in their application security strategy.
5. In 2017, the open source software community will benefit from government policies that make code open source
In August 2016, the U.S. Government established a program (‘The People’s Code’) requiring agencies to release at least 20 per cent of new custom-developed code as open source. The policy emphasises that they must release the code in a manner that fosters communities around shared challenges; improves the ability of the open source community to provide feedback on, and make contributions to, the source code; and encourages Federal employees and contractors to contribute back to the broader open source community by making contributions to existing open source projects.
6. 2017 will see the first auto manufacturer recall based on an open source vulnerability
A typical new car in 2016 has well over 100 million lines of code. Automobiles are becoming increasingly intelligent, automated, and most importantly, internet-connected. This will exacerbate a problem that already exists: carmakers don't know exactly what software is inside the vehicles they manufacture (most of the software that binds sensors and other car hardware together comes from third parties).
That software almost certainly contains open source components with security vulnerabilities. Vulnerabilities in open source are particularly attractive to attackers, providing a target-rich environment that may have disastrous implications to a moving vehicle.
7. At least one major M&A deal will be put in jeopardy because of a discovered security breach
As the Yahoo data breach demonstrated, any M&A transaction can be hindered by software security issues, especially when, for more and more companies, the software is their business. Even though open source is an essential element in nearly every piece of software today, most companies are blind to possible security issues in the open source components contained in their code – issues which often remain undiscovered until a code audit is performed.
Preparing for Open Source Vulnerability Management in 2017
Simply put, open source is the way applications are developed today, open source is here to stay, and the movement towards open source will only grow larger as we enter 2017.
But a lack of insight into, and management of, the open source they’re using will continue to trouble companies, with new security breaches and cyber attacks almost certain in the year ahead.
To conclude, I’d recommend all companies involved with internal/external software development: 1) create open source usage policies including license obligations and acceptable security risk; 2) enforce those policies and track their open source usage, preferably through an automated means; and 3) continuously monitor for new vulnerabilities through public sources such as the NVD.
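As an added illustration of those three steps (not code from the article or from Black Duck), the script below applies a usage policy to a tracked component inventory and matches each component against an NVD-style advisory feed. All inventory entries, advisories and CVE ids are constructed placeholders, and the match is by product name and dotted version range rather than the CPE matching the real NVD uses.

```python
# Constructed inventory: what an automated open source tracker would emit.
INVENTORY = [
    {"name": "libexample", "version": "2.4.1", "license": "MIT"},
    {"name": "fastjsonish", "version": "1.0.9", "license": "GPL-3.0"},
    {"name": "netutil", "version": "0.8.0", "license": "Apache-2.0"},
]

# Constructed NVD-style records; the CVE ids are placeholders, not real advisories.
ADVISORIES = [
    {"cve": "CVE-0000-0001", "product": "libexample",
     "introduced": "2.0.0", "fixed": "2.4.2", "cvss": 7.5},
    {"cve": "CVE-0000-0002", "product": "netutil",
     "introduced": "0.5.0", "fixed": None, "cvss": 5.3},   # no fix released yet
    {"cve": "CVE-0000-0003", "product": "libexample",
     "introduced": "1.0.0", "fixed": "2.0.0", "cvss": 9.8},  # already fixed in 2.x
]

# Step 1: the usage policy, covering license obligations and acceptable risk.
POLICY = {"allowed_licenses": {"MIT", "Apache-2.0", "BSD-3-Clause"}, "max_cvss": 6.9}

def parse_version(v):
    """Dotted numeric versions only; enough for the constructed data."""
    return tuple(int(p) for p in v.split("."))

def is_affected(version, introduced, fixed):
    """Affected when introduced <= version < fixed (or no fix exists yet)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)

def evaluate(inventory, advisories, policy):
    """Steps 2 and 3: enforce the policy over the tracked inventory and match
    each component against the feed. Returns (component, kind, detail) tuples."""
    findings = []
    for comp in inventory:
        if comp["license"] not in policy["allowed_licenses"]:
            findings.append((comp["name"], "license", comp["license"]))
        for adv in advisories:
            if adv["product"] != comp["name"]:
                continue
            if is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                kind = "vuln-above-policy" if adv["cvss"] > policy["max_cvss"] else "vuln-accepted-risk"
                findings.append((comp["name"], kind, adv["cve"]))
    return findings

if __name__ == "__main__":
    for finding in evaluate(INVENTORY, ADVISORIES, POLICY):
        print(*finding)
```

Re-running `evaluate` against a freshly downloaded feed is the continuous-monitoring step; a component with no findings today can acquire one when the next advisory lands.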
Mike Pittenger, the vice president of security strategy at Black Duck Software