OSS and third-party security risk: Lessons for IoT businesses

Although the news coverage about the Equifax breach focused on the consumer impact, the Apache Struts vulnerability raises questions about Open Source Software (OSS) and third-party security for businesses, especially Internet of Things (IoT) organisations.  With today’s emphasis on data interoperability to create smart factories and implement Industry 4.0, IoT company security breaches open up the risk of exposing key product information, business intelligence and more.

OSS and third-party use: What IoT companies don’t know can hurt

As the amount of software running inside IoT hardware continues to grow, so does the use of OSS and other third-party software. For example, Apache Struts 2, the framework at the centre of the Equifax breach, is a common OSS component in commercial and in-house web applications that receive and serve data.

While IoT companies likely monitor for breaches at some level across the organisation, the deeper exposure today lies in the OSS and third-party software inside their products. Most organisations do not analyse their specific third-party use, and research indicates that actual use is typically 20 times larger than suspected. In addition, the average software product is at least 50 per cent OSS.

A 2017 survey of 400 IoT and software companies, Open Source Risk – Fact or Fiction?, shed additional light on this important topic.  The survey uncovered:

· Only 37 per cent said their companies had open source acquisition or usage policies in place; 43 per cent said they did not, and 19 per cent did not know.
· 39 per cent of respondents said that either no one within their company is responsible for open source compliance, or they do not know who is.

This data illustrates an operational gap for IoT companies—no infrastructure is in place to know the scope of OSS use, monitor for risks and close any potential breaches.  With the growing need for intelligence to support smart factories, IoT businesses are exposed to risks at many levels.

How lack of structure caused deeper Equifax issues

As software use increases for IoT companies, the Equifax breach offers important lessons. What could Equifax have avoided through a procedure that forced fast action? The OSS community announced the suspected vulnerability on March 7 along with a patch to apply for protection (a typical pattern: according to the Flexera Vulnerability Review 2017, 81 per cent of vulnerabilities disclosed in 2016 had a patch available on the day of disclosure). However, the patch was not applied immediately and the intrusion was not uncovered until July. The result: 143 million consumers exposed, lawsuits and a significant negative impact on reputation.

OSS security challenges deeper for IoT companies

To avoid the same experience as Equifax, IoT companies need to require software controls. The wins from OSS are still big (flexibility, speed, capacity and upgrades), but they require new internal processes to protect security. It is a multi-level analysis for IoT companies, and a critical component of product planning as they shift from selling physical devices to adding software services as part of their product offerings.

The process begins by implementing protection mechanisms at every stage of the software development cycle, together with a realisation that decisions made during coding have a broader organisational impact than developers may assume:

· During requirements and user interface definition: identifying which features require OSS or third-party use.
· During coding: creating a process with checks and balances on risks and compliance before adding OSS or third-party code.
· During patch management: carefully auditing any OSS or third-party code that offers a quick fix for an issue.

The development process is a great start.  Protection also needs to extend into an organisation-wide strategy.

Developing smart OSS protection as an organisation

Using OSS offers great benefits: faster time to market and development time savings. By taking some key steps, IoT organisations can continue to enjoy these benefits while protecting the company.

Analyse the software component of your products

Historically, hardware has been the focal point for IoT companies.  As more and more software runs behind the scenes, it’s time to analyse what’s there, its source and what’s needed to manage it.  An audit is a great place to start.

Create training on OSS use and management

OSS use is often behind the scenes.  Since it offers benefits and risks, key stakeholders in your organisation should become familiar with the frequency of use and the compliance needed to protect the company.  In addition, development teams, which may have a culture of quickly grabbing available code to meet launch dates, also need education on possible risks and the importance of a disciplined process for using OSS.  Finally, everyone should be aligned and committed to a formal OSS methodology.

Managing OSS use crosses many areas of the organisation.  Engineering opens the door for code entering the company.  Legal protects the company reputation, seeking to avoid the risks of lawsuits, FTC probes and government intervention.  IT focuses on security and prevention.  Management controls the level of company investment and time.  When these key stakeholders join forces, the company gains a powerful compliance team, often called an Open Source Review Board (OSRB).

Define a formal OSS security strategy and process

Certainly, discussion about creating an OSS process is important.  To truly gain the impact needed, it’s time to document the procedures that everyone will follow, including:

· Review the code you are using. Check what is being used at multiple stages and at different code levels, including penetration tests.
· Ask your outsourced partners to follow the audit process and document compliance.
· Define detailed audit trails to make it easy to find vulnerabilities and fix them.

Explore software composition analysis (SCA) technology

Most attacks on vulnerable OSS components target the application layer, so network-level controls such as intrusion detection, firewalls, web-based authentication and identity management systems do not cover this exposure on their own. Scanning technology targeted specifically at OSS use identifies which source libraries are being used, which hidden third-party libraries are being pulled in transitively and may pose a risk, and how much stolen or copied code has crept in without proper attribution.
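To make the scanning step and the audit-trail item above concrete, here is a small added example (not code from the article or from any vendor's product) of what a composition check does: it walks a dependency manifest to surface transitive components, compares each version against an advisory's fixed version, and reports how long each exposed component has gone unpatched, the patch-lag metric behind the March-to-July gap described earlier. The manifest, dependency index, advisory feed and audit date are constructed placeholders.

```python
from datetime import date

# Constructed sample data (not from the article): a direct-dependency manifest, a tiny
# index supplying "hidden" transitive components, an advisory feed and an audit date.
MANIFEST = ["org.example:web-framework:2.3.31", "org.example:json-lib:1.4.0"]
INDEX = {
    "org.example:web-framework:2.3.31": ["org.example:template-engine:3.0.19"],
    "org.example:json-lib:1.4.0": ["org.example:io-utils:2.5"],
    "org.example:template-engine:3.0.19": [],
    "org.example:io-utils:2.5": [],
}
ADVISORIES = {
    "org.example:web-framework": {"fixed_in": "2.3.32", "published": date(2017, 3, 7)},
    "org.example:template-engine": {"fixed_in": "3.0.20", "published": date(2017, 4, 1)},
}
AS_OF = date(2017, 7, 29)

def parse_version(version):
    """Turn '2.3.31' into (2, 3, 31) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))

def inventory(manifest, index):
    """Walk the dependency graph; return {component: path from its direct dependency}."""
    seen = {}
    stack = [(coord, [coord]) for coord in manifest]
    while stack:
        coord, path = stack.pop()
        if coord in seen:
            continue
        seen[coord] = path
        for dep in index.get(coord, []):
            stack.append((dep, path + [dep]))
    return seen

def find_exposed(inv, advisories, as_of):
    """Components still below an advisory's fixed version, with days of patch lag."""
    findings = []
    for coord, path in inv.items():
        group, artifact, version = coord.rsplit(":", 2)
        adv = advisories.get(f"{group}:{artifact}")
        if adv and parse_version(version) < parse_version(adv["fixed_in"]):
            findings.append({"component": coord, "fixed_in": adv["fixed_in"],
                             "via": " -> ".join(path), "transitive": len(path) > 1,
                             "days_unpatched": (as_of - adv["published"]).days})
    # Longest-unpatched first: the item an audit trail should surface for action.
    return sorted(findings, key=lambda f: -f["days_unpatched"])

if __name__ == "__main__":
    for f in find_exposed(inventory(MANIFEST, INDEX), ADVISORIES, AS_OF):
        print(f"{f['component']}: fix in {f['fixed_in']}, {f['days_unpatched']} days, via {f['via']}")
```

A real scanner reads the build system's resolved dependency tree and a live advisory feed instead of these inline tables, but the logic is the same: know every component, including the transitive ones, and measure how long each known-vulnerable one has been left in place.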

Don’t be next — plan, scan and protect

Equifax is only the first company to experience the impact of the latest OSS vulnerability.  With proactive planning, IoT companies can learn from what occurred and experience the wins of OSS with minimal risk.

Jeff Luszcz, VP of Product Management, Flexera Software