Mike Pittenger, vice president of security strategy for Black Duck Software, discusses open source security, the Equifax breach, OpenSSL and Heartbleed, and why a “software parts list” will become increasing important to organisations wanting to stay secure.
Open source use dominates application development. However, with the benefits of open source use come risks, particularly when organisations do not sufficiently track and manage the open source they have in use. For hackers the return on investment for an open source vulnerability is high. A single exploit can be used to compromise hundreds of thousands of applications and web sites. When an organisation is not aware of the open source in its software, it can’t defend against attacks targeting vulnerabilities in those open source components.
1. Why is open source used so extensively? What are the benefits?
Open source software is an essential element in application development worldwide. Its benefits in reducing dev costs, promoting innovation and accelerating time to market explain why open source often comprises more than 50 per cent of an application's code.
2. Please tell us about some of the biggest open source projects.
The Open Source Rookies of the Year awards annually recognise some of the most interesting open source projects. This year of special note were Amazon’s DSSTNE (pronounced “Destiny”) project, focused on establishing the most powerful deep learning framework and recommendation engine for e-commerce and enterprise; the [Lab41] Poseidon project, which aims to revolutionise network security; and Hyperledger Sawtooth, an enterprise distributed ledger (aka blockchain) project. In terms of popularity, in 2017 we found jQuery in over half of the commercial applications we audited.
3. Why do people and organisations contribute to open source?
Most organisations and individuals contribute to open source projects that they themselves use. And their primary reason for getting involved is because they want to make the software better. In the 2017 Open Source 360° Survey conducted by Black Duck, 86 per cent of respondents said that they participate in open source in order to fix bugs or add functionality to a project.
4. How secure is open source code versus commercial code?
Open source is not less secure (or more secure) than commercial software, and by now the open source vs commercial code security debate is moot. Both are software written by humans. That means there will be coding errors that can result in security vulnerabilities. In addition, commercial software contains so much open source that it’s difficult to find an application that doesn’t include open source. There are, however, characteristics of open source that make it attractive to attackers when vulnerabilities are disclosed. Briefly, when vulnerabilities are present in widely used open source components, and exploits are publicly available, it becomes a target-rich environment. Further, hackers know that organisations do not properly track the open source they use, nor the vulnerabilities reported in those components. Unlike commercial software, open source usually does not include a support contract. That means that open source users are responsible for tracking updates for security or functionality. If you aren’t aware of vulnerabilities in the open source you use, you become an easy target for attackers.
5. How can organisations that develop using open source code, best ensure the code they use is free from known vulnerabilities?
While open source was used in over 95 per cent of the commercial applications we analysed in 2016, many organisations lack even basic documentation and enforcement of open source policies that would help them mitigate risks. Every organisation developing code is likely using open source components in that code and should adopt open source management practices where the open source they use is fully inventoried; where that open source is mapped against known security vulnerabilities; and where they are continuously monitor for new threats as long as their applications remain in service.
6. Can you talk a little about any recent high profile cybersecurity breaches that occurred through a lack of attention to open source code security?
Equifax is, of course, the latest example. Their breach was due to a vulnerability in Apache Struts, a free, open source framework for creating web applications and widely used by Fortune 100 companies to build corporate websites. Organisations like Lockheed Martin, the IRS, Citigroup, Vodafone, Virgin Atlantic, Reader’s Digest, Office Depot, and ShowTime all have developed applications using the Struts framework. What exactly happened with Equifax is still unclear, but obviously through some series of unfortunate events they neglected to patch a vulnerable version of Struts, even though a patched version of the component was released at the same time the vulnerability was reported.
Perhaps not as high-profile, but in 2017 the UK's Information Commissioner's Office (ICO) imposed a £100,000 fine on Gloucester City Council over its failure to fix a weakness in the security of its website. According to the ICO, Gloucester City Council failed to ensure software it was using was updated to fix the 'Heartbleed' bug. Although council IT staff flagged the need to patch the open source component, that patch was never applied. The vulnerability was then exploited by a hacker to access sensitive personal information.
7. How can organisations as users of software applications check for open source code elements, check for any known vulnerabilities and patches?
Twenty years ago, a software parts list would have seemed ludicrous. All software was built from scratch, and every code base was unique. Today, with thousands of new vulnerabilities disclosed in open source each year, documenting the third-party components you’re using – a “bill of materials” in the manufacturing world – is a necessity from a security standpoint. The problem of defective parts was solved over 100 years ago by the auto industry and other manufacturers. An accurate bill of materials makes life a lot simpler, and your products more reliable. Understanding what “parts” your software teams use in each application is a requirement if you intend to defend your applications against attacks.
For example, when Heartbleed was disclosed in 2014, organisations were desperately trying to figure out where they used OpenSSL (and nearly everyone was using it someplace). It took days or weeks for many organisations to find the problem applications and systems, and we’re still seeing vulnerable applications today (almost 1.5 per cent of the on-demand audits Black Duck conducted in 2016 found Heartbleed). If those organisations had had a bill of materials for every application on hand, they could have looked up OpenSSL and seen every version in their application inventory, as well as which applications used what version of OpenSSL. With that information, they could determine exploitability and patch as needed.
8. Anything else you’d like to add?
Open source is here to stay. Black Duck’s most recent research found that open source comprised over a third of the average commercial application. In other words, to eliminate open source would require those organisations to either increase their developer ranks by 50 per cent, or increase their development timeframe by a similar amount. Neither of those options are viable in today’s economy. The risks posed by vulnerabilities can be easily mitigated by simply tracking the open source used in your applications, and monitoring those projects for reported vulnerabilities.
Mike Pittenger, VP of Security Strategy at Black Duck Software
Image Credit: Wright Studio / Shutterstock