Open Source Security Issues You Should Be Aware Of

Open source software forms a part of virtually all organizations’ software, and while there is nothing inherently insecure about using free code in applications, there are open source security issues that need to be considered and addressed. In this article, we detail open source security issues associated with libraries, frameworks, and processes you need to be aware of and may need to address.

Open Source is Everywhere

Just a few years ago, it was relatively rare for companies to incorporate open source code into software products, but times have certainly changed. Business applications need to be developed quickly to remain competitive and it is simply not feasible to develop each application from scratch. It is also unnecessary when perfectly good code is available for free that provides the required functionality.

Today, across all industry sectors, 98% of businesses have incorporated open source software components into their applications and products, and open source makes up 75% of organizations’ codebases. While it is cost-effective to use open source code, it is not without risk.

Open Source Security Issues You Should Be Aware Of

Incorporating third-party code into a business application can introduce vulnerabilities. The vulnerabilities could potentially be identified and exploited by cyber threat actors to steal sensitive data or conduct cyberattacks that could cripple a business. The use of open source software also has the potential to expose businesses to legal risk. With that in mind, we have listed four open source security issues you need to be aware of.

Open Source Vulnerabilities are in the Public Domain

Vulnerabilities can be found in virtually all software, regardless of whether it is proprietary or open source. However, the very nature of open source means vulnerabilities are in the public domain. Everyone has access to open source code, which means good and bad actors can discover vulnerabilities. When vulnerabilities are identified, they are generally made available to the open source community quickly and are promptly added to the National Vulnerability Database (NVD). Proof-of-concept exploits are often published, which could be weaponized and used to attack companies that fail to update their software promptly.

While hackers could check the source code to identify vulnerabilities they can exploit, it is far easier to just check the NVD and target companies that are slow to update their open source components. Hackers pay particular attention to vulnerabilities in open source components as they know many companies are slow to update them.

One of the most striking examples of an open source security issue being exploited was the Equifax breach in 2017. Hackers determined that Equifax was running a vulnerable version of the Apache Struts open source framework and exploited the vulnerability to steal the personal data of 143 million individuals.

Open Source Code Quality Issues

When developing software from scratch, there are often quality control processes in place to ensure best practices have been followed and all proprietary code is of high quality. There is a tendency for developers to assume open source code has been checked by the open source community, and less effort goes into quality control. Just because code is available to the community does not mean checks have been performed. The failure to perform checks on the quality of open source components can place the security of an entire application at risk.

Open Source Code Can Quickly Become Out of Date

Open source libraries are constantly evolving, and while they may be secure when first incorporated, they do not always remain that way. In 2021, Veracode conducted 13 million scans of 86,000 repositories containing 301,000 unique libraries and found the majority contained at least one security flaw. In 79% of cases, developers were found never to have updated the open source libraries incorporated into their codebases. These findings are backed up by the Synopsys Cybersecurity Research Center (CRC). Audits conducted using its vulnerability scanning solutions found 84% of commercial codebases contained at least one vulnerability, and 60% of the vulnerabilities were rated high-risk and could be remotely exploited by cyber actors. CRC also found 91% of codebases included open source dependencies that had seen no development activity for two years, and 85% had out-of-date dependencies. On average, the dependencies were 4 years out of date.

Compliance Risks

Open source software can be used free of charge, but many open source projects can only be used under the terms of a license. There are more than 200 different license types, and the terms of those licenses can be confusing, especially when multiple open source components are used. Keeping track of licensing and ensuring compliance can be a major headache. The CRC analysis found 65% of audited codebases had licensing conflicts, and 26% of codebases were using open source components with no license or a customized license, which places companies at risk of litigation. Further, it is now increasingly common for lawsuits to be filed over open source license violations.

Management of Open Source Security Issues

It is imperative to be aware of the above open source security issues and to take steps to reduce risk. Open source code is incredibly useful but best practices need to be followed and risk needs to be managed effectively. By being proactive and addressing these risks, costly data breaches, destructive cyberattacks, and lawsuits can be avoided.

It is vital to maintain an inventory of all open source components, as it is easy to forget where open source components have been incorporated. All open source components will need to be updated when vulnerabilities are identified and new versions are released. Without a comprehensive and accurate inventory, this will be impossible.

Addressing the above open source security issues can be difficult and time-consuming, so automation is key. Take advantage of software composition analysis (SCA) tools: they track the open source code in your applications, continuously scan it for security vulnerabilities, and automate the arduous process of identifying potential licensing issues, reducing legal risk.
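To make the inventory-and-scan advice concrete, here is an added example (not from the article or any particular SCA product) of the core checks such a tool automates: comparing each inventoried component against vulnerability advisories and a license policy. All component names, versions, advisories and the license policy are constructed stand-ins, and versions are assumed to be plain dotted integers.

```python
# Minimal inventory audit: the checks an SCA tool automates, on constructed data.
from dataclasses import dataclass

@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str  # "" models a component shipped with no license at all

@dataclass(frozen=True)
class Advisory:
    name: str
    fixed_in: str  # first version that is no longer affected
    severity: str

def parse_version(v: str) -> tuple[int, ...]:
    """Turn '2.3.10' into (2, 3, 10) so versions compare numerically.
    A plain string compare would wrongly rank '2.3.9' above '2.3.10'."""
    return tuple(int(part) for part in v.split("."))

def is_affected(component: Component, advisory: Advisory) -> bool:
    """A component is affected when it is older than the advisory's fixed version."""
    return (component.name == advisory.name
            and parse_version(component.version) < parse_version(advisory.fixed_in))

# Constructed inventory: what the application actually ships (names are placeholders).
INVENTORY = [
    Component("example-web-framework", "2.3.9", "Apache-2.0"),
    Component("example-json", "1.8.0", ""),
    Component("example-crypto", "3.1.2", "GPL-3.0-only"),
]
# Constructed advisories: a stand-in for entries pulled from a feed such as the NVD.
ADVISORIES = [
    Advisory("example-web-framework", "2.3.10", "critical"),
    Advisory("example-crypto", "3.0.0", "high"),  # 3.1.2 already carries the fix
]
# Constructed policy: licenses this proprietary product must not incorporate.
DISALLOWED_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}

def audit(inventory, advisories, disallowed) -> list[str]:
    """Return one finding per vulnerable, unlicensed or policy-violating component."""
    findings = []
    for c in inventory:
        for a in advisories:
            if is_affected(c, a):
                findings.append(f"VULN {a.severity}: {c.name} {c.version} < fixed {a.fixed_in}")
        if not c.license:
            findings.append(f"LICENSE: {c.name} has no license")
        elif c.license in disallowed:
            findings.append(f"LICENSE: {c.name} uses disallowed {c.license}")
    return findings
```

Running `audit(INVENTORY, ADVISORIES, DISALLOWED_LICENSES)` yields one vulnerability finding and two license findings; without an accurate inventory none of them could be produced.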