Open Source Security Management
Developers often use open source code in their applications to speed up application development. There is no need to reinvent the wheel. If code is available that serves a particular purpose it makes sense to use it. However, opting to use open source components is not without risk, and without effective open source security management, applications and data could be put at risk.
Vulnerabilities can exist in any code. After all, code is code regardless of whether it is public or private. When vulnerabilities exist in proprietary code, they generally remain hidden until they are identified by the developer or security researchers – or hackers who have been probing for vulnerabilities.
When flaws of interest are identified by hackers, especially those that allow privilege escalation, information disclosure, or remote code execution, exploits may be developed and will continue to be used until the malicious activity is discovered. Since the source code is proprietary, the discovery of exploited zero-day vulnerabilities is largely reliant on security researchers investigating the closed source software or the developer conducting code reviews. Zero-day flaws could be exploited for months or years before the activity is discovered.
With open source, the code is public; and due to bug bounty programs often associated with open source software many eyes will likely be examining the code and looking for vulnerabilities. As with flaws in proprietary code, exploits may be developed although flaws do tend to be addressed quickly in open source code as there is generally an active community of users. A vulnerability in a popular open source project could affect several thousand software solutions that have incorporated the vulnerable section of code, but with effective open source security management, vulnerabilities can be identified and addressed before the flaws can be exploited.
Identifying Vulnerabilities in Open Source Code
Vulnerabilities can exist in proprietary and open source code; however, with open source, vulnerabilities are more likely to be found quickly since the code is available for all to review. Generally speaking, that code is regularly reviewed by developers and security researchers and when flaws are identified they are reported to the project owner, and fixes are often developed by the user community. Finding vulnerabilities in millions and millions of lines of code is a time-consuming process. Hackers will generally not invest the time looking for flaws, but they will take advantage of vulnerabilities that have already been discovered and made public, especially when proof-of-concept exploits exist in the public domain.
When vulnerabilities are identified in proprietary software, they are added to the National Vulnerability Database (NVD) along with information on how the flaws can be exploited. With open source, the distributed nature of the project means those vulnerabilities will not always be listed in a single place. The problem for developers that have incorporated open source components into their applications is they will need to ensure components identified as vulnerable are securely updated to the latest version, which means developers need to be constantly monitoring for updates to the open source code.
Identifying all vulnerabilities in open source components can be a major challenge, especially if developers do not have full visibility into the components that have been incorporated into their applications. Since between 60% and 80% of code in modern applications is open source, it is easy for open source code sections to be overlooked.
Open Source Security Management
Open source security management is about continuously monitoring for vulnerabilities in open source code and ensuring those vulnerabilities are rapidly addressed. Keeping track of a small batch of open source code and applying updates is not a major task as manual checks can be performed and updates applied periodically. However, if a large percentage of the code is open source, open source security management can be a major headache. Fortunately, there are vulnerability management tools that can be used to automate the process.
Many tools are available for automating software testing to identify coding and design flaws that could cause performance issues, and penetration testing tools that can identify exposed interfaces and flaws that could be exploited remotely to access applications and data, but these tools will not identify vulnerabilities in open source code.
To identify vulnerabilities in open source code it is necessary to conduct a Software Composition Analysis (SCA). SCA tools can be used to scan applications for open source components and provide visibility into the open source code that has been used in an application.
Modern applications have a high percentage of open source components and full visibility into those components is essential. SCA tools can identify licensing issues with open source code, allowing organizations to avoid compliance problems. SCA tools also automate the process of identifying vulnerabilities in open source components and are therefore invaluable tools for open source security management.
Several commercially available SCA tools can be used for open source security management by development teams. These tools will identify and prioritize issues that need to be addressed and, in some cases, may also be able to automatically remediate issues as they are identified.
Since these open source security management tools draw data from a variety of sources, they can be used to identify vulnerabilities in open source components even before flaws have been added to the NVD, which means action can often be taken to address vulnerabilities before hackers scan for vulnerabilities to exploit.
Provided these tools are used, open source code can be used with confidence and will accelerate application development. However, if open source security management is not effective, vulnerabilities are likely to be introduced in open source components that could easily be exploited and it is likely to only be a matter of time before a malicious actor does just that.