Nov 5

A few words about Open Source Security…

When most software developers think about open source software (OSS), they think of reusable, well-tested, widely available, and mostly free-to-use software for almost any purpose. After all, why re-invent the wheel? While most of this is true, many people are now aware that there are some important risks and obligations that go along with using OSS.

You may have heard about the issues with certain OSS licenses, such as the GPL, and the risk to your intellectual property. This is still a concern, but there is a much larger threat that is now top of mind for most engineers and companies: the risk of OSS security vulnerabilities. This is not a new problem; in fact, it has been around for many years. With the recent security breach at Equifax and the resulting loss of huge amounts of highly sensitive data, potentially affecting millions of people, this is a problem that virtually all organizations now recognize as critical to address.

What if you already have a tool that parses your source code and finds vulnerabilities? That's a good first step, but scanning the huge amounts of open source you are likely using is unnecessary and inefficient. Fortunately, most vulnerabilities in widely used OSS are already known and are catalogued in the National Vulnerability Database, which contains a list of Common Vulnerabilities and Exposures (CVE). Each CVE entry describes the vulnerability and also tells you whether it is fixed in a later version of the OSS component. So all you need is an accurate list of OSS components and versions, and you can easily find any known vulnerabilities in the open source you are using.

So what happened with Equifax? They use the Apache Struts open source package as part of their platform, and an older version of Struts has a known vulnerability. A newer version of Struts that fixed the problem had been available for months, so Equifax could have easily prevented the breach before it ever occurred if they had known about the risk and taken action in time. It was as simple as knowing what OSS they were using and updating a component to a newer version that had already been released.
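The check described above, an inventory of components and versions matched against a catalogue of known vulnerabilities with their fixed versions, as an added example that is not part of this post. The catalogue, component names, versions and CVE-style identifiers are all constructed placeholders, and the version parser assumes plain dotted numeric versions (a real check would query the NVD or a vendor feed and use a full version-scheme parser).

```python
# Added example: match an OSS component inventory against a catalogue of
# known vulnerabilities, reporting the fixed version to upgrade to.
# All advisories, component names and versions below are constructed
# placeholders, not real CVE records.
from dataclasses import dataclass
from typing import Optional


def parse_version(v: str) -> tuple:
    """Turn '2.3.15' into (2, 3, 15) so versions compare numerically.
    Assumes plain dotted numeric versions; suffixes like '-rc1' are not handled."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Advisory:
    cve_id: str              # placeholder ids, not real CVE numbers
    component: str
    affected_min: str        # first affected version (inclusive)
    fixed_in: Optional[str]  # first fixed version, or None if no fix is released yet

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        if v < parse_version(self.affected_min):
            return False
        # With no fix released, every version from affected_min upward is affected.
        return self.fixed_in is None or v < parse_version(self.fixed_in)


# Constructed catalogue (hypothetical components, versions and ids).
CATALOGUE = [
    Advisory("CVE-EXAMPLE-0001", "example-web-framework", "2.3.0", "2.3.32"),
    Advisory("CVE-EXAMPLE-0002", "example-web-framework", "2.5.0", "2.5.13"),
    Advisory("CVE-EXAMPLE-0003", "example-xml-parser", "1.0.0", None),
]


def find_known_vulnerabilities(inventory: dict) -> list:
    """inventory maps component name -> version in use (the accurate list of
    components and versions the post says you need, including transitive ones).
    Returns (component, version, cve_id, fixed_in) for every matching advisory."""
    findings = []
    for component, version in sorted(inventory.items()):
        for adv in CATALOGUE:
            if adv.component == component and adv.affects(version):
                findings.append((component, version, adv.cve_id, adv.fixed_in))
    return findings


if __name__ == "__main__":
    # Constructed inventory: one outdated framework, one parser with no fix yet.
    sample = {"example-web-framework": "2.3.15", "example-xml-parser": "1.2.0",
              "example-logging": "4.0.1"}
    for comp, ver, cve, fix in find_known_vulnerabilities(sample):
        action = f"upgrade to {fix}" if fix else "no fixed version yet; mitigate or replace"
        print(f"{comp} {ver}: {cve} -> {action}")
```

A component with no fixed version still appears in the report, since that is exactly the case where a team has to decide on a mitigation rather than a simple upgrade.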

Auditing your code to find OSS vulnerabilities is not a complete solution to cybersecurity, but it is a very important part of an overall strategy to protect your products and cloud-based services from being hacked, and in turn to protect your business and reputation as well.

Jeff Shapiro