Nearly a decade ago, Marc Andreessen wrote in the Wall Street Journal that software was “eating the world.” In this age of digital transformation, that is most certainly true. Software is now everywhere and in everything. Enterprises build more customer-facing, software-driven services than ever before, software bots are automating manual processes, and software plays an increasingly central role in every machine and device we use.
It can also be said that open-source software has been eating its share of the world. Today, open source is a cornerstone of enterprise software. Consider IBM’s recent $34 billion acquisition of Red Hat, or the successful initial public offerings of Elastic and MongoDB. Open-source software is found in virtually every enterprise, and enterprise software depends on open-source platforms and libraries.
This has a profound impact on security, and it has become a growing challenge for enterprises, one they have yet to get under control. Last year, Black Duck by Synopsys released its annual Open Source Security and Risk Analysis (OSSRA). The analysis examined anonymized data from 1,200 commercial codebases, including the open-source software and libraries they contain, and found that 60% of those codebases contained at least one vulnerability in an open-source component.
Perhaps the most famous example is the Equifax breach. In 2017, the consumer credit rating provider suffered an incident that exposed the personal information, including Social Security and driver’s license numbers, of 143 million consumers, nearly everyone in the United States with a credit report. The culprit? As detailed by most of the technical press at the time, including this reporting from TechCrunch, the company failed to patch a publicly known Apache Struts vulnerability (CVE-2017-5638) for which a fix had been available for months.
Of course, Equifax is far from the only company to fall short. In April 2018, security firm Flashpoint uncovered how e-commerce websites built on the widely deployed open-source Magento platform were being targeted with brute-force password attacks against their administration dashboards; once inside, the attackers planted code to steal credit card data. They were also installing cryptocurrency mining malware, something very popular at the time.
“Researchers at Flashpoint are aware of the compromise of at least 1,000 Magento admin panels and said that interest in the platform has continued unabated on entry-level and top-tier Deep & Dark Web forums since 2016. Attackers have also demonstrated continued interest in other popular e-commerce-processing content management systems such as Powerfront CMS and OpenCart,” Flashpoint researchers wrote at the time.
But it’s not just big open-source platforms such as Apache Struts and Magento that pose the challenge for enterprise open-source security. Consider Linux.
While Linux is a tiny percentage of the desktop operating system market, it is the operating system of choice for everything from IoT devices to the vast majority of web servers.
With the rise of agile development methodologies and DevOps practices, enterprise teams have turned to more open-source development environments and the libraries that come with them. Recently, software security firm Veracode released a report analyzing the open-source libraries used by 85,000 applications, covering 351,000 unique external libraries.
Of course, these are not components that enterprise developers write themselves; they are components developers rely on to build their applications and systems. Often, developers do not even know which open-source libraries they depend on, because a library they choose pulls in further libraries of its own. When those libraries become system and application dependencies and vulnerabilities are later identified in them, considerable risk is introduced into the enterprise.
The more encouraging finding from Veracode is that such flaws can usually be fixed with an update that already exists. The study found that 96% of broken authentication flaws could be remedied with a patch, and the same was true for 90% of cross-site scripting vulnerabilities and 90% of broken access control vulnerabilities.
The open-source security challenge has been ongoing. Back in 2016, Sonatype released its State of the Software Supply Chain Report. In an interview at the time, Mayhew, a director at Sonatype, said that what initially surprised him about the report was how prevalent open-source components are in modern software. “Another thing that surprised me was the lack of visibility and control that security, legal, and architecture teams have over their consumption of open source components. I think the last thing that surprised me was that some of the public open-source repositories are mutable in that they allow changing of the bits for a specifically versioned and published component or that they allow the removal of published artifacts. Those were the three big surprises for me,” he said.
Mayhew then also cited the importance of open-source software security. “Open source components are everywhere, across all languages. Ecosystems that house open-source components sometimes have very little control over the software within their own repositories. If you were building a swing-set for your kids, would you want the generic bolts from the Dollar Store or would you want a higher-grade bolt from the hardware store,” he said.
Mayhew was right then, and he’s just as right today.
What should security teams do to secure their open-source software, including libraries? Mostly, make sure the basics are covered: assess and catalog which open-source software and libraries are in place, including the ones pulled in indirectly, track their versions, and make sure they are patched and up to date.
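The two practical points above, the mutable-registry problem Mayhew describes and the inventory-track-patch basics just listed, as an added example that is not code from the article or from any vendor it cites. It assumes an npm package-lock.json in the lockfileVersion 3 layout and a constructed advisory list; the package names, versions, tarball bytes, hashes and advisory ids are all hypothetical. It flattens every installed package, direct or transitive, into an inventory, flags versions that fall inside an advisory's affected range, and recomputes a downloaded tarball's hash against the integrity value pinned in the lockfile so that changed bits on the registry side are caught rather than installed.

```python
"""Inventory transitive npm dependencies, match them against advisories, and
verify pinned integrity hashes.  Added example; constructed inputs throughout."""
import base64
import hashlib
import hmac
import json
import re


def _sha512_sri(data: bytes) -> str:
    """Subresource-Integrity string in the form npm writes: 'sha512-' + base64(digest)."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()


# Constructed stand-ins for the tarballs the registry would serve (hypothetical packages).
WEB_FRAMEWORK_TGZ = b"constructed tarball bytes: web-framework 2.1.3"
TEMPLATE_ENGINE_TGZ = b"constructed tarball bytes: template-engine 1.4.2"

# Constructed lockfile.  The app names only "web-framework"; "template-engine"
# arrives transitively, which is exactly the dependency a team tends not to know about.
LOCKFILE_JSON = json.dumps({
    "name": "shop-frontend",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"web-framework": "^2.1.0"}},
        "node_modules/web-framework": {
            "version": "2.1.3",
            "integrity": _sha512_sri(WEB_FRAMEWORK_TGZ),
            "dependencies": {"template-engine": "^1.4.0"},
        },
        "node_modules/template-engine": {
            "version": "1.4.2",
            "integrity": _sha512_sri(TEMPLATE_ENGINE_TGZ),
        },
    },
})

# Constructed advisories (hypothetical ids and ranges), shaped like a feed entry:
# affected range expressed as comma-separated comparators, plus the first fixed version.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "name": "template-engine", "affected": "<1.4.5", "fixed": "1.4.5"},
    {"id": "EXAMPLE-0002", "name": "web-framework", "affected": ">=1.0.0,<2.0.0", "fixed": "2.0.0"},
]

_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, ">": lambda a, b: a > b,
        ">=": lambda a, b: a >= b, "==": lambda a, b: a == b}


def _semver(v: str) -> tuple:
    """'1.4.2' -> (1, 4, 2); a pre-release suffix after '-' is ignored for this example."""
    return tuple(int(x) for x in v.split("-")[0].split("."))


def _matches(version: str, spec: str) -> bool:
    """True if every comparator clause in spec holds for version."""
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|<|>)\s*([\d.]+)\s*", clause)
        if not m:
            raise ValueError(f"bad comparator: {clause!r}")
        if not _OPS[m.group(1)](_semver(version), _semver(m.group(2))):
            return False
    return True


def inventory(lockfile_json: str) -> list:
    """Flatten every installed package, direct or transitive, into a list of records.
    Records are keyed by install path, so nested duplicate versions are kept, not merged."""
    lock = json.loads(lockfile_json)
    direct = set(lock["packages"].get("", {}).get("dependencies", {}))
    records = []
    for path, meta in lock["packages"].items():
        if not path:
            continue  # the empty key is the application itself
        name = path.rsplit("node_modules/", 1)[-1]  # keeps @scope/name intact
        records.append({"name": name, "version": meta["version"], "path": path,
                        "integrity": meta.get("integrity"), "direct": name in direct})
    return records


def find_vulnerable(records: list, advisories: list) -> list:
    """Return one hit per (package, advisory) pair whose installed version is in the affected range."""
    hits = []
    for rec in records:
        for adv in advisories:
            if adv["name"] == rec["name"] and _matches(rec["version"], adv["affected"]):
                hits.append({"name": rec["name"], "version": rec["version"], "id": adv["id"],
                             "fixed": adv["fixed"], "direct": rec["direct"]})
    return hits


def verify_integrity(sri: str, tarball: bytes) -> bool:
    """Recompute the hash pinned in the lockfile; a mismatch means the published
    bits changed (registry mutability or tampering) and the artifact must not be used."""
    algo, _, expected = sri.partition("-")
    if algo not in hashlib.algorithms_available:
        raise ValueError(f"unsupported integrity algorithm: {algo}")
    actual = base64.b64encode(hashlib.new(algo, tarball).digest()).decode()
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    recs = inventory(LOCKFILE_JSON)
    for h in find_vulnerable(recs, ADVISORIES):
        kind = "direct" if h["direct"] else "transitive"
        print(f"{h['name']}@{h['version']} ({kind}) hit by {h['id']}; upgrade to {h['fixed']}")
    te = next(r for r in recs if r["name"] == "template-engine")
    print("template-engine tarball matches lockfile:", verify_integrity(te["integrity"], TEMPLATE_ENGINE_TGZ))
```

Run against a real lockfile, the inventory is the catalog the paragraph asks for; the advisory match is what tools such as `npm audit` automate against a live feed, and the integrity check is what `npm ci` performs from the same `integrity` field. Keeping the check in your own pipeline matters when artifacts are mirrored or cached outside the package manager, where a silently replaced tarball would otherwise pass unnoticed.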
Of course, the news with open source and security isn’t all bad: open source software can be secured, especially if the community is dedicated to finding and fixing software flaws in a timely fashion.