In the case of Salt, the vulnerabilities were actively exploited within days of it being patched, before several prominent users of the tool noticed the issue and installed the fix. Real life examples include typosquatting Python libraries stealing SSH and GPG keys and critical vulnerabilities found in SaltStack’s open-source event-based IT automation and configuration management tool Salt.
Without knowing that a down-stream open source library is vulnerable or has a fix available, vulnerabilities may remain lurking in code for years, waiting for hackers to exploit. This is not limited to the vulnerabilities themselves, 90% of which are fixed in a timely manner. The main culprit in security breaches lies in the difficulty of tracking hundreds of dependencies used by open source libraries developers rely on. Add to that the fact that 7 in 10 applications have a security flaw in an open source library, while attacks targeting open source components have risen by 430%. In 2019, 968 new vulnerabilities were assigned a CVE (Common Vulnerabilities and Exposures) designation, up from 421 in 2018 – a 224% increase year over year. Why is open source security important now more than ever?Īs use of open source libraries spread, the number of vulnerabilities discovered has grown significantly. Beyond exploits in the code itself, there are other risks of forked repositories with intentionally vulnerable code masquerading as the original repository, as well as abandoned repository take-overs. How often the code is audited for vulnerabilities is a complete unknown and almost certainly not a part of any formal process.ĭependencies in an open source library may integrate code from other open source libraries which themselves may be vulnerable. In addition, they are often maintained by a single developer or a small team of “volunteer” developers (if not abandoned altogether ). Unlike open source libraries maintained by internet giants, most open source libraries targeting specific features may not be designed with security in mind.
Why are open source libraries particularly vulnerable to cyber attacks?
Scan for license compliance issues, verifying open source licenses are compatible with the project’s license and suggesting alternatives whenever required.Review code, both manually and by using automated workflows.Detect and block attacks from within the application itself through runtime application self-protection ( RASP).Analyse runtime usage, tracking potential OSS vulnerabilities by measuring the application’s behavior.Reduce use of multiple libraries that offer similar functionality by standardizing the libraries available to developers on a project.Track library dependencies required for OSS code integration to ensure no code of unknown origin is introduced into the project by a dependency.Limit exposure by prioritizing OSS libraries which pose the least risk.
Create a Software Bill of Materials (SBOM), a list of OSS components and libraries integrated into the end product.The role of DevSecOps includes a number of functions and tasks that covers both pre and post development stages: As a result, the need to proactively monitor projects for continuous integration (CI) and continuous delivery (CD) through DevSecOps (development security operations) has become vitally important. More and more software companies integrate open source into their code. Moreover, with the transparency of open code comes the risk of many eyes looking for vulnerabilities to exploit (and potentially weaponize).
FOSS is rarely well documented or tested.
However, nothing in life is perfect, and open source solutions are no exception. Not to mention the added value of fewer and faster bug fixes, open standards and of course – community support.
What you do not want is to waste time re-inventing the wheel by writing your own implementation of code that others have previously released as open source. Lets face it, when developing software you want to keep costs down and deliver fast. What is open source code security (and whose job is it anyway)? There are also risks to open source code, with security and compliance being two of the top factors. The reasons are clear – it’s cost effective, it offers quick feature integration, ease of access and is often maintained by others. And it’s only becoming more common as over 90% of developers acknowledge using open source in their development pipeline.