Open source: it's not the code, it's people

Fred Bals Sr, Content Strategist, Black Duck by Synopsys

The need for open source security management became front-page news last year thanks to a major data breach at one of the world’s largest credit reporting agencies, Equifax.

Equifax maintains a vast amount of sensitive personal and financial information for residents of North America and the United Kingdom. It also used Apache Struts in its online disputes portal web application, and for reasons still unclear, the vulnerable version of Struts in that portal was not patched, even though Equifax was aware of the need to do so.

The 2017 Equifax breach ended up compromising the personal information of over 148 million U.S. consumers, nearly 700,000 U.K. residents, and more than 19,000 Canadian customers.

The vulnerability’s disclosure in March 2017 and the news of the Equifax breach in September did little to prompt other organisations to check their own applications for the same Struts vulnerability.

Of the codebases audited for the 2018 Open Source Security and Risk Analysis (OSSRA) report, 8% were found to contain Apache Struts, and of those, a third still contained the Struts vulnerability that led to the Equifax breach.

That’s just one of the findings from the anonymised data of over 1,100 commercial codebases of 500+ customers audited in 2017 by the Black Duck by Synopsys On-Demand team. The OSSRA report is designed to provide an in-depth look at the state of open source security, license compliance, and code-quality risk in commercial software.

Probably the biggest takeaway from this year’s OSSRA report is that many companies are doing a poor job of keeping the open source components in their software patched and up-to-date.

Open source is pervasive. So are unpatched open source vulnerabilities

Open source is pervasive in codebases across every industry represented in the OSSRA report, including the automotive, big data, cybersecurity, enterprise software, financial services, healthcare, Internet of Things (IoT), manufacturing, and mobile app markets. The OSSRA study found open source components in 96% of the applications scanned last year, with an average of 257 open source components per codebase.

Seventy-eight per cent of the codebases examined contained at least one unpatched vulnerability, with an average of 64 known vulnerabilities per codebase. In the Internet of Things, where 77% of the code was found to be open source, the audits found an average of 677 vulnerabilities per application.

Seventeen per cent of the audited codebases contained a named vulnerability, such as Heartbleed, DROWN, or POODLE. POODLE was found in 8% of the codebases scanned, FREAK and DROWN in 5% each and – discouragingly – Heartbleed in 4% of the scanned codebases, even after several well-publicised exploits.

Over four years after its disclosure, a number of organisations are still exposed to the Heartbleed bug, a flaw in OpenSSL’s TLS heartbeat extension that lets an unauthenticated attacker read chunks of server memory, including private keys, session cookies and other data that the TLS connection was supposed to protect.

In one example that demonstrates the consequences of not patching software, a six-figure fine was issued in 2017 to Gloucester City Council because the council failed to ensure open source software it was using was updated to fix the Heartbleed vulnerability. An attacker was able to download over 30,000 emails from a senior officer’s mailbox containing financial and sensitive personal information on past and current employees.

The lesson to be learned is that every organisation should include open source identification and management in its application security program, especially with the General Data Protection Regulation (GDPR) now in effect. GDPR requires every company that processes or holds the personal data of individuals in the EU to protect that data – regardless of where it is sent, processed, or stored – and to be able to demonstrate that protection on request. In addition to examining custom source code for vulnerabilities, make sure the open source you use is not introducing known but unpatched vulnerabilities that could place your organisation in breach of GDPR.

You can’t 'fire and forget' with open source

Open source is not less secure than proprietary code. But neither is it more secure. All software has vulnerabilities, whether proprietary or open source. The open source community does an exemplary job of discovering and reporting vulnerabilities (over 4,800 reported in 2017 alone), as well as issuing patches, usually at the same time as the public disclosure. But an alarming number of companies simply aren’t applying those patches.

Unlike commercial software, where the vendor typically pushes updates to its users, open source works on a pull support model: you are responsible for knowing which components and versions you ship, for tracking the vulnerabilities disclosed against them, and for pulling in the fixes. If you don’t have processes and policies in place for open source management – especially for identifying and patching known vulnerabilities in open source components – you’re not doing your job.
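The pull model above boils down to two steps that can be automated: build an inventory of the open source components you actually ship, then match each one against a list of known vulnerabilities with their affected version ranges. The following is an added example written for this article, not Black Duck or Synopsys code and not a substitute for a real SCA tool: it reads a Maven pom.xml (a constructed sample, not Equifax’s), and checks each dependency against a hand-transcribed vulnerability list containing only the Struts entry for CVE-2017-5638, the flaw exploited in the Equifax breach (affected 2.3.5 through 2.3.31 and 2.5 through 2.5.10, fixed in 2.3.32 and 2.5.10.1). The version comparison is a simplified numeric one and is labelled as such; it is not Maven’s full comparator.

```python
"""Minimal software-composition check: inventory Maven dependencies and match
them against a known-vulnerability list with affected version ranges.
Added illustration for the article; not a product's code."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample pom.xml for the demo (not taken from any real project).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>disputes-portal</artifactId>
  <version>1.0</version>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>2.3.31</version>
    </dependency>
    <dependency>
      <groupId>commons-io</groupId>
      <artifactId>commons-io</artifactId>
      <version>2.6</version>
    </dependency>
  </dependencies>
</project>
"""

# Hand-transcribed, single-entry vulnerability list. A real check would pull
# this from the NVD or a commercial feed and refresh it continuously.
VULN_DB = [
    {
        "id": "CVE-2017-5638",           # Struts 2 Jakarta multipart parser RCE
        "group": "org.apache.struts",
        "artifact": "struts2-core",
        "affected": [("2.3.5", "2.3.31"), ("2.5", "2.5.10")],  # inclusive ranges
        "fixed_in": ["2.3.32", "2.5.10.1"],
    },
]


@dataclass(frozen=True)
class Dependency:
    group: str
    artifact: str
    version: str


def parse_version(v):
    """Dotted numeric version -> tuple of ints. A trailing qualifier such as
    '-SNAPSHOT' or '-beta' is dropped; non-numeric parts count as 0. This is a
    simplification, not Maven's full version ordering."""
    core = re.split(r"[-+]", v, maxsplit=1)[0]
    return tuple(int(p) if p.isdigit() else 0 for p in core.split("."))


def in_range(version, lo, hi):
    """Inclusive range test; shorter tuples are zero-padded so that
    2.5.10.1 sorts after 2.5.10 and 2.5 equals 2.5.0."""
    v, a, b = (parse_version(x) for x in (version, lo, hi))
    n = max(len(v), len(a), len(b))
    pad = lambda t: t + (0,) * (n - len(t))
    return pad(a) <= pad(v) <= pad(b)


def inventory(pom_xml):
    """Direct dependencies declared in a pom.xml with an explicit version.
    Versions inherited from a parent or dependencyManagement section would
    need the parent POM resolved and are skipped here."""
    ns = {"m": "http://maven.apache.org/POM/4.0.0"}
    root = ET.fromstring(pom_xml)
    deps = []
    for d in root.findall("m:dependencies/m:dependency", ns):
        g = d.findtext("m:groupId", namespaces=ns)
        a = d.findtext("m:artifactId", namespaces=ns)
        v = d.findtext("m:version", namespaces=ns)
        if g and a and v:
            deps.append(Dependency(g.strip(), a.strip(), v.strip()))
    return deps


def vulnerabilities_for(dep, db=VULN_DB):
    """IDs of every database entry whose coordinates match and whose affected
    ranges include the dependency's version."""
    hits = []
    for entry in db:
        if (entry["group"], entry["artifact"]) != (dep.group, dep.artifact):
            continue
        if any(in_range(dep.version, lo, hi) for lo, hi in entry["affected"]):
            hits.append(entry["id"])
    return hits


def audit(pom_xml, db=VULN_DB):
    """Map 'group:artifact:version' -> list of matching vulnerability IDs."""
    return {f"{d.group}:{d.artifact}:{d.version}": vulnerabilities_for(d, db)
            for d in inventory(pom_xml)}


if __name__ == "__main__":
    for coords, ids in audit(SAMPLE_POM).items():
        print(coords, "->", ", ".join(ids) if ids else "no known issues")
```

Run against the sample POM this flags struts2-core 2.3.31 and clears commons-io; bumping Struts to 2.3.32 or 2.5.10.1 clears it too, which is the whole point of the check: the inventory tells you what you ship, the range match tells you which of it is known-bad, and the fixed-in version tells you what to pull. The two things a real process adds are transitive dependencies (which a manifest alone does not show) and a vulnerability feed that is refreshed continuously rather than transcribed once.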

You can read the full 2018 Open Source Security and Risk Analysis report here. 

Fred Bals is the senior content strategist at Synopsys. He is an experienced, versatile, and passionate writer with an extensive history of developing and managing innovative marketing communications programs.