Flaws in open-source software pose big risks to companies that use it

Organizations can avoid an Equifax-type hack by taking security action now


A major takeaway from the Equifax debacle that hasn’t gotten enough attention is this: The massive data theft happened because of a vulnerability in an open-source component, which the credit bureau failed to lock down.

Remember Heartbleed and Shellshock, the two massive security flaws discovered in open-source internet protocols back in 2014? The waves of network attacks that preyed on those flaws showed how open-source protocols—which over the years have become so widely used in business networks—actually comprise a ripe attack vector just waiting to be exploited.


The hackers leveraged a vulnerability in something called Apache Struts, an open-source application framework that supports the credit bureau’s web portal. It is widely used by developers of Fortune 100 companies to build web applications. In Equifax’s case, hackers used the flaw to access and remove copies of files for over two months, between May 13 and July 30, 2017.

When it seemed like the breach couldn’t get any worse for Equifax, the company also revealed that they knew about the vulnerability and tried to patch it in March.

Jeff Williams, Contrast Security co-founder and CTO

Vulnerabilities are common

As Jeff Williams, co-founder and CTO of Contrast Security explains, “Essentially, an attacker could send a single HTTP request—just like the ones your browser sends—except with a specially crafted header that contains the attack. Through a series of unfortunate events, the Struts framework treats this header as an expression, effectively running the attacker’s code on the server.”

Attackers were able to weaponize the vulnerability and use it to take over an entire web host with a single request. And Struts is just one in a long line of open-source vulnerabilities.

Vulnerabilities in open source are discovered constantly. In fact, in the same week as the Equifax breach, two new Struts vulnerabilities were detected. They were both extremely serious and will require companies to update their software.

While open source is no less secure than commercial code, most companies lack the visibility into and control over the open-source code they use, according to Mike Pittenger, vice president of security strategy at Black Duck.

Mike Pittenger, Black Duck vice president of security strategy

“Last year, Black Duck’s Center for Open Source Research & Innovation (COSRI) analyzed more than 1,000 applications that were audited as part of Merger & Acquisition transactions. The COSRI audit analysis found that while 96 percent of the applications contained open-source software, more than 60 percent of those applications contained known open-source security vulnerabilities,” he says.

Open-source flaws are an open secret

Additionally, the COSRI analysis showed that 83 percent of audited applications in the retail and e-commerce industries contained high-risk known open-source vulnerabilities. On average, the open-source vulnerabilities identified in the audited applications had been publicly known for more than four years.

Even when issues are known and patches have been created, most companies are unaware that they are even using open source in the first place, let alone that there is a fix available.

Williams agrees. “Many organizations simply have not realized the importance of keeping open-source software up to date. Over the past few years, the issue has become increasingly important as the use of libraries has continued to skyrocket. There’s nothing particularly complicated about this issue. You just have to check to see if your libraries have any known vulnerabilities.”

While this sounds straightforward, Williams does highlight some issues. Namely that:

• There isn’t a good list of vulnerabilities
• It’s not easy to know what libraries you are using
• You can’t rely on the file names of libraries
• The vast majority of applications are “legacy applications” that are not under active development.

Ultimately, even Fortune 100 companies struggle to stay on top of their open-source security.

What companies can do

According to Pittenger, this starts with companies developing and implementing “automated processes to scan their applications for open source, create a library of their open-source components, and then map that open source to open-source vulnerability databases.”

Of course, this may be impractical or impossible for companies to undertake themselves. Both Contrast and Black Duck offer solutions that protect companies from these kinds of vulnerabilities and ensure the safety of open-source code.

Companies need to come to grips with open-source vulnerabilities. The choice is clear—take action against open-source vulnerabilities today or face becoming the Equifax of tomorrow.
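As an added illustration (not code from the article, nor from Contrast or Black Duck), the script below sketches the three steps Pittenger describes and also addresses the earlier point that library file names cannot be trusted: it fingerprints each bundled artifact by content hash, resolves the hash against a catalogue of known component builds, and maps the resolved name and version to a vulnerability database. The component names (`acme-webfw`, `acme-json`), the advisory identifiers, the version ranges and the artifact bytes are all constructed for the demo; a real deployment would replace the catalogue and advisory list with a package index and an advisory feed.

```python
"""Inventory-and-map example: identify open-source components by content
hash (never by file name) and match them against known advisories.
All components, versions, advisory ids and artifact bytes are constructed."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.10.0' into (2, 10, 0) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Advisory:
    component: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive)
    advisory_id: str  # constructed placeholder, not a real advisory number

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        return parse_version(self.introduced) <= v < parse_version(self.fixed)


# Constructed advisory database (step 3: the thing components are mapped to).
ADVISORIES: List[Advisory] = [
    Advisory("acme-webfw", "2.0.0", "2.3.5", "ADV-EXAMPLE-0001"),
    Advisory("acme-webfw", "2.3.5", "2.5.2", "ADV-EXAMPLE-0002"),
    Advisory("acme-json", "1.0.0", "1.4.0", "ADV-EXAMPLE-0003"),
]


def fingerprint(content: bytes) -> str:
    """SHA-256 of the artifact bytes; this is the identity we trust."""
    return hashlib.sha256(content).hexdigest()


# Constructed catalogue of known builds (step 2: the component library).
# The byte strings stand in for real jar/tarball contents.
_CATALOGUE_SOURCES = {
    b"acme-webfw build 2.3.1": ("acme-webfw", "2.3.1"),
    b"acme-webfw build 2.5.2": ("acme-webfw", "2.5.2"),
    b"acme-json build 1.3.0": ("acme-json", "1.3.0"),
}
CATALOGUE: Dict[str, Tuple[str, str]] = {
    fingerprint(content): ident for content, ident in _CATALOGUE_SOURCES.items()
}


@dataclass
class InventoryEntry:
    path: str
    name: Optional[str]
    version: Optional[str]
    identified_by: str      # "content-hash" or "unidentified"
    findings: List[str]     # advisory ids that apply to this build


def build_inventory(files: Dict[str, bytes]) -> List[InventoryEntry]:
    """Step 1: scan every artifact, identify it by hash, then map to advisories.
    `files` maps a path inside the application to the artifact's bytes."""
    entries: List[InventoryEntry] = []
    for path, content in files.items():
        ident = CATALOGUE.get(fingerprint(content))
        if ident is None:
            # Unknown hash: record it for follow-up instead of guessing from the name.
            entries.append(InventoryEntry(path, None, None, "unidentified", []))
            continue
        name, version = ident
        hits = [a.advisory_id for a in ADVISORIES
                if a.component == name and a.affects(version)]
        entries.append(InventoryEntry(path, name, version, "content-hash", hits))
    return entries


def vulnerable_entries(files: Dict[str, bytes]) -> List[InventoryEntry]:
    return [e for e in build_inventory(files) if e.findings]


# Constructed deployment. Note the first file name claims version 2.5.13,
# but its bytes are the 2.3.1 build: the hash, not the name, tells the truth.
SAMPLE_DEPLOYMENT: Dict[str, bytes] = {
    "WEB-INF/lib/acme-webfw-2.5.13.jar": b"acme-webfw build 2.3.1",
    "WEB-INF/lib/acme-json-1.3.0.jar": b"acme-json build 1.3.0",
    "WEB-INF/lib/mystery.jar": b"something nobody catalogued",
}

if __name__ == "__main__":
    for entry in build_inventory(SAMPLE_DEPLOYMENT):
        print(entry)
```

Run against the constructed deployment, the mislabelled `acme-webfw` artifact resolves to 2.3.1 and is flagged under the first advisory, `acme-json` 1.3.0 is flagged under the third, and the uncatalogued jar is reported as unidentified rather than silently assumed safe. That last case is worth a process rule of its own: an artifact that cannot be identified is a visibility gap, and the mapping step is only as good as the catalogue feeding it.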
