Flaws in open-source software pose big risks to companies that use it
Organizations can avoid an Equifax-type hack by taking security action now
By Melanie Grano, ThirdCertainty
A major takeaway from the Equifax debacle that hasn’t gotten enough attention is this: The massive data theft happened because of a vulnerability in an open-source component, which the credit bureau failed to lock down.
Remember Heartbleed and Shellshock, the two massive security flaws discovered in 2014 in open-source components that underpin much of the internet (the OpenSSL TLS library and the Bash shell, respectively)? The waves of network attacks that preyed on those flaws showed how open-source components, which over the years have become so widely used in business networks, actually comprise a ripe attack vector just waiting to be exploited.
The hackers leveraged a vulnerability in Apache Struts, an open-source web application framework that underpinned the credit bureau’s online dispute portal. Struts is widely used by developers at Fortune 100 companies to build Java web applications. The flaw, tracked as CVE-2017-5638, was publicly disclosed and patched in March 2017. In Equifax’s case, attackers used it to access and exfiltrate copies of files for more than two months, between May 13 and July 30, 2017.
When it seemed like the breach couldn’t get any worse for Equifax, the company also revealed that it had known about the vulnerability since its disclosure in March and had tried, unsuccessfully, to patch the affected system.
Vulnerabilities are common
As Jeff Williams, co-founder and CTO of Contrast Security explains, “Essentially, an attacker could send a single HTTP request—just like the ones your browser sends—except with a specially crafted header that contains the attack. Through a series of unfortunate events, the Struts framework treats this header as an expression, effectively running the attacker’s code on the server.”
Attackers were able to weaponize the vulnerability and use it to take over an entire web host with a single request. And Struts is just one in a long line of open-source vulnerabilities.
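Williams’ description also tells a defender what to look for: a request whose header carries an expression instead of the value the protocol expects. For CVE-2017-5638 the abused header was Content-Type, which by RFC 7231 must be a media type (`type/subtype` plus `name=value` parameters), so anything else in that position is either malformed or an attack. The check below is an added example written for this article, not code from Contrast Security or from the Struts project; the request records are constructed, not captured traffic, and the OGNL payload is a shortened marker rather than a working exploit. It applies two independent tests, a strict media-type grammar and a scan for OGNL markers, because a payload can hide inside a grammatically valid quoted parameter.

```python
import re

# Constructed sample requests for the example (not real captured traffic).
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/upload.action",
     "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"},
    # OGNL expression where a media type belongs: the CVE-2017-5638 shape (shortened marker).
    {"method": "POST", "path": "/upload.action",
     "Content-Type": "%{(#_='multipart/form-data').(#cmd='id').(#out=@java.lang.Runtime@getRuntime())}"},
    {"method": "GET", "path": "/index.action",
     "Content-Type": "application/json; charset=utf-8"},
    # Malformed but harmless: parameter without a value.
    {"method": "POST", "path": "/form.action",
     "Content-Type": "text/plain; charset"},
    # Grammatically valid (quoted-string parameter) yet carrying expression markers.
    {"method": "POST", "path": "/upload.action",
     "Content-Type": 'multipart/form-data; boundary="x${#a=1}"'},
]

# RFC 7230 token characters; note that '{', '(', ')' and '=' are NOT tokens.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
# type "/" subtype *( OWS ";" OWS token "=" ( token / quoted-string ) )
MEDIA_TYPE_RE = re.compile(rf"^{TOKEN}/{TOKEN}(?:\s*;\s*{TOKEN}=(?:{TOKEN}|{QUOTED}))*\s*$")

# OGNL / EL markers: %{ ... }, ${ ... }, @fully.qualified.Class@member, #var=
OGNL_RE = re.compile(r"%\{|\$\{|@[A-Za-z_][\w.]*@|#[A-Za-z_]\w*\s*=")


def classify_content_type(value):
    """Return a list of findings for one Content-Type header value (empty = clean)."""
    findings = []
    if OGNL_RE.search(value):
        findings.append("ognl_markers")
    if not MEDIA_TYPE_RE.match(value):
        findings.append("malformed_media_type")
    return findings


def scan_requests(requests):
    """Yield (index, path, findings) for every request whose Content-Type is suspect."""
    alerts = []
    for i, req in enumerate(requests):
        findings = classify_content_type(req.get("Content-Type", ""))
        if findings:
            alerts.append((i, req["path"], findings))
    return alerts


if __name__ == "__main__":
    for idx, path, findings in scan_requests(SAMPLE_REQUESTS):
        print(f"request {idx} {path}: {', '.join(findings)}")
```

The same logic can run in a reverse proxy or WAF rule on live headers, or over access logs that record the Content-Type header. It is a detective control only: the fix for the flaw Williams describes is the Struts upgrade, and a malformed header should be rejected regardless of whether the expression is recognised.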
Vulnerabilities in open source are discovered constantly. In fact, in the same week the Equifax breach was disclosed, two new Struts vulnerabilities were published. Both were extremely serious, and both require companies to update their software.
While open-source code is no less secure than commercial code, most companies lack visibility into, and control over, the open-source code they use, according to Mike Pittenger, vice president of security strategy at Black Duck.
“Last year, Black Duck’s Center for Open Source Research & Innovation (COSRI) analyzed more than 1,000 applications that were audited as part of Merger & Acquisition transactions. The COSRI audit analysis found that while 96 percent of the applications contained open-source software, more than 60 percent of those applications contained known open-source security vulnerabilities,” he says.
Open-source flaws are an open secret
Additionally, the COSRI analysis showed that 83 percent of audited applications in the retail and e-commerce industries contained high-risk known open-source vulnerabilities. On average, the open-source vulnerabilities identified in the audited applications had been publicly known for more than four years.
Even when an issue is known and a patch exists, most companies do not know which open-source components they are running in the first place, let alone that a fix is available for one of them.
Williams agrees. “Many organizations simply have not realized the importance of keeping open-source software up to date. Over the past few years, the issue has become increasingly important as the use of libraries has continued to skyrocket. There’s nothing particularly complicated about this issue. You just have to check to see if your libraries have any known vulnerabilities.”
While this sounds straightforward, Williams does highlight some issues. Namely that:
• There isn’t a good list of vulnerabilities (public CVE and NVD records are incomplete for library-level flaws and often lag the project’s own advisory)
• It’s not easy to know what libraries you are using (transitive dependencies are pulled in by build tools without anyone explicitly choosing them)
• You can’t rely on the file names of libraries (jars get renamed, repackaged or bundled inside other jars, so identification has to use embedded metadata or a content hash)
• The vast majority of applications are “legacy applications” that are not under active development, so nobody is rebuilding them against patched dependencies.
Ultimately, even Fortune 100 companies struggle to stay on top of their open-source security.
What companies can do
According to Pittenger, this starts with companies developing and implementing “automated processes to scan their applications for open source, create a library of their open-source components, and then map that open source to open-source vulnerability databases.”
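Pittenger’s three steps (scan for open source, build a component inventory, map it to a vulnerability database) and Williams’ warning above that file names cannot be trusted fit together in one small tool. The script below is an added example for this article, not Black Duck’s or Contrast’s product code and not a real vulnerability feed: it builds a constructed `WEB-INF/lib` tree in a temporary directory, identifies each jar from the Maven `pom.properties` embedded inside it rather than from its name, records a SHA-256 for jars that carry no metadata, and matches the coordinates against a tiny in-memory advisory table. The table’s Struts entry mirrors the affected ranges in Apache’s public S2-045 advisory for CVE-2017-5638 (the March 2017 flaw discussed above); a real scanner would pull such data from NVD, OSS Index or GitHub Advisories.

```python
import hashlib
import re
import tempfile
import zipfile
from pathlib import Path

# Constructed advisory table for the example, NOT a real feed. The Struts ranges
# mirror Apache's S2-045 advisory; a production scanner queries NVD / OSS Index.
VULN_DB = {
    "org.apache.struts:struts2-core": [
        {"id": "CVE-2017-5638", "introduced": "2.3.5", "fixed": "2.3.32"},
        {"id": "CVE-2017-5638", "introduced": "2.5", "fixed": "2.5.10.1"},
    ],
}

# Maven writes META-INF/maven/<groupId>/<artifactId>/pom.properties into every jar it builds.
POM_PROPS_RE = re.compile(r"^META-INF/maven/[^/]+/[^/]+/pom\.properties$")


def parse_version(text):
    """Turn '2.5.10.1' into (2, 5, 10, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def version_affected(version, introduced, fixed):
    """Half-open range [introduced, fixed), the convention most advisories use."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def identify_jar(path):
    """Identify a jar from embedded Maven metadata, never from its file name.

    'coordinates' stays None for jars without pom.properties (shaded or hand-built),
    leaving only the SHA-256 for matching against a hash-indexed database.
    """
    data = Path(path).read_bytes()
    record = {"path": str(path), "sha256": hashlib.sha256(data).hexdigest(),
              "coordinates": None, "version": None}
    with zipfile.ZipFile(path) as zf:
        for name in zf.namelist():
            if not POM_PROPS_RE.match(name):
                continue
            props = {}
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if "=" in line and not line.startswith("#"):
                    key, _, value = line.partition("=")
                    props[key.strip()] = value.strip()
            if {"groupId", "artifactId", "version"}.issubset(props):
                record["coordinates"] = f"{props['groupId']}:{props['artifactId']}"
                record["version"] = props["version"]
                break
    return record


def inventory(root):
    """Walk a deployment tree and identify every jar under it."""
    return [identify_jar(p) for p in sorted(Path(root).rglob("*.jar"))]


def find_vulnerable(records, db=VULN_DB):
    """Map inventory records to advisories; returns (jar name, coordinates, version, id)."""
    hits = []
    for rec in records:
        for adv in db.get(rec["coordinates"], []):
            if version_affected(rec["version"], adv["introduced"], adv["fixed"]):
                hits.append((Path(rec["path"]).name, rec["coordinates"], rec["version"], adv["id"]))
    return hits


def make_jar(path, group, artifact, version):
    """Write a minimal jar carrying Maven pom.properties (constructed test data)."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                    f"groupId={group}\nartifactId={artifact}\nversion={version}\n")


def run_example():
    """Build a constructed WEB-INF/lib tree, scan it, and return the vulnerable hits."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "WEB-INF" / "lib"
        make_jar(lib / "struts2-core-2.3.31.jar", "org.apache.struts", "struts2-core", "2.3.31")
        # Renamed copy: the file name says nothing, the embedded metadata still does.
        make_jar(lib / "utils.jar", "org.apache.struts", "struts2-core", "2.5.10")
        make_jar(lib / "struts2-core-2.5.13.jar", "org.apache.struts", "struts2-core", "2.5.13")
        make_jar(lib / "commons-lang3-3.5.jar", "org.apache.commons", "commons-lang3", "3.5")
        return find_vulnerable(inventory(lib))


if __name__ == "__main__":
    for jar, coords, version, cve in run_example():
        print(f"{jar}: {coords} {version} is affected by {cve}")
```

Two of the four constructed jars are flagged, including the one renamed to `utils.jar`, while the patched 2.5.13 build and the unrelated commons-lang3 jar are not. Running this against a real `WEB-INF/lib` or a container image layer is the scan Pittenger describes; the part that needs ongoing effort is the advisory feed, which is why the fourth of Williams’ issues (legacy applications nobody rebuilds) matters so much.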
Of course, building and maintaining this in-house may be impractical for many companies. Both Contrast and Black Duck offer products that identify the open-source components in an application and flag those with known vulnerabilities.
Companies need to come to grips with open-source vulnerabilities. The choice is clear—take action against open-source vulnerabilities today or face becoming the Equifax of tomorrow.