Visibility, monitoring of open-source code is critical to stay safe from attackers

To maintain security, vigilance by businesses must be timely and constant


There are obvious benefits to using open-source software. And there also are many challenges.

Ed note: Black Duck, Mike Pittenger

For one thing, poor open-source code management can cause the targeted company in a merger and acquisition deal to suffer. In Black Duck Software's experience, 95 percent of the targets we audit in M&A deals have unreported open-source code. This issue can derail plans that the acquiring company had for the target company's software. It can lead to a purchase price reduction or even a termination of the deal.

Another key risk stems from not being aware of open-source security vulnerabilities. Of 200 commercial applications recently audited by Black Duck, through our 2016 Open Source Security Audits (OSSA), 67 percent contained known vulnerabilities in open-source components, most of which had remained unpatched for more than five years. In fact, more than 4,000 new open-source vulnerabilities are revealed every year.


If you don't have visibility into the open source you use, you're providing adversaries with a simple path to attack your application. You simply cannot ignore open-source security management without putting your organization at risk of a security exploit.

Black Duck maintains the world's largest database of open-source project and vulnerability information, called the Black Duck KnowledgeBase, to benefit the open-source community with additional open-source research and innovation initiatives.

In mid-2016, Black Duck created the Center for Open Source Research and Innovation (COSRI), creating and staffing an applied-research and innovation group in Vancouver, British Columbia, and a separate open-source research group in Northern Ireland. The core of COSRI is formed by the Black Duck KnowledgeBase team, their OSSA work, and by Black Duck's Open Hub, an online community and public directory of free and open source software.

Attentiveness is key

The open-source community is very quick to respond to discoveries of vulnerabilities and, in most cases, a fix is released the same day as the vulnerability details are published. The real issue is the need for businesses to have timely and continual insight into the open-source code they're using in order to keep it secure for both themselves and their customers.

Static, dynamic, and run-time application security testing tools are all essential for finding application vulnerabilities in custom code. But alone they may provide an incomplete picture of risk, which is why earlier this year Hewlett Packard Enterprise and IBM both extended their secure development and security testing solutions to include open-source scanning alongside application security testing.

It's critical to use security testing tools to gain visibility into and identify vulnerabilities in your proprietary code. Of equal importance is the need to understand the open-source components in your applications, and have continuous insight into any risk that may be introduced by those components. Without that visibility into open source as well as proprietary code, organizations risk exposing their applications to attack.
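The "continuous insight" the two preceding paragraphs describe amounts, at its simplest, to keeping an inventory of the open-source components in an application and matching it against published advisories, then asking how long a fix has been available. The script below is an added illustration of that check and is not Black Duck's code or a description of the KnowledgeBase: the component manifest, the advisory entries (ids such as EX-0001), the version ranges and the dates are all constructed for the example, and `find_vulnerable`, `stale_findings` and the five-year threshold are the example's own names and choices, picked to mirror the "unpatched for more than five years" finding quoted above.

```python
"""Added example (not from the article or Black Duck): a minimal
open-source component inventory check.  Manifest, advisories and
dates are constructed for illustration; advisory ids are placeholders."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # placeholder id, constructed; not a real CVE
    component: str
    affected_below: str   # every version strictly below this is affected
    fixed_in: str
    published: date       # date the fix and details were published


def parse_version(v):
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically
    rather than lexically; trailing zeros are dropped so '2.0.0' == '2'."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(version, advisory):
    """A component is affected when its version is below the fixed range."""
    return parse_version(version) < parse_version(advisory.affected_below)


def find_vulnerable(components, advisories, today):
    """Return (component, advisory, days_since_fix_published) for every
    inventoried component that falls under a known advisory."""
    by_name = {}
    for adv in advisories:
        by_name.setdefault(adv.component, []).append(adv)
    findings = []
    for comp in components:
        for adv in by_name.get(comp.name, []):
            if is_affected(comp.version, adv):
                findings.append((comp, adv, (today - adv.published).days))
    return findings


def stale_findings(findings, years=5):
    """Findings whose fix has been available for longer than `years`."""
    return [f for f in findings if f[2] > years * 365]


# Constructed inventory of an application's open-source components.
MANIFEST = [
    Component("libfoo", "1.2.3"),
    Component("webframework", "2.0.1"),
    Component("parserlib", "0.9"),
]

# Constructed advisory feed (placeholder ids, versions and dates).
ADVISORIES = [
    Advisory("EX-0001", "libfoo", "1.2.5", "1.2.5", date(2011, 3, 1)),
    Advisory("EX-0002", "webframework", "2.0.0", "2.0.0", date(2014, 1, 15)),
    Advisory("EX-0003", "parserlib", "1.0", "1.0", date(2015, 6, 1)),
]

AUDIT_DATE = date(2016, 10, 1)   # constructed audit date


def run_example():
    """Run the check over the constructed data and return the findings."""
    return find_vulnerable(MANIFEST, ADVISORIES, AUDIT_DATE)


if __name__ == "__main__":
    found = run_example()
    for comp, adv, days in found:
        print(f"{comp.name} {comp.version}: {adv.advisory_id}, "
              f"fix {adv.fixed_in} available for {days} days")
    for comp, adv, days in stale_findings(found):
        print(f"STALE: {comp.name} fix has been available over five years")
```

Running it reports libfoo 1.2.3 and parserlib 0.9 as affected and flags libfoo as stale, since its fix was published more than five years before the audit date; webframework 2.0.1 is already at or above the fixed version and is not reported. A real inventory would come from build manifests or a scanner and the advisory feed from a maintained database, but the shape of the check, and the fact that the age of an available fix is itself a risk signal, is the same.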
