Visibility, monitoring of open-source code is critical to stay safe from attackers
To maintain security, vigilance by businesses must be timely and constant
By Mike Pittenger, Special to ThirdCertainty
There are obvious benefits to using open-source software. And there also are many challenges.
For one thing, poor open-source code management can cause the targeted company in a merger and acquisition deal to suffer. In Black Duck Software’s experience, 95 percent of the targets we audit in M&A deals have unreported open-source code. This issue can derail plans that the acquiring company had for the target company’s software. It can lead to a purchase price reduction or even a termination of the deal.
Another key risk stems from not being aware of open-source security vulnerabilities. Of 200 commercial applications recently audited by Black Duck, through our 2016 Open Source Security Audits (OSSA), 67 percent contained known vulnerabilities in open-source components, most of which had remained unpatched for more than five years. In fact, more than 4,000 new open-source vulnerabilities are revealed every year.
If you don’t have visibility into the open source you use, you’re providing adversaries with a simple path to attack your application. You simply cannot ignore open-source security management without putting your organization at risk of a security exploit.
Black Duck maintains the world’s largest database of open-source project and vulnerability information, the Black Duck KnowledgeBase, and uses it to support the open-source community through additional open-source research and innovation initiatives.
In mid-2016, Black Duck created the Center for Open Source Research and Innovation (COSRI), creating and staffing an applied-research and innovation group in Vancouver, British Columbia, and a separate open-source research group in Northern Ireland. The core of COSRI is formed by the Black Duck KnowledgeBase team, their OSSA work, and by Black Duck’s Open Hub, an online community and public directory of free and open source software.
Attentiveness is key
The open-source community is very quick to respond to discoveries of vulnerabilities and, in most cases, a fix is released the same day the vulnerability details are published. The real issue is that businesses need timely and continual insight into the open-source code they are using in order to keep it secure for both themselves and their customers.
Static, dynamic, and run-time application security testing tools are all essential for finding application vulnerabilities in custom code. But alone they may provide an incomplete picture of risk, which is why earlier this year Hewlett Packard Enterprise and IBM both extended their secure development and security testing solutions to include open-source scanning alongside application security testing.
It’s critical to use security testing tools to gain visibility into and identify vulnerabilities in your proprietary code. Of equal importance is the need to understand the open-source components in your applications, and have continuous insight into any risk that may be introduced by those components. Without that visibility into open source as well as proprietary code, organizations risk exposing their applications to attack.
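As an added example (not from the article and not Black Duck's own tooling), the script below shows the inventory-and-match step that gives this kind of visibility: it reads a constructed requirements.txt, records which components are pinned to a version, and compares those versions against a constructed advisory list that notes the version in which each issue was fixed. Package names, versions and advisory ids are placeholders, not real projects or CVEs.

```python
# Added example: a minimal open-source component check. The manifest and the
# advisory list are constructed placeholders, not real packages or advisories.
import re

REQUIREMENTS = """\
# constructed sample manifest
examplelib==1.2.0
parsekit==0.9.4
netutil>=2.0   # unpinned: exact version unknown, cannot be assessed
safelib==3.1.0
"""

# Constructed advisory feed: (package, first fixed version, advisory id).
# A pinned version below the fixed version is treated as affected.
ADVISORIES = [
    ("examplelib", "1.3.0", "ADV-PLACEHOLDER-001"),
    ("parsekit",   "1.0.0", "ADV-PLACEHOLDER-002"),
    ("safelib",    "3.0.0", "ADV-PLACEHOLDER-003"),
]

def parse_version(v):
    """Turn '1.10.2' into (1, 10, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def inventory(manifest):
    """Return {package: pinned_version or None} for each requirement line."""
    found = {}
    for line in manifest.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.\-]+)\s*(==|>=|<=|~=|>|<)?\s*([\w.]+)?$", line)
        if not m:
            continue
        name, op, ver = m.groups()
        found[name.lower()] = ver if op == "==" else None   # only '==' is exact
    return found

def check(manifest, advisories):
    """Return (findings, unassessed): findings are (package, version, advisory id,
    fixed version); unassessed lists unpinned components the scan cannot judge."""
    findings, unassessed = [], []
    for name, ver in inventory(manifest).items():
        if ver is None:
            unassessed.append(name)
            continue
        for pkg, fixed, adv_id in advisories:
            if pkg == name and parse_version(ver) < parse_version(fixed):
                findings.append((name, ver, adv_id, fixed))
    return findings, unassessed
```

Unpinned components are reported separately because a range such as `>=2.0` does not tell the scan which version is actually deployed; an accurate inventory needs exact versions or a lock file.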