With more than 4,000 security vulnerabilities reported each year – nearly half of them in open source software – it is imperative to know your code. Enterprises need to continuously monitor their open source inventory, detect known vulnerabilities, and receive alerts when new vulnerabilities that may affect the business are disclosed.
Fewer than half of the respondents to the Black Duck Software “2015 Future of Open Source” survey reported having adequate policies and procedures in place to assure a secure open source selection and approval process. Without this, enterprises cannot truly know their code and lack the visibility and control over open source needed to secure and manage their environments.
Black Duck Software conducts nearly 1,000 on-demand code scans each year, and nearly every scan identifies open source software that the organization did not know it was using. In this slideshow, Black Duck has identified five tips enterprises should consider when trying to keep open source code safe.
Securing Open Source Code
Bust the GHOSTs
“GHOST” (CVE-2015-0235) is a known open source security vulnerability found in a key component of Linux systems – the GNU C Library (glibc), which nearly all Linux programs use. It was a buffer overflow in the gethostbyname family of functions, which convert Internet host names to Internet addresses. If an attacker found vulnerable software and a way to pass a specially crafted host name to one of those functions, the attacker could, in theory, take control of the system. The vulnerability affected almost all major Linux distributions.
There are lots of potential GHOSTs in open source software, and the way to bust them is to have a repeatable, automated process that detects known vulnerabilities in your code base before they wreak havoc. That havoc can take the form of lost data, compromised customer information, business disruption, brand damage and costly remediation. Armed with information about which components are affected and where they live in the code base, remediation can be accelerated and GHOSTs busted before they can scare anyone.
Beware of Sleeper Cells
Open source makes its way into code bases in a variety of ways – in supply chain code, proprietary code, outsourced code, reused code, third-party code and legacy code. Most companies, by their own admission, lack adequate policies and procedures to assure a secure open source selection and approval process.
Without the ability to automatically identify and inventory open source, and then match that inventory against a database of known security vulnerabilities, companies are in the dark about potential enemies lurking within. Undetected known vulnerabilities are “sleeper cells” waiting to be exploited, and there is no shortage of “bad guys” happy to oblige.
Kill the Contagion
While security researchers work hard to ferret out vulnerabilities ahead of the black hats, the majority of open source developers are not security experts. Many security problems involving open source arise not from defects in the code itself but from misconfiguration by the end users who deploy it. The security landscape is full of traps at many levels.
With modern code bases comprising tens of millions of lines of code, automation is key to realizing the benefits of open source hygiene. While human oversight is necessary and helpful in identifying vulnerabilities, effective hygiene comes from orchestrating automated scanning with build engines and continuous integration platforms. With a comprehensive bill of materials (BOM) for an organization’s open source code, you can then perform automated scans that supply critical information about security vulnerabilities, licensing conflicts, and version deprecation and proliferation.
Many organizations use static application security testing (SAST) and dynamic application security testing (DAST) for monitoring. These tools are excellent for finding bugs in code written by internal developers, but they are not designed to detect known open source vulnerabilities in application code: they analyze your code's logic or runtime behavior, and they do not identify which third-party components are present or match those components and versions against a database of published vulnerabilities. Finding known open source vulnerabilities requires that component inventory and matching step, not a different kind of bug hunting.
Humans can help provide protection from the “zombie” vulnerabilities. In theory, many eyes look at open source code as it is developed, integrated and deployed; in practice, “many eyes” are not always enough. What is missing is ongoing curation. Developers and end users take the security of many projects for granted, but the reality is that too few people maintain piles of code that may be months or even years overdue for security review.
Beware ‘The Grim Breachers’
They can kill your brand and deplete your cash. One way to keep “The Grim Breachers” at bay is to know your code. Only by having visibility into the open source code in your applications and containers can you have the control you need to secure and manage that code. It seems straightforward, but 99 percent of Black Duck on-demand scan audits find unknown open source. And the “2015 Future of Open Source” survey showed that more than 55 percent of companies lack policies for open source use, more than 50 percent were unhappy with their visibility into security vulnerabilities, and only 16 percent have an automated code approval process.
Although 95 percent of organizations rely on open source for at least some part of their operations, most companies don’t have accurate information about the open source they’re using, or whether that open source has any known security vulnerabilities. What’s required is automation for visibility and control: identifying the inventory and mapping it to all known open source security vulnerabilities, providing comprehensive license compliance information, and issuing alerts if any new known vulnerabilities are found. It’s important to know your code.
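The BOM-driven scan described under “Kill the Contagion” and the inventory-to-vulnerability mapping and alerting summarized above, as one added example in Python. This is not Black Duck’s code or anything from the page; it assumes a BOM already produced by a composition scan and a vulnerability database expressed as affected version ranges, and every component, path, license policy, version range and advisory ID (the HYP-* identifiers) is constructed for illustration, not a real advisory.

```python
"""Added example (not Black Duck's code): scan a bill of materials (BOM)
against a vulnerability database, report license conflicts and version
proliferation, and diff two database snapshots to alert on newly disclosed
vulnerabilities. Every component, version, license policy and advisory
below is constructed for illustration; HYP-* IDs are hypothetical."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.4.2' -> (1, 4, 2), so versions compare numerically, not as strings.
    Real scanners need ecosystem-specific rules (pre-release tags, epochs,
    backported fixes); dotted integers are enough for the constructed data."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str
    path: str                   # where in the code base the scan found it


@dataclass(frozen=True)
class Advisory:
    id: str
    component: str
    introduced: str             # first affected version (inclusive)
    fixed: Optional[str]        # first fixed version (exclusive); None = unfixed
    severity: str


def affected(adv: Advisory, comp: Component) -> bool:
    """True when comp falls inside the advisory's [introduced, fixed) range."""
    if adv.component != comp.name:
        return False
    v = parse_version(comp.version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)


def find_vulnerabilities(bom, advisories) -> List[Tuple[str, str, str, str]]:
    """Map every BOM entry to each advisory affecting it: (name, version, path, id)."""
    return sorted((c.name, c.version, c.path, a.id)
                  for c in bom for a in advisories if affected(a, c))


DISALLOWED_LICENSES = {"AGPL-3.0"}   # hypothetical policy for a proprietary product


def license_conflicts(bom, disallowed=DISALLOWED_LICENSES):
    """BOM entries whose license violates the (hypothetical) policy."""
    return sorted((c.name, c.version, c.license) for c in bom if c.license in disallowed)


def version_proliferation(bom) -> Dict[str, List[str]]:
    """Components shipped at more than one version; each copy must be patched."""
    seen: Dict[str, set] = {}
    for c in bom:
        seen.setdefault(c.name, set()).add(c.version)
    return {n: sorted(vs, key=parse_version) for n, vs in seen.items() if len(vs) > 1}


def new_alerts(bom, old_db, new_db):
    """Findings that appear only after a database update: the alert step,
    run against the stored BOM without rescanning the code."""
    return sorted(set(find_vulnerabilities(bom, new_db)) - set(find_vulnerabilities(bom, old_db)))


def ci_gate(bom, advisories, fail_on=("high", "critical")) -> int:
    """Exit status for a CI step: 1 on a finding at or above the threshold
    or any license-policy violation, else 0."""
    severity = {a.id: a.severity for a in advisories}
    failing = [f for f in find_vulnerabilities(bom, advisories) if severity[f[3]] in fail_on]
    return 1 if failing or license_conflicts(bom) else 0


# Constructed BOM, as a composition scan of a code base would produce it
BOM = [
    Component("libfoo", "1.4.2", "MIT", "vendor/libfoo"),
    Component("libfoo", "1.3.0", "MIT", "legacy/net/libfoo"),       # second, older copy
    Component("jsonparse", "2.0.1", "Apache-2.0", "third_party/jsonparse"),
    Component("dbdriver", "0.9.5", "AGPL-3.0", "outsourced/dbdriver"),
]

# Constructed vulnerability database at two points in time
OLD_DB = [
    Advisory("HYP-2015-0001", "libfoo", "1.0.0", "1.4.0", "high"),
    Advisory("HYP-2015-0002", "jsonparse", "2.0.0", None, "medium"),
]
NEW_DB = OLD_DB + [Advisory("HYP-2015-0003", "libfoo", "1.4.0", "1.4.3", "critical")]

if __name__ == "__main__":
    for finding in find_vulnerabilities(BOM, OLD_DB):
        print("vuln:", *finding)
    print("license conflicts:", license_conflicts(BOM))
    print("multiple versions:", version_proliferation(BOM))
    print("new since last run:", new_alerts(BOM, OLD_DB, NEW_DB))
    raise SystemExit(ci_gate(BOM, NEW_DB))
```

Run as a CI step, the exit status fails the pipeline on high-severity findings or license-policy violations, and `new_alerts` re-checks a stored BOM against an updated database without rescanning the code, which is how alerts for newly disclosed vulnerabilities can be raised between builds. The second copy of libfoo shows why proliferation matters: the older copy in the legacy tree is the one hit by the first advisory, and patching the vendored copy alone would leave it in place.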