Open source software is an integral part of modern development workflow. Startups and even Enterprise-level developers rely on open source components. This is because a majority of the IT platforms have moved to Agile development, where reusable open source software components are the norm. Why build something that’s already there, right? But what about the risks?
Guest post by Limor Wainstein.
Limor is a technical writer and editor at Agile SEO, a boutique digital marketing agency focused on technology and SaaS markets. She has over 10 years' experience writing technical articles and documentation for various audiences, including technical on-site content, software documentation, and dev guides. She specializes in big data analytics, computer/network security, middleware, software development and APIs.
There is no doubt that open source software has multiple benefits to offer, however, OSS comes with its own share of risks that you should know about. For instance, the level of security often differs in an open source software component and the software developed with the help of that component which potentially leads to security breaches.
In an analysis done a year ago on thousands of enterprise applications, it was found that around 24 types of known vulnerabilities were introduced by OSS to the web applications. Further, it was also found that these known vulnerabilities are quite capable of placing the enterprise security at risk with some known attack such as Denial-Of-Service (DOS) and malware injections. This article will discuss different ways, which will help to mitigate different types of risk raised by the open source components.
Build a Security First Culture
A security first culture can definitely help in mitigating the risks raised by the vulnerabilities brought in by the open source software components. Creating a security-first culture isn’t just about implementing security on specific components, but instead, you should try to implement security into everything from planning, development, testing, and production.
Apart from that, organizations have to implement the best security practices and use industry standards wherever possible. Most of the time, the selected security implementation or flawed security implementations make the organizations vulnerable to attacks.
A good example is the recent Equifax breach that exposed sensitive data of a million account holders which could have been avoided by installing the patches for Adobe Struts. In fact, these patches were available two months before the breach. Hence, a security first culture would have definitely prevented this vulnerability as security measures would have significantly reduced the probability of this happening.
Furthermore, security features should be discussed right from the beginning of the software lifecycle, rather than at the post-developmental stage. Organizations should also proactively trace the vulnerabilities in the open source software components with the help of the free tools available in the market. There are many free and paid tools that help you run deep scans of open source software. It is always good to be proactive, rather than being late.
Monitor the dependencies used by your application
It is always a good idea to discover any new vulnerability that exists in the dependencies used by various applications. The easiest way to do this is through constant monitoring. The libraries can contain both known vulnerabilities and unknown vulnerabilities.
A vulnerability disclosure can help in tracing the possible security flaws that already exist in an application’s dependencies. As a part of this measure, whenever a vulnerability is discovered, it needs to be reported. Then, the dependency needs to be tested against the reported vulnerability, and a fix is applied.
Enterprises, developers, and individuals need to keep track of newly disclosed vulnerabilities for their application. As part of this measure, all the applications which are relying on a dependency need to be tested against the new-found vulnerability. This is an effective way of mitigating the risk.
Use the right tools to find the vulnerabilities
Vulnerability detection could be extremely easy if an organization is using the right kind of tools. This is more important for a web application's security, as they are more prone to different types of vulnerabilities. One such tool is Grabber, which can detect multiple types of security vulnerabilities such as Cross Site Scripting, SQL Injection, Ajax testing etc. It can test the application and detect the exact location where the vulnerability exists. Even though the tool is simple to use, it is quite slow in comparison to other security tools.
Zed Attack Proxy (ZAP) is another tool which is used for security testing of web applications. ZAP can detect a wide range of vulnerabilities that might exist in a web application. It has got an inbuilt automatic scanner with powerful spiders. It has WebSocket support and can intercept proxy.
Get a feed of the vulnerability notifications
Getting a feed of the vulnerability issues as notifications can help you monitor the known vulnerabilities better. There are multiple types of commercial tools that perform software composition analysis and have an inbuilt database of vulnerabilities. This database is constantly updated if connected to the internet or it can be manually updated.
Organizations can purchase the license of the vulnerability database as well, in case it is not available within the tool. With the help of the integrated database within the SCA tools, we can get a constant feed of vulnerability notifications. Alternatively, you can use an API service to cross-check your dependencies against a public vulnerability database. The API will generate a notification whenever a vulnerability is disclosed in one of your dependencies.
Adopting automation at an early stage could be extremely helpful in mitigating the risks developed by the vulnerabilities. Most of the organizations are opting for automation of the organization's IT process to effectively tackle security issues. Everything from creating builds to running security checks can be completely automated. These automated systems can scan for the latest updates that are available for fixing the application vulnerabilities.
This can definitely prevent a security breach scenario like Equifax. Automated systems can do real-time monitoring, and can proactively detect any form of a security breach at an earlier stage. At the same time, it can ensure that the systems are updated periodically, with the necessary patches in order to prevent any form of security breaches.