
Interesting report explores risks of open source software

The need for businesses to closely monitor and effectively manage the software applications that they use became quite evident in 2017, after the massive and widely publicized data breach at Equifax.

For some reason, the consumer credit reporting service had not promptly patched a known security vulnerability in a web portal. That ended up giving hackers convenient access to the personal data of tens of millions of U.S. consumers.

However, it’s been Jon Scarbrough, director of IT at SDN Communications, who has really brought my attention to the widespread security vulnerabilities in software, particularly in applications built with open-source code. He stresses the need for businesses to closely screen their software providers and to monitor the code in their software on an ongoing basis, so that they become aware of newly reported vulnerabilities quickly and can apply the needed updates.

Scarbrough – like others in leadership positions at SDN – believes the company, as a regional leader in providing cybersecurity services to businesses, has a duty as well as an interest to help keep the commercial public informed about cyber risks.

Recently, Scarbrough brought my attention to the Black Duck by Synopsys Open Source Security and Risk Analysis report for 2018. I’m not a techie, so I usually have to read reports like that a couple of times to appreciate the content. However, the Black Duck report captured my attention quickly.

Open source software is a type of software that is released under licenses to anyone who wants to use it. The coding is no secret. It can be reviewed by those who understand that type of thing and built upon. In contrast, the source code for closed or private software is typically a proprietary secret not openly shared with the public.

Open source code isn’t considered any less secure than private code. As noted in the Black Duck report, using open source software in applications can help companies save time and money as well as improve software. But unlike commercial code, where the vendor sends updates to users, users of open source software have to keep track of reported vulnerabilities and updates on their own. As the Equifax case demonstrates, that’s a duty that can easily get delayed.

Meanwhile, the proliferation of open source code, combined with the growth of cybercrime, is multiplying the risks.

“As systems become increasingly connected, additional security exposures are created. More connections mean more pathways and back doors that could be exploited by a hacker—especially when a system’s own designers are not aware that those pathways and back doors even exist, as is often the case with use of vulnerable open source components,” the Black Duck report states.

Two brief sections in the 14-page report discuss risks in internet-connected devices ranging from car washes to autonomous vehicles and medical devices such as pacemakers. That’s the kind of high-tech information that could make a good plot for a book or movie.

Some of the numbers in the report are startling. For example, in 2017 Black Duck On-Demand audits found open source components in 96 percent of applications scanned, and 78 percent of the codebases examined had at least one vulnerability. The average was 64 vulnerabilities per codebase.

Couple those numbers with the realities that the use of open source software is growing and that most cyberattacks occur at the application level, and the need for caution in public-facing applications becomes abundantly clear.

As Scarbrough urges, businesses need to closely examine their vendors and the software-based services those vendors provide. They also need to monitor themselves. Do the vendors, and the company itself, use automated testing processes to identify and repair vulnerabilities?

“It’s like anything in life. You’ve got to execute due diligence,” Scarbrough said.

SDN produces its own quarterly Cyber Threat Landscape Report. The next installment will be released in July.