The modern risks of open-source code

Published: February 1st, 2021

- SD Times

The amount of open-source code being used in modern applications has exploded. According to multiple surveys, a large majority of enterprises are reporting that open-source components and third-party libraries are being implanted into their applications, both internal and outward-facing. Developers acknowledge that utilizing open source allows them to both speed up software development and focus more on unique code attributes instead of recreating what’s already been successfully established.

But the question of whether or not open source is as secure as proprietary code has come to the fore with this uptake in usage. In its defense, open source is vulnerable to hackers because they can see the code, but because of the large number of contributors to many open-source projects, more people can quickly respond to vulnerabilities in the code and remediate them when discovered.

Or Chen, director of R&D and manager of the software composition analysis (SCA) group at software security solutions provider Checkmarx, said open-source developers have a higher awareness than they did before about security and vulnerabilities, but many don’t follow enterprise standards of secure coding practices.

Among those standards, he said, are ensuring code is being reviewed throughout all software development stages, that there are gatekeepers to the repository, and that you notify your customers and consumers about newly discovered vulnerabilities. Most importantly, he noted, are ensuring the developers using open source in their applications understand the components, who the maintainers of that code are, and that repositories are being scanned on an ongoing basis.

“Developers should continue to upgrade their packages even if there is no new vulnerability or new functionality they need. Just make sure you’re up to date,” Chen said. “It will make your life easier when you have to update it because of a vulnerability.”

Another key standard developers using open source should follow is scanning the repositories with security tools similar to how they’re already using static code analysis. But in this case, software composition analysis is also needed to quickly scan your codebase to detect open-source libraries including direct and transitive dependencies, identify the specific versions in use, and identify any associated vulnerabilities and licenses risks you need to know about. The ideal scenario is finding a solution that offers both static and open-source scanning capabilities so developers can take a one-stop-shop approach.

Chen did note that there are differences between using open-source components or frameworks that are backed by organizations such as the Linux Foundation or commercial providers of open source such as Red Hat and many others, vs. using open source built by a small community of developers who may not have enterprise standards in place.

Vulnerabilities could be found in those smaller projects, yet it might take a longer time to remediate the vulnerability because there might not be anyone checking the board for newly discovered issues, and the community supporting the project might not have strong practices in place for remediation, he said.

Modern security risks
The big frameworks, web servers, and languages such as React, Angular, Django, and Spring are backed by big vendors who use industry standards. But small packages that Chen said are used for specific needs such as a math calculation or connection to a database, may not have that same kind of backing. “I do see, based on our customer usage, that every big enterprise might find itself with an open-source component developed by [small communities], and those packages might have been abandoned and no longer being maintained.

“So, when you find a security vulnerability in a smaller package, there may not be anyone available to immediately resolve it,” he continued. “This is part of what we call the modern risks of open source and the technical debt one may inherit from packages that are no longer being supported by the community. This liability also increases risk beyond just vulnerabilities and licenses issues.”

Currently, hackers look for packages that are not backed by Linux and all of those big vendors, but they’re popular. In this case, hackers often try to open the pull requests, inject some kind of malicious code inside that no one will notice, and a company might find itself with a Bitcoin miner in production, for example,” Chen explained. “As this ecosystem evolves, we’re starting to see increasingly sophisticated and modern risks in open-source areas.”

Another big risk to companies comes from legacy projects that might use outdated open-source packages. In those, he said, there might not be the kind of governance and monitoring of what gets in and what gets out of those packages.

Further, there are some vulnerabilities that are not exploitable right now but in the next version of the application, new attacks might evolve that can exploit those vulnerabilities within methods and functions. “My recommendation there is to keep your code as clean as possible and as safe as possible all the times. Don’t leave any vulnerabilities inside.”

“In legacy projects,” he said, “trying to have all dependencies upgraded to the latest ones is going to be an almost impossible mission. Upgrading them is no small effort, but by doing triage on the most exploitable vulnerabilities, and focusing on the packages you’re using the most, will make that task less ominous.”

Newer environments are a challenge
Chen pointed out that organizations experiencing an uptick in digital transformation are working with microservices and are consuming a lot of open source to help them bootstrap their efforts to get their projects production-ready as quickly as possible. The lack of best practices in some of these cases, he said, will hurt them in the long run. “Hackers are creating all kinds of fake packages, typosquatting packages on bogus sites, or just injecting vulnerable code into existing packages. In addition, hackers often use open source for their own financial advantage, so when you run your application in production, they just want you to run their Bitcoin miner.”

Finally, hackers are now looking to detect repositories on GitHub that don’t have any kind of security gate, he said, so hackers are “just free to put whatever they want inside it, and just wait for someone to consume it.”

Bottom line
At the end of the day, open source is here to stay. It brings immense benefits to developers in enabling them to build applications faster and at-scale. However, as malicious actors increasingly target these components to access sensitive and valuable data, leveraging SCA solutions that not only detect vulnerabilities earlier in development cycles, but also help prioritize and remediate issues more effectively and efficiently, are essential. Only then will developers be able to reap the true benefits of open source in a secure manner.

Content provided by SD Times and Checkmarx

Article Tags

Checkmarx, security, software test, software vulnerability

About SD Times

View all posts by SD Times

Cookie	Duration	Description
cf_use_ob	past	Cloudflare sets this cookie to improve page load times and to disallow any security restrictions based on the visitor's IP address.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
JSESSIONID	session	The JSESSIONID cookie is used by New Relic to store a session identifier so that New Relic can monitor session counts for an application.
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__atuvc	1 year 1 month	AddThis sets this cookie to ensure that the updated count is seen when one shares a page and returns to it, before the share count cache is updated.
__atuvs	30 minutes	AddThis sets this cookie to ensure that the updated count is seen when one shares a page and returns to it, before the share count cache is updated.
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.

Cookie	Duration	Description
__gads	1 year 24 days	The __gads cookie, set by Google, is stored under DoubleClick domain and tracks the number of times users see an advert, measures the success of the campaign and calculates its revenue. This cookie can only be read from the domain they are set on and will not track any data while browsing through other sites.
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_S6PB8V57DG	2 years	This cookie is installed by Google Analytics.
_gat_gtag_UA_846073_1	1 minute	Set by Google to distinguish users.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_jsuid	1 year	This cookie contains random number which is generated when a visitor visits the website for the first time. This cookie is used to identify the new visitors to the website.
at-rand	never	AddThis sets this cookie to track page visits, sources of traffic and share counts.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
iutk	5 months 27 days	This cookie is used by Issuu analytic system to gather information regarding visitor activity on Issuu products.
uvc	1 year 1 month	Set by addthis.com to determine the usage of addthis.com service.
vuid	2 years	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos to the website.
WMF-Last-Access	1 month 14 hours 26 minutes	This cookie is used to calculate unique devices accessing the website.

Cookie	Duration	Description
__Host-GAPS	2 years	This cookie allows the website to identify a user and provide enhanced functionality and personalisation.
_pxhd	session	Used by Zoominfo to enhance customer data.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
loc	1 year 1 month	AddThis sets this geolocation cookie to help understand the location of users who share the information.
mc	1 year 1 month	Quantserve sets the mc cookie to anonymously track user behaviour on the website.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
__gpi	1 year 24 days	No description
__Secure-YEC	1 year 1 month	No description
_heatmaps_g2g_100754890	10 minutes	No description
_techvalidate_session	session	No description
cf_7166_id	20 years	No description
cf_7166_person_last_update	session	No description
f5avraaaaaaaaaaaaaaaa_session_	session	No description available.
GoogleAdServingTest	session	No description
Gyazo_cfwoker	7 years 2 months 17 days 7 hours	No description
incap_ses_451_2783402	session	No description
incap_ses_769_2783402	session	No description
loglevel	never	No description available.
m	2 years	No description available.
nlbi_2783402	session	No description
prism_252377639	1 month	No description
TS011605d9	session	No description
ustream-guest	session	No description available.
visid_incap_2783402	1 year	No description
xtc	1 year 1 month	No description

AI

AI and Software Development

Observability

Guide to Observability

CI/CD

A guide to CI/CD

Cloud Native

Cloud Native Content

Data

A Guide to Data

Test

Automation

Mobile

Mobile Testing

API

Sponsored by Parasoft

Performance

Load & Performance Testing

DevSecOps

A Guide to DevSecOps

Enterprise Security

A Guide to Security

Supply Chain Security

Supply Chain Security

Dev Manager

Dev Managers Content

Agile

A Guide To Agile

Value Stream

A Guide To Value Stream

Productivity

A Guide To Productivity

DevOps

DevOps Content

Microservices

A Guide to MicroServices

AI

AI and Software Development

Value Stream Management

A Guide To Value Stream

The modern risks of open-source code

Article Tags

Subscribe to SDTimes

About SD Times

Related Articles

Red Hat Trusted Software Supply Chain gets updated with three new offerings

Report: Java is the language that’s most prone to third-party vulnerabilities

Implement a good secrets management practice to reduce your security risk

Synopsys hopes to mitigate upstream risks in software supply chains with new SCA tool