Open Source Software and the Threats That Come with It!
In the past five years, the growth and adoption of open-source technology have stepped into full stride and has penetrated all aspects of software development. Open source software helps companies and organisations significantly reduce software development cycles making it more cost-effective for the delivery of commercial applications. Leveraging open source is now a proven way of launching products faster but it is crucial for you to understand that defects do exist in open source code and what these potential risks could be to your company. Whether you’re a developer, a QA personnel or a manager, you need to clearly understand the implications of using open source with regards to code quality and vulnerabilities.
We can define open-source as the software for which the original source code is made freely available and may be modified and redistributed within the constraints of the original licence agreement. For most developers, open-source has unparalleled design advantages due to the nature of its collaborative development by software developers from all over the world. Why wouldn’t you want to use great code written by great developers?
There are many other benefits, but one of them that really resonates with our own approach to software development is that open source promotes modular programming. With the help of open-source components, we can quickly build new applications like building a house with building blocks and allowing us to focus on innovation. The advantages of community developed code in of itself is that it is self-perpetuating. As the code gets better more people want to contribute and use it. This has led to what we call the “open-source boom” era.
The security and compliance risks of using open-source software.
Naturally, when working with sophisticated code bases which can be difficult to evaluate and have intricate dependencies, it’s inevitable that you will face security risks without taking proper care to avoid them. We believe these risks come from one of two areas, defects and non-compliance, which result in vulnerabilities in the code.
As we specialise in the area of code analysis, I’ll focus on this topic. Open-source software may contain security defects which hackers can easily exploit for malicious purposes. The Common Weakness Enumeration (CWE) high risk vulnerabilities not only warn developers to pay attention to the insecure code but also reveals these obvious targets to hackers. It’s increasingly common for high risk vulnerabilities to be exposed in open source software where even widely used OpenSSL and Strusts2 have not been spared. A good example is the OpenSSL’s security hole Heartbleed which sends a heartbeat packet to the server. If the payload_length is higher than Heartbeat Message, data overflow will occur in the response packet returned by the server, resulting in the leakage of private user data. People were still using the old version of OpenSSL library without being aware that there was a bug even though it had been already reported on CWE.
So how do you minimise the risks when using open-source software?
A Gartner survey revealed that more than 90% of the respondents rely on open-source software. However, many of these companies do so arbitrarily and without proper knowledge of it. Sometimes, managers are not aware of which open-source software their team uses, and developers can’t list all the open-source software, versions, and licenses used. This can result in quality problems or security defects. Here are some guidelines to help you mitigate these risks.
1. Set up a policy to manage any open-source software used by your company which includes open-source licence management. The challenge lies in where open source is not only introduced into your applications by your own developers but also by third party vendors or outsourced development teams who bring them in, indirectly, through third party dependent libraries, sometimes without informing you. Demanding transparency of all open-source code used is an essential step for securing your software applications.
2. Include in your policy the need to track updates of all open source components you use. In addition, you must regularly pay close attention to the disclosure of vulnerabilities in trusted sources such as CWE. Unlike commercial software, open-source software does not push updates and patches to you. The aforementioned Heartbleed bug could have been avoided by many companies if they had such policies in place.
3. Conduct regular code audits of your software applications whilst implementing them using Static Application Security Testing (SAST). Compared with dynamic security testing and penetration testing, static code analysis is used earlier in the SDLC for delivering high quality and secure code. As more and more organisations outsource software development, it becomes difficult for them to evaluate the quality of the delivered code which may contain hidden defects that can cause potential risks in the future. SAST tools for analysing code becomes an objective way of assessing the quality of code delivered by third parties which include open-source software.
4. Last but not least, it is essential to cultivate a ‘quality first’ mindset. Never ignore the risks in open-source or partner code. With quality at the forefront of developers’ thinking, the use of static code analysis becomes a normal practice allowing you to identify risks and mitigate them early on. At Xcalibyte, we teach our clients the philosophy of quality first and security by design.
The importance of open-source in China has never been so high as it is today. Developers all over the nation regularly take advantage of the “open-source boom” and have achieved success through the use of flexible and innovative agile methods. An indicator of the importance can be seen by GitHub, which has over 40 million users, seeking to expand its business directly into China due to the demand for a China-based open source community. This is a move that has been welcomed by the Chinese government. With the development of industry and the expansion of overseas markets, we must ensure we deliver high-quality, safe and industry compliant products.
While organizations enjoy the competitive benefits that open-source has brought, it is crucial that we mitigate the risks and act ahead of them by incorporating automated tools such as Xcalscan, which continuously analyses code and detects defects allowing them to be fixed early. As a long-time developer, in my humble opinion, the use of static code analysis tools will gradually become the norm. They are the most effective tools for code audit and security assessment. The introduction of static code analysis tools to SDLC or DevOps has gradually become the standard for software companies around the world and plays an increasingly important role in securing yourself from the threats that come from open-source.
Johanna is a senior technical support engineer in the Xcalibyte Sales and Service Department. She’s responsible for industry solutions and customer support services.