Open Source Projects: Why Security Still Matters

Open source has been an integral part of the enterprise for decades. With the advent of Agile development methodologies and DevOps practices, open source has never been more important to developers creating the apps that are driving digital transformation.

But where does that leave security?

For years, open source was considered a safe security bet and immune to many of the vulnerabilities associated with Windows and other closed-source software, largely due to the open nature of the community supporting it. That way of thinking, however, needs to change.

A report published in June by security firm RiskSense found that vulnerabilities in open source software nearly doubled between 2018 and 2019, with nearly 1,000 projects posting year-over-year increases. Some of the biggest offenders include Magento, GitLab, and Jenkins.

The RiskSense reports that one reason for this increase in vulnerabilities is the growing acceptance of open source in many enterprise applications: Between 80 percent to 90 percent of software in use has some type of open-source component. This growing popularity means errors are slipping through the cracks and hackers are there to exploit them.

And while developers want to speed up application development, security is seen as cautious and risk-averse, which can cause frictions between developer and cybersecurity teams when trying to ensure that apps are ready for production and are free of potential vulnerabilities.

“When you are focused on building and shipping software, there are benefits of using open source software,” Wei Lien Dang, the co-founder and chief strategy officer at StackRox, which makes security tools for containers and Kubernetes, told Dice.

“However, organizations need to be careful that they understand how to deal with vulnerabilities and licensing issues that could create exposures,” Dang added. “Software development practices, regardless of the methodology, that borrow from open source need to account for product security. It’s not unique to DevOps—if you overlook the [open source software] patching process, you can easily put your organization at risk.”

Open Source Security Concerns

The non-profit Information Security Forum recently published a report on the growing use of open source software in the enterprise driven by the adoption of DevOps and Agile methodologies.

The study notes that, while open source software contains about the same amount of vulnerabilities as proprietary software, there are security issues to consider as well as unique challenges.

“In some organizations OSS has been inadvertently included in the IT infrastructure, or the organisation lacks a complete view of all OSS components deployed across their environment,” according to the ISF report. “If this is the case, [open source software] components may have been implemented in an uncontrolled manner and potentially left in an insecure state, outdated, unpatched and prone to vulnerability exploits. Without adequate knowledge of where and how OSS is used, organisations risk allowing vulnerabilities into their infrastructure that they are unaware of, and therefore cannot proactively address.”

One of the biggest security blunders associated with open source software happened in 2017, when Equifax’s IT and security teams did not respond to and patch a vulnerability in the Apache Struts open-source web application framework, which Chinese hackers allegedly exploited in order to gain access to the company’s network and exfiltrate data on over 145 million U.S. citizens. It was one of the largest data breaches in history.

Thomas Hatch, CTO and co-founder of automation security firm SaltStack, believes that many security and IT professionals are focused on protecting and securing high-level components and not checking to see what open source components are finding their way into enterprise applications. This leaves a security gap. 

“The duties of IT workers vary greatly from organization to organization, but a large number of organizations have very few IT resources that are focused on patching,” Hatch told Dice. “Modern IT professionals spend much more time managing high-level APIs and UIs. They need to deal with a large group of systems and services and are not as focused on the system and OSS management as they were 10 years ago. The ability to take massive amounts of free, untested, unvalidated, and not necessarily secured software off-the-shelf has created a liability deeply embedded in areas that make heavy use of open source software.”

While open source is considered a way to reduce costs, there is still a price to pay to ensure the security of applications that use this code, Wang said.

“This comes in the form of experience and/or training to ensure that OSS code is patched and secured,” Wang said. “This is one of the reasons why organizations go with commercial software or a cloud managed service. In those cases, it’s the responsibility of the software or cloud provider to make patches available. You get the added benefit of a level of outsourced support and upkeep.”

Developing Best Practices

For those organizations that want to use open source and still ensure the security of the applications, there are two core considerations to make: Having the right tooling in place to ensure protection and creating the right processes for patching.

“You need to have a way of discovering vulnerabilities, license issues and other risks associated with using open source software,” Wang said. “The methodology, Agile, DevOps or otherwise, shouldn’t make a difference. If you choose to use OSS, you need to understand the security risks and implications of doing so and be prepared to deal with it appropriately.”

Hatch, the CTO at SaltStack, has three ways that security and development teams can ensure the integrity of their applications:

Apply Patches: If the Equifax data breaches proved one thing, it’s that patching matters. In that case, the fault did not lie with Apache Struts but with Equifax not responding to the associated vulnerability alert in a timely manner, Hatch said.

Visibility: There are more rules and processes in place today for open source projects, and the most mature of these projects follow best practices for security disclosures. “When the security issues are disclosed, they are done in a way that users will be able to see exactly what the issues are and how to upgrade the software,” Hatch said.

Know What You Have: As open source has proliferated, developers have more choices than ever, which means keeping a better inventory of what components are being used in applications and knowing what bugs can affect them. “Open source allows us to have hundreds of thousands of software components to use; keeping track of them all is daunting,” Hatch said.