September 29, 2020
Cyber Security

Managing Vulnerability in Open Source Software Components With DevSecOps

Managing Vulnerability in Open Source Software Components With DevSecOps

Andrii Lysyuk
Author: Andriy Lysyuk, Head of Cyber Security at Ciklum. 
Master of Science, Applied Physics, 20+ years of experience in IT and Information Security. Prior to Ciklum he worked as Information Security Consultant in EY Global Delivery Center and IBM Global Delivery Center. He has CISSP and CISA certifications. Andriy has experience in Information Security Management, Application Security, Network Security, Incident management.

Open source software offers developers and organizations incredible access to a wide variety of high-quality components. Crowdsourced to developers who possess a devoted interest in creating, maintaining, and overseeing software projects large and small, open source software makes it easy to use or integrate powerful solutions that are trusted and vetted by a global community. 

It’s been estimated that 78% of all companies rely on open source solutions. More than 39% of companies across the world entrust open source software to power digital transformations, allowing for a seamless and cost-effective implementation of forward-leaning technologies. 

But despite the power and convenience offered by open source solutions, fully relying on software developed by the community at large — some of whom can choose to remain anonymous — can present an organization with a considerable number of risks. Without proper strategies to implement and maintain open source solutions at the corporate level, organizations may find themselves vulnerable to malicious or unmaintained software that could jeopardize the security and integrity of any network or system. 

What are open source vulnerabilities?

Open source vulnerabilities are software errors that leave systems open to a potential attack. Often the result of poorly written code, open source vulnerabilities make it possible for bad actors to exploit and manipulate coding errors to infiltrate computer systems, steal personal information, and impose countless types of damage throughout networks and devices.  

The nature of open source software presents a particular security challenge when it comes to managing vulnerabilities. Much like the vulnerabilities found in professionally developed proprietary software, gaps in software coding allow skillful hackers to find their way into a compromised piece of software. Open source software, however, is developed in an open process, allowing anyone to modify, repair, and maintain code as they see fit, giving hackers easy access to manipulate code maliciously. Even without a malicious intent, some bugs can be introduced during code commits by developers and due to the distributed nature of code management they can be not noticed for a long time. An example of this case is Heartbleed vulnerability in OpenSSL, introduced in 2011 and discovered in 2014.

Among commercial applications, 96% contain open source components, 67% of which contain known vulnerabilities. One of the most recent and well-known security breaches based on open source software occurred at Equifax, which ran an outdated version of Apache Struts that contributed to a major cybersecurity incident impacting up to 143 million consumers in the United States. Considering that the vast majority of businesses depend on some form of open source software, defending against open source vulnerabilities is crucial to protecting users and data around the globe. 

What are today’s top open source risks and vulnerabilities?

Software vulnerabilities can come at any time, allowing hackers to capitalize on an undiscovered exploit at a moment’s notice. But many of the risks posed by open source software are timeless, resulting from laziness, mismanagement, and general disregard for the importance of proper software maintenance. 

One of the open source risks, which is also inherent in commercial software, is the public nature of information about open source software vulnerabilities. Projects such as the NVD (National Vulnerability Database), a U.S. government-run repository of available open source exploits, exists to inform developers and organizations of known software vulnerabilities. For open source projects, however, the disclosure of vulnerabilities by the researchers is done relatively quicker. 

Public services such as NVD can present a double-edged sword, broadcasting open source solutions that have potential security holes to legitimate developers and nefarious actors alike. Hackers can glean information about open source solutions that are attractive targets and identify organizations that continue to rely on unpatched, outdated, or otherwise vulnerable software. 

Developer malpractice can also lead to vulnerabilities in open source. Rather than properly calling the open source code in an application, lazy or rushed developers often choose to copy-and-paste code directly from the source. Copying code verbatim can create serious room for security risks, leaving an application with a forked set of software instructions that are not overseen by the open source community. Not only can this turn an open source solution into a poorly maintained proprietary piece of code, but it can also create long-term software licensing issues. 

Finally, operational issues can contribute to the overall risk profile of open source software. Because open source software can be frequently updated with bug fixes, new features, or security patches, developers implementing open source solutions must remain vigilant to ensure that the latest software releases are being implemented at every inflection point. Without a strategy to regularly assess open source components to ensure they are up-to-date, organizations risk remaining vulnerable even when developers are abiding by good coding hygiene. 

How DevSecOps Helps Manage Open Source Vulnerabilities

DevOps is a popular strategy among organizations seeking to streamline software development and operations, creating a structure that quickly delivers high-quality software with a high degree of collaboration and accountability. DevSecOps is a logical extension of DevOps principles, incorporating security principles throughout the entire DevOps model.

For organizations tasked with managing open source vulnerabilities, DevSecOps presents a powerful opportunity to improve open source code management using inherent principles of security. Security automation, a complementary extension of automation seen throughout continuous integration and continuous development DevOps environments, can help ensure that application source code is automatically checked for vulnerabilities.

Integrating software composition analysis tools into the development workflow can also help ensure that software components are being built with strong security in mind. By ensuring that open source components pass key security checks, organizations can protect themselves against dangerous vulnerabilities and developer oversights. 

Because the collaborative nature of DevOps is also present in DevSecOps, organizations can also expect better communication between developers and security teams. Rather than placing aside security to a separate topic, teams can work together to include open source solutions that are secure, trusted, and efficient. 

Ways to Better Implement DevSecOps in Open Source Code

DevSecOps makes it easy to incorporate a high degree of security into open source code. By entrusting developers and security professionals to collaborate at a high level, all code can be frequently assessed for vulnerabilities before, during, and after creation. 

This collaborative relationship can serve as a check against developer mistakes, intentional or unintentional, ensuring that open source code is up-to-date, has defence-in-depth security controls and is unlikely to have security vulnerabilities. Incorporating a high degree of security automation also makes it easy for code to be assessed automatically, reducing the amount of effort required by developers and security professionals to deliver secure solutions. 

Considering that the vast majority of organizations heavily rely on open source software, adhering to principles of DevSecOps is a sound strategy for any company seeking to improve its data security footprint. By treating security just as important as any other component of software development, organizations and users alike can continue to enjoy the benefits of open source solutions without having to worry about unexpected security issues falling through the cracks. 

Check out our DevSecOps services page to learn how Ciklum can help you develop your product more securely.