2017-01-27

Zero-day vulnerabilities continue to haunt security practitioners. One root of the zero-day problem that isn't going away is the ever-growing use of open source code.

That's why many people want to know what is trending with zero-day vulnerabilities, and what the best practices are for mitigating risk in open source code.

Cybersecurity Ventures recently released a new Zero Day Report that provides zero-day vulnerability trends, statistics, best practices, and resources for CISOs and IT security teams.

The report highlights some alarming statistics, including:

The application attack surface is growing by 111 billion new lines of software code every year.

There will be open source code in 99% of mission-critical apps.

Mike Cotton, vice president of research and development at Digital Defense, said, "Widespread use of open source code can be problematic from a security standpoint. More enterprise products continue to embrace open source as a means of shrinking the marketing cycle and getting product to market."

Because a block of code can be a component in software written for many kinds of devices, Cotton said, "A zero-day flaw found in such a component can be multiplied many times. You'll typically see a slew of vulnerabilities come out on all sorts of appliances and platforms."

The pressure to get to market has given rise to the new trend toward integrating more and more libraries into enterprise products, but each one of those libraries represents a potential vulnerability.

Cotton said, "There was more native code development before, but the upside of using open source is the code quality is higher. The downside is when somebody finds a flaw, it's now 16 products that are vulnerable."

What often happens in open source components and enterprise products is that developers put the stock library into the product line but don't harden it. Cotton said, "If they put them into a hardened configuration they'd be OK."

So, what do enterprises need to do to address these vulnerabilities? "Every line of code is an attack system. This library does these 25 things, but we only need these two," said Cotton. "Let’s make sure only what is used is actually exposed to the running code."

Another issue that contributes to zero-day flaws is that companies are using two or three solutions in the same product. "They might use two to three databases or XML parsers, but it's better to centralize and settle on one platform or one component that can take care of all their needs," Cotton said.

Strong protection comes down to choosing the right tools for the job. "Select lightweight components with fewer lines of code and fewer features related to your task," said Cotton.

The trend toward virtualization has also lowered the bar for an attacker to go ahead and take a look under the hood at some of these products. "You can download a virtual machine. There is a lot of low-hanging fruit in the enterprise appliance space," said Cotton.

That one is really on the vendors themselves. "They need to be cognizant of the fact that people can do this and make sure they have gone through a robust security evaluation process first," said Cotton.

