Get a Jump on Reducing Your Open Source Software Security Risks

shutterstock 396994285

By taking the right precautionary steps, organizations can leverage open source software to rapidly develop applications – without compromising security.

Open source software offers many benefits to development teams looking to rapidly develop applications in order to stay ahead in competitive markets. The advantages to leveraging open source libraries range from greater overall cost savings to more flexibility in development. It is no surprise then that both traditional and agile development-driven teams frequently incorporate pre-built, reusable open source libraries into their applications.

However, the use of open source libraries can also pose significant risks to an organization’s security program. Although there is one theory that open source libraries are more secure since they have far more eyes reviewing the code, it’s not a guarantee that any real security checks or tests occur – there is no party responsible for doing so. Most open source libraries are not subject to the same level of scrutiny as software that is developed in-house and sold to customers. It can be difficult for enterprises with many code repositories to even identify how many open source libraries are actually being used, let alone which ones also contain vulnerabilities. Lastly, there is the added business risk of accidently pulling in licenses through open source libraries, which could cause large financial and legal problems.

In fact, according to an IDG/Veracode Application Security survey, nearly all organizations (99%) run into roadblocks when trying to assess the security status of applications and software that they hadn’t developed in-house, including the use of open source code (41%).

The threat landscape

Unfortunately, open source vulnerabilities can expose an organization to serious threats that ultimately lead to either comprising corporate and customer data or putting the availability of applications at risk. Consider, for example, the well-known security bug Heartbleed. It introduced a serious vulnerability into the OpenSSL cryptographic library, enabling hackers to trick vulnerable web servers into sending sensitive information, including usernames and passwords. As the need for faster software delivery increases, so will the use of open source libraries, and the proliferation of potential vulnerabilities.

Indeed, Veracode’s State of Software Security report reveals that 88% of Java applications contain at least one open source-based vulnerability.

Yet forbidding developers from using open source libraries entirely is simply not an option given the demand for high-speed development cycles. In fact, the use of secure open source libraries should be encouraged, and developers should be given the tools they need to protect the applications they are writing. So how can organizations protect themselves from vulnerabilities in open source code that they don’t have control over?

Here are three steps organizations can take to minimize these security risks while still reaping the business benefits of open source.

1. Take inventory

To outpace hackers, organizations must be ready to apply vendor patches to infrastructure in record time. However, a lack of visibility into open source library use can significantly stall these efforts.

Fortunately, a software composition analysis (SCA) tool can help by building an inventory of an organization’s open source libraries. The first step is just knowing what you have and use. Upon learning of a vulnerability, IT teams can quickly identify which applications are vulnerable, and discover whether the latest version of an open source library actually addresses the problem. Organizations can also blacklist certain components, leading to an automatic policy audit fail for any application that uses them.

2. Lend a helping hand

Given its ability to accelerate delivery of digital innovation, open source software is hugely popular among developers. It’s up to the security team to enable developers to build secure applications at record speed, by providing them the tools to monitor, identify, and secure open source libraries in their applications. It’s not enough to have policies in place, without the tools to make developers successful. A combination of secure code training, awareness of the dangers that can be present in open source libraries, and the tools to successfully deliver secure applications is critical to a company’s AppSec program.

3. Build a toolkit

It takes more than single tool to minimize the application security risks in an organization. Security teams must deliver a comprehensive, end-to-end solution that covers both first-party code, as well as third-party code (open source libraries). These tools must fit into the way developers work, rather than the other way around. It’s important to conduct security testing throughout the entire software development lifecycle, starting in the developers’ IDE and going all the way to the production environment. It’s also critical to have an entire program that enables developers and operations to use and respond to these tools. Without a program and education in place, adoption and utilization will stall. These tools should address, at a minimum, the areas of:

  • Static analysis security testing (SAST) for first-party code
  • Dynamic analysis security testing (DAST) for code in production
  • Software composition analysis (SCA) for open source libraries
  • Secure coding education and testing for development environments
  • Manual penetration testing for human-based security elements

Together, these tools can find and fix vulnerabilities faster and more affordably while maximizing the benefits of open source software.

With CA Veracode Verified, enterprises can identify those vulnerabilities lurking in open source libraries before hackers strike. Find out more at Verified.