We recently held a Virtual Summit centered on the topic of open source library use and risk. Mark Curphey, Veracode’s VP of Strategy, gave the keynote address on trends in this space. Curphey, who is also the founder of OWASP and previously CEO of SourceClear (recently acquired by Veracode), believes that we are at a fundamental turning point in application security. He sees this shift stemming from three major trends:
1. The cloud: Using the cloud will fundamentally change the way we think about security.
2. The use of open source: As with the cloud, the shift to open source creates greater security risks but also an opportunity to change and improve security. When everyone is re-using one central resource, focusing on securing that one resource gives us a big opportunity to change the security landscape.
3. DevOps: This model’s focus on automation and continuous delivery will shift the way we think about security and how to embed it into developers’ processes.
Turning to open source, Curphey emphasized that trends are changing in both its production and its consumption. On the consumption side, you would be hard pressed to find a company that isn’t building its products and services on open source code. He cited SourceClear data that up to 95 percent of their customers’ code bases are open source. On the production side, we’ve seen an uptick in the number of open source libraries being created, and they’re also being distributed much more quickly and in increasingly smaller chunks. This growth in number and pace ultimately means that it’s harder to scrutinize what’s safe and what’s not. At the same time, the pace of development is increasing as well, meaning that any security checks that slow or interrupt developer workflows won’t be effective. AppSec today needs to be frictionless and easy, which in large part means automated.
The above trends are changing the AppSec game and require a mindset shift. It’s no longer enough to focus only on your first-party code, making sure developers understand how to code securely and are scanning their code. That focus alone would leave a gaping hole in your security coverage. You also need to think about the open source libraries developers are pulling into their code. We need to shift our security thinking to accommodate this new reality, but we also shouldn’t be afraid of it: open source is now the key to innovation, and there are effective ways to use it securely. It will take a significant shift, though. For instance, much of the current AppSec landscape is built around public CVEs. But that list was created before DevOps, and before the explosion in open source. In today’s world, waiting for a vulnerability to be added to a public list is simply unfeasible. We need to think differently.
Just as we have to change our AppSec mindset, we need to be aware of the changing attacker mindset as well. The proliferation of open source has changed the economics of cybercrime for attackers. Rather than having to attack every app, they can create one attack that leads to many breaches. Curphey points out that not only are open source libraries increasingly targeted by cyberattackers, but that attackers have begun creating malicious open source code that organizations are unknowingly incorporating into their code bases. And we are starting to see ransomware used in this scenario.
The way forward: focus on prioritizing
In the good news column, using a vulnerable library doesn’t necessarily make you vulnerable. Curphey points out that prioritization is key to getting open source security right. In many cases, when developers pull in an open source library, they are only using one small piece of it, a single method or function. So even if the library is tagged as being vulnerable, your data might not be passing through the vulnerable part, or the method or function you are using might not be the vulnerable one. In this new landscape, security teams need to help development teams both determine acceptable risk and prioritize remediation and/or mitigation. A software composition analysis tool that can deliver this information in an automated way is a key part of effectively reducing open source library risk.
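To make the prioritization point concrete, here is a toy vulnerable-method reachability check, added as an example and not code from Veracode, SourceClear, or the summit. It assumes advisories that name the vulnerable function rather than just the library, uses a constructed application source and the placeholder library name `examplelib`, and builds a simple intra-project call graph with Python’s standard `ast` module to report which advisories are actually reachable from the application’s entry points.

```python
import ast
from collections import defaultdict

# Constructed advisories: (library, vulnerable callable). Placeholder names.
ADVISORIES = [
    ("examplelib", "parse_untrusted"),   # called on a path from main()
    ("examplelib", "render_template"),   # imported, but only by dead code
]

# Constructed application source, embedded so the example runs offline.
APP_SOURCE = '''
from examplelib import parse_untrusted, render_template

def handle_request(data):
    return normalize(data)

def normalize(data):
    return parse_untrusted(data)      # vulnerable method on the hot path

def unused_helper(x):
    return render_template(x)         # vulnerable method, never reached

def main():
    handle_request("input")
'''

def _callee(call, aliases):
    """Resolve a Call target to a local function name or a (library, func) tuple."""
    f = call.func
    if isinstance(f, ast.Name):
        return aliases.get(f.id, f.id)
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        mod = aliases.get(f.value.id)          # 'import examplelib' style alias
        return (mod, f.attr) if isinstance(mod, str) else None
    return None

def reachable_advisories(source, advisories, entry_points=("main",)):
    """Return the sorted advisories whose function is reachable from entry_points."""
    tree, aliases, graph = ast.parse(source), {}, defaultdict(set)
    for node in tree.body:
        if isinstance(node, ast.ImportFrom):
            for a in node.names:
                aliases[a.asname or a.name] = (node.module, a.name)
        elif isinstance(node, ast.Import):
            for a in node.names:
                aliases[a.asname or a.name] = a.name
        elif isinstance(node, ast.FunctionDef):
            for call in ast.walk(node):
                if isinstance(call, ast.Call):
                    target = _callee(call, aliases)
                    if target is not None:
                        graph[node.name].add(target)
    seen, todo, hit = set(), list(entry_points), set()   # BFS over local calls
    while todo:
        fn = todo.pop()
        if fn in seen:
            continue
        seen.add(fn)
        for target in graph[fn]:
            (hit.add if isinstance(target, tuple) else todo.append)(target)
    return sorted(t for t in set(advisories) if t in hit)

if __name__ == "__main__":
    print(reachable_advisories(APP_SOURCE, ADVISORIES))
```

Only `parse_untrusted` is reported, so the `render_template` advisory can be deprioritized even though the library as a whole is flagged.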
Listen to Mark Curphey’s complete talk, and the other sessions on the topic, in the recording of our recent Virtual Summit, The Open Source Library Conundrum: Managing Your Risk.