Are We Eating From the Dirty Fork?

Are We Eating From the Dirty Fork?

Mark Curphey By Mark Curphey
October 19, 2017

Earlier this week, SourceClear researchers wrote a technical analysis showing how they used our Security Graph Language (SGL) to uncover 23 vulnerabilities in GlassFish Open Source Edition. And while I’m certainly proud of our ability to find vulnerabilities that no one else sees, there is a much bigger issue here affecting how we think about and manage open source.

Are We Eating From the Dirty Fork?

In a nutshell, like many open source projects, GlassFish previously forked into a commercial and an open source version. During our analysis we found that the open source version retained many vulnerabilities that had been fixed in the commercial version. The problem is that the GlassFish Open Source Edition continues to be the Java EE Reference Implementation. This means when developers go to pull open-source code for new projects, they are likely pulling from the dirtier fork...vulnerability-speaking.

The underlying issue is that while everyone likes to pull from open source, far fewer expend the effort to fix and maintain it. People fix their own code, but those fixes don’t necessarily make it back to the community. And while this is disappointing, it certainly shouldn’t be a surprise. With only so many hours in the day, we all naturally focus on our most pressing personal projects. It’s fundamental. It’s not something that is limited GlassFish - it’s the nature of open source. Apache Struts provides provides a common example, but the same pattern is true across other projects such as Apache Spark, Apache Ranger and Apache Hive.

Taking Back Control

Hoping that a stranger does the right thing is a pretty poor plan for security. In fact the polar opposite might be a better plan, but we’ll save that discussion for another day. If we know that we need open source, but also know that we can’t implicitly trust it, what do we do? Obviously, we have to take responsibility ourselves. But how do we analyze millions/billions of lines of code without losing the time-to-market advantages of using open source in the first place?

This is precisely where the Security Graph Language comes into play. SGL gets the analyst out of digging through infinite lines of code and writing specific signatures, and instead allows us to focus on the fundamental pattern that bugs and vulnerabilities share in common. Find the underlying pattern, and immediately see all the other places where the pattern repeats. This allows the community to work at a massive scale and find problems that would never be seen via traditional means. By providing real tools to find open source problems and share fixes, we can not only secure our own projects, but keep the open source fork clean as well.

Mark Curphey, Vice President, Strategy
Mark Curphey is the Vice President of Strategy at Veracode. Mark is the founder and CEO of SourceClear, a software composition analysis solution designed for DevSecOps, which was acquired by CA Technologies in 2018. In 2001, he founded the Open Web Application Security Project (OWASP), a non-profit organization known for its Top 10 list of Most Critical Web Application Security Risks.
Mark moved to the U.S. in 2000 to join Internet Security Systems (acquired by IBM), and later held roles including director of information security at Charles Schwab, vice president of professional services at Foundstone (acquired by McAfee), and principal group program manager, developer division, at Microsoft.
Born in the UK, Mark received his B.Eng, Mechanical Engineering from the University of Brighton, and his Masters in Information Security from Royal Holloway, University of London. In his spare time, he enjoys traveling, and cycling.