Open source component vulnerabilities have been a hot topic in the security industry as well as in the media. It used to be that the main concern in software development was making sure you tested throughout the SDLC. While this is still a crucial part of making sure your software is secure, component security has grown in importance. As Tim Jarrett, Director of Product Management at Veracode, explained, “Software development has changed a lot over past 10 years.” Software today is mostly assembled rather than composed. Veracode’s data shows that between 80 and 90 percent of an application is made up of someone else’s code. And when there is a vulnerability in one of these components, it ends up spreading to all the applications that contain that component. No wonder we are seeing such widespread proliferation of vulnerabilities and seeing major breaches.
During his talk at the RSA Conference, Tim Jarrett focused on the core reasons for open source component risk and where it comes from. He said that when we talk about open source components the discussion generally centers on time to value as the reason developers integrate components into their code. Jarrett pointed out that this point is valid but disregards the other main reason developers use open source components – to create high quality code. If someone else has already thought of the problem you are trying to solve, and found a functional way to solve it, why would you start from scratch?
Why, then, do developers integrate vulnerable components into their code if quality is such an important consideration? Often it is not a conscious decision. For example, they may use one of the thousands of components that themselves include the vulnerable Apache Commons Collections library, without even knowing that it is part of the code. We need more visibility into the bill of materials, not just for our own software, but for the components we are using as well.
Jarrett closed out his presentation by pointing out that everyone’s code has vulnerabilities. If the code we are producing ourselves can have security defects, what makes us think the code we get from others is any better, or more secure? It is a great question that all developers should ask as they integrate components. It shouldn’t stop them from using components – there are many positive reasons to use an open source component. He does advise developers to make sure they are using the most recent version of a component, and for security professionals to keep a bill of materials so they can patch when new vulnerabilities are found.
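The two points above, that a vulnerable library can arrive through a component you never chose directly, and that a bill of materials is what lets you find it when an advisory appears, can be shown with a small script. This is an added example, not code from the talk or from Veracode: the dependency graph, version numbers and advisory entry are constructed for illustration (only the Commons Collections name comes from the article).

```python
"""Flatten a dependency graph into a bill of materials (BOM) and check it against advisories."""

# Constructed sample: what the application declares directly, and what each of
# those components pulls in. Note that commons-collections is never declared by
# my-app itself; it arrives through report-lib.
DEPENDENCY_GRAPH = {
    "my-app": [("web-framework", "2.4.0"), ("report-lib", "1.1.0")],
    "web-framework": [("json-parser", "5.0.1")],
    "report-lib": [("commons-collections", "3.2.1")],
    "json-parser": [],
    "commons-collections": [],
}

# Constructed advisory feed: the id and fixed version are placeholders, not a real advisory.
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER", "component": "commons-collections", "fixed_in": "3.2.2"},
]


def parse_version(version):
    """Turn '3.2.1' into (3, 2, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def build_bom(graph, root):
    """Walk the graph from `root` and record every component reached, direct or transitive.

    Each entry keeps the path that brought the component in, which is the piece of
    visibility the article says is missing. Already-seen names are skipped, so cycles
    and diamonds in the graph do not loop or duplicate.
    """
    bom = {}
    stack = [(root, [root])]
    while stack:
        node, path = stack.pop()
        for name, version in graph.get(node, []):
            if name in bom:
                continue
            bom[name] = {"version": version, "path": path + [name]}
            stack.append((name, path + [name]))
    return bom


def find_vulnerable(bom, advisories):
    """Match BOM entries against advisories; a version below `fixed_in` is affected."""
    findings = []
    for adv in advisories:
        entry = bom.get(adv["component"])
        if entry and parse_version(entry["version"]) < parse_version(adv["fixed_in"]):
            findings.append({
                "id": adv["id"], "component": adv["component"], "version": entry["version"],
                "fixed_in": adv["fixed_in"], "via": " -> ".join(entry["path"]),
                "transitive": len(entry["path"]) > 2,  # path longer than root -> component
            })
    return findings
```

Running `find_vulnerable(build_bom(DEPENDENCY_GRAPH, "my-app"), ADVISORIES)` reports the affected library together with the chain `my-app -> report-lib -> commons-collections`, so the team knows which direct dependency to upgrade rather than just that something somewhere is vulnerable.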