How Software Composition Analysis Reduces Risk from Open Source Components

Using open source code speeds up development cycles and reduces cost. But it comes with risks – open source code doesn’t get the same level of scrutiny as your internally developed software. And when a vulnerability is identified, it can be difficult and costly to pinpoint all of your applications that use a risky component.

Even if you do know which applications have vulnerable components, updating them requires development teams to recompile the application. This can delay remediation, compounding the risk vulnerabilities will be exploited.

Although industry regulations and security frameworks such as OWASP, PCI and FS-ISAC now require explicit policies and controls to govern the use of components, many organizations struggle to enforce these policies effectively. Veracode analysis has found that 44 percent of applications have a critical vulnerability in an open source component.

Case Study in Open Source Risk: Apache Struts 2

Vulnerabilities in open source libraries can be widespread across many applications and websites. When a vulnerability in OpenSSL known as Heartbleed affected large swaths of the internet in 2014, businesses were left scrambling to deal with vulnerable web applications and the potential for exposure of sensitive data like passwords.

The critical vulnerability discovered in the Apache Struts 2 library in March 2017 demonstrates the persistence of the open source problem. Only a few days after the vulnerability was disclosed, cybercriminals began exploiting it to attack vulnerable web applications. In one case, the website of Canada’s tax agency was shut down for several days after attackers exploited the “Struts-Shock” vulnerability to gain unfettered access to the web server, putting taxpayers at risk of identity theft and fraud.

It’s inevitable that more open source vulnerabilities like this will be exposed – and exploited. So how can you reap the benefits of developing applications with open source components without suffering the dire consequences of the associated risks?

Control Risk With Software Composition Analysis

Controlling open source risk requires a solution to quickly identify applications with vulnerable versions of components, enabling you to triage and remediate impacted applications. Furthermore, this solution should be part of an application security testing platform that can identify the components you use with a single scan.

The Veracode Application Security Platform analyzes your open source components to find vulnerabilities with the same scan you’ve already set up for static binary scanning – without having to rescan the applications. As a result, you’ll reduce integration points, get broader visibility across your application landscape, and assess your entire application against one policy, summarized in a single report.

Veracode Software Composition Analysis enables you to tackle open source risk in a systematic way.

Five Ways to Manage Open Source Risk With Software Composition Analysis

1. Identify open source components and vulnerabilities in all your applications

When a big vulnerability is disclosed, Veracode helps you quickly identify which of your applications are vulnerable. You can also manually blacklist specific components, so that any application using them automatically fails its policy audit.
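As an added example (not Veracode's code or data), the core of the matching this step describes, in Python: each application's component inventory is checked against an advisory's affected version range and against a blacklisted component, and any hit fails the policy audit and reports the fixing version. All component names, versions and the advisory identifier are constructed placeholders.

```python
"""Toy software-composition-analysis (SCA) policy audit.
All component names, versions and the advisory record below are
constructed examples, not real advisory data."""
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Turn '2.3.20' into (2, 3, 20) so versions compare numerically.
    Non-numeric segments (e.g. 'beta') are treated as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


@dataclass
class Advisory:
    component: str    # library identifier, e.g. Maven groupId:artifactId
    advisory_id: str  # identifier of the vulnerability record (placeholder here)
    introduced: str   # first affected version (inclusive)
    fixed: str        # first version that fixes the issue (exclusive)

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        return parse_version(self.introduced) <= v < parse_version(self.fixed)


def audit(inventory: dict, advisories: list, blacklist: set) -> dict:
    """inventory: {app_name: [(component, version), ...]}.
    Returns {app_name: [finding, ...]}; an app with no findings passes."""
    results = {}
    for app, components in inventory.items():
        findings = []
        for comp, ver in components:
            if comp in blacklist:
                findings.append(f"{comp} is blacklisted: policy audit fail")
            for adv in advisories:
                if adv.component == comp and adv.affects(ver):
                    findings.append(
                        f"{comp} {ver} affected by {adv.advisory_id}; "
                        f"fixed in {adv.fixed}")
        results[app] = findings
    return results


# Constructed inventory: what a scan would extract from each application build.
INVENTORY = {
    "tax-portal": [("org.apache.struts:struts2-core", "2.3.20"),
                   ("com.example:legacy-util", "1.0")],
    "hr-app": [("org.apache.struts:struts2-core", "2.5.99"),
               ("org.slf4j:slf4j-api", "1.7.25")],
}
# Constructed advisory with a placeholder id and version range (not a real CVE).
ADVISORIES = [Advisory("org.apache.struts:struts2-core",
                       "ADVISORY-PLACEHOLDER-1", "2.3.0", "2.3.30")]
BLACKLIST = {"com.example:legacy-util"}


def run_audit() -> dict:
    return audit(INVENTORY, ADVISORIES, BLACKLIST)
```

Running `run_audit()` flags tax-portal twice (one vulnerable version, one blacklisted component) and passes hr-app, whose Struts version lies outside the affected range.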

2. Manage your remediation and mitigation workflow

Veracode helps you manage the workflow for remediation and mitigations. Once Veracode Software Composition Analysis identifies a vulnerable open source component, the dashboard tells you whether the latest version of the component addresses it. Your developers can access educational resources to help them address the security issue.

3. Get one-on-one remediation coaching for software developers

When vulnerability descriptions and on-demand educational resources are not enough, developers can schedule a call with a Veracode secure development expert who will walk them through options for remediating or mitigating the vulnerability.

4. Identify and remediate vulnerabilities to comply with industry regulations

Veracode Software Composition Analysis helps you to comply with industry regulations and security frameworks – including PCI-DSS, OWASP Top 10, FS-ISAC, NIST, and HITRUST – that require you to fix known vulnerabilities in your applications.

5. Use a scalable SaaS solution that integrates with your SDLC

Security works best when it’s part of how people do their jobs. Veracode Software Composition Analysis is accessible from the Veracode Application Security Platform, enabling you to integrate application security testing throughout the software development lifecycle. Our SaaS-based platform reduces your operational overhead and is highly scalable to meet your demands at peak times.
