As the use of open source code in development projects continues to grow exponentially, software development teams must take great pains to address open source risk.
Open source libraries can deliver tremendous benefits to development teams. Developers today face overwhelming pressure to push out more software in shorter timeframes. Open source libraries can help by providing pre-built pieces of code that deliver specific functionality without having to build it from scratch. Consequently, 90% of the code in many applications today may originate from open source libraries.
The inevitable existence of vulnerabilities in these libraries leads to significant open source risk. Many development teams make the mistake of believing that open source code is inherently safe – or at least safer – because the code has been developed and used by numerous people who would have previously identified problems in the software. But in reality, applications built with open source code contain an average of seven vulnerabilities – and 44% of those programs contain critical vulnerabilities that can lead to major breaches. And with no one in charge of ensuring that vulnerabilities in open source code are published, fixed or patched, open source risk continues to plague development teams worldwide – only about one-third of teams regularly perform vulnerability testing to secure open source code.
The causes of open source risk
There are two principal causes of risk in open source libraries:
- Vulnerabilities. These may include known vulnerabilities; vulnerabilities inherited from other libraries; vulnerabilities that have been fixed but reappear because of library versioning; and zero-day and half-day vulnerabilities about which little is known, making it possible for criminals to exploit them more easily.
- Malware. Sophisticated attackers are now using simple techniques to create libraries that appear to be innocent but actually contain malicious code or are updated with malicious code at a later time. Open source libraries containing malware can quickly lead to the compromise of a web application and are frequently used in ransomware attacks.
Ways to mitigate open source risk
To protect against vulnerabilities and malware in open source code, every company must take four specific steps.
- Create and enforce security policies. Companies must have policies that govern how developers access and use open source libraries.
- Understand what open source libraries are being used and where the vulnerabilities are. Companies can most easily accomplish this through specialized static analysis (see below).
- Update vulnerable libraries. Cooperation between app security teams and development teams is critical here, as updates to libraries can sometimes break applications. Libraries may not need to be updated if developers aren’t using the vulnerable parts of the code.
- Mitigate malware. The most effective way to stop malware is to create warnings for developers who are accessing vulnerable libraries, and to create enforcement rules on Continuous Integration servers that will fail the build if vulnerable parts of libraries with high open source risk are used within the code.
Addressing open source risk with specialized static analysis scanning
To find and fix vulnerabilities and eradicate malware, companies must continually scan code as changes occur. The most effective scanning approach is to use static analysis and a list of all open source code being used within an application, which enables security teams to identify and scan those parts which may contain vulnerabilities. Scanning is most effective when integrated into the build environment as part of the Continuous Integration System. Not only is this where code is built, it’s where open source libraries are pulled into a project – scanning prior to this stage may miss significant chunks of open source code. Additionally, Continuous Integration servers have the functionality to fail a build when necessary, helping to prevent bad code from being shipped and reducing open source risk for companies and customers.
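The CI enforcement rule from the mitigation list above and the inventory-driven scan described here, worked through as an added example (not part of the original page and not Veracode's or SourceClear's code): a build gate that fails only when a vulnerable version is present and the affected part of the library is actually used, and merely warns otherwise. The inventory, advisories and source files are constructed sample data, and the reachability check is a simple import-plus-symbol heuristic that stands in for real static analysis.

```python
"""CI gate for open source risk (added illustration, not Veracode's code):
fail the build only when a vulnerable part of a library is actually used."""
import re
# Constructed inventory of the open source libraries pulled in at build time.
INVENTORY = {"requests": "2.19.0", "jinja2": "2.10.1"}
# Constructed advisories (placeholder ids, not real CVEs): vulnerable version
# range plus the symbols whose use makes the flaw reachable.
ADVISORIES = [
    {"id": "ADV-0001", "lib": "requests", "introduced": "2.0.0",
     "fixed": "2.20.0", "affected": ["requests.Session.send"]},
    {"id": "ADV-0002", "lib": "jinja2", "introduced": "2.0.0",
     "fixed": "2.10.2", "affected": ["jinja2.Template"]},
]
# Constructed application sources, keyed by path.
SOURCES = {
    "app/http.py": "import requests\n\ndef fetch(u):\n    return requests.get(u).text\n",
    "app/render.py": "from jinja2 import Template\n\ndef page(x):\n    return Template(x)\n",
}

def is_vulnerable(version, introduced, fixed):
    """introduced <= version < fixed, comparing plain dotted integers."""
    v, lo, hi = (tuple(int(p) for p in s.split(".")) for s in (version, introduced, fixed))
    return lo <= v < hi

def files_using(symbol, sources):
    """Heuristic reachability: files importing the symbol's package and naming its attribute."""
    root, _, rest = symbol.partition(".")
    attr = rest.split(".")[0]
    imp = re.compile(rf"^\s*(?:import|from)\s+{re.escape(root)}\b", re.M)
    use = re.compile(rf"\b{re.escape(attr)}\b")
    return [f for f, src in sources.items() if imp.search(src) and use.search(src)]

def evaluate(inventory, advisories, sources):
    """Failures: vulnerable version and affected code reachable; warnings: not used."""
    failures, warnings = [], []
    for adv in advisories:
        ver = inventory.get(adv["lib"])
        if ver is None or not is_vulnerable(ver, adv["introduced"], adv["fixed"]):
            continue
        hits = [(s, f) for s in adv["affected"] for f in files_using(s, sources)]
        (failures if hits else warnings).append((adv["id"], adv["lib"], ver, hits))
    return failures, warnings

def ci_gate(inventory=INVENTORY, advisories=ADVISORIES, sources=SOURCES):
    """Exit status for the CI step: 1 fails the build, 0 lets it pass."""
    failures, warnings = evaluate(inventory, advisories, sources)
    for adv_id, lib, ver, hits in warnings + failures:
        print(f"{'FAIL' if hits else 'WARN'} {adv_id}: {lib} {ver} {[f for _, f in hits]}")
    return 1 if failures else 0
```

A CI step would exit with the value of `ci_gate()`; with the sample data it fails on jinja2 (the vulnerable `Template` is used) but only warns on requests (`Session` is never referenced).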
Mitigating open source risk with Veracode
Veracode provides a platform with holistic, scalable solutions to manage security risk – including open source risk – across the entire application portfolio. Offering a centralized and comprehensive suite of cloud-based services, Veracode enables security testing to be integrated throughout the entire SDLC. Its solutions for open source risk are Veracode Software Composition Analysis (SCA) and SourceClear, a 2018 acquisition that will eventually be integrated with SCA. These solutions enable automated specialized static analysis in Continuous Integration while streamlining testing by determining whether applications are actually using the parts of an open source library that are vulnerable.
Learn more about solving open source risk with Veracode SCA and SourceClear.