Open Source Security Management

Open source code is extensively used by developers to accelerate software development and shorten time-to-market. While there are many advantages that can be gained from the use of open source code, there are also security risks. Consequently, effective open source security management is vital.

Open source code is software code in the public domain that can be used, shared, and modified by anyone. When code has already been written to perform a specific function, and the code has been put in the public domain, it makes sense to use that code rather than write code from scratch to perform the same function.

The adoption of open source code has increased significantly in recent years. It has been estimated that 98% of businesses have used open source software components in projects and applications, and upwards of 80% of the code used in applications is open source.

Open Source Security Risks

There is a commonly held view that open source code is more secure than proprietary code that is kept private. This is because, when code is put in the public domain, it can be scrutinized by anyone. The more eyes that look at the code, the more likely it is that security vulnerabilities will be identified. While that is generally true, simply putting code in the public domain does not mean anyone is actually checking the code. Nor does it mean that the people who check the code are sufficiently skilled to be able to identify vulnerabilities.

When vulnerabilities are identified, it is important to fix them as soon as possible, before they can be found and exploited by threat actors. Vulnerabilities in open source code tend to be found and addressed quickly; however, the vulnerabilities are made public by contributors to open source projects, which means it is even more important to patch promptly. With proprietary software, bugs are usually not made public until after patches have been released.

An interesting study was conducted by Veracode to determine whether open source code was being updated. 13 million scans were conducted on 86,000 repositories that contained 301,000 unique libraries. Veracode found the majority had at least one unaddressed open source security issue. Worryingly, after incorporating open source libraries, 79% of the time developers did not update the code.

Open Source Security Management

The benefits of incorporating open source code far outweigh the risks in most cases, and it is possible to manage open source security risks and reduce them to a low and acceptable level by implementing an open source security management program.

Open source security management should start before any approval is given to include open source code in projects. When developers suggest the inclusion of free and open source code, that code must be fully evaluated to identify whether any common vulnerabilities and exposures (CVEs) have already been publicly disclosed for it. This may seem obvious, but since 2013, the version of Apache Struts that has the CVE-2013-2251 vulnerability has been downloaded more than 179,000 times! The vulnerability has a CVSS severity score of 9.3 out of 10.

A fundamental element of an open source security management program is to maintain an accurate inventory of all open source code used in your projects. You should also maintain a list of all open source code that has been approved for use and make this available to your developers.

It is possible – and likely – that open source code has already been included in existing projects, so open source security management processes must be developed and implemented to scan projects in order to identify where open source code has been used and retrospectively identify any known vulnerabilities. There are several free and open source software (FOSS) scanners available, and at least one of those should be used.

You should evaluate FOSS scanners to determine which is the most effective. Once you have chosen a FOSS scanner, you should conduct regular scans to identify vulnerabilities – ideally every day but at least once a week. These solutions can provide insights into vulnerabilities and – as they provide context such as the exploitability of vulnerabilities – can assist security teams with the prioritization of remediation efforts. This ensures that the most serious and most likely-to-be-exploited vulnerabilities are addressed first – especially vulnerabilities for which exploits are in the public domain.
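As an added example (not from the original article or any particular scanner), the following Python script ties together the three steps above: it matches a component inventory against an advisory feed to find known vulnerabilities, then orders the hits by public exploit availability and CVSS score. The inventory, package names, versions and the CVE-0000-* identifiers are all constructed placeholders, not real data.

```python
"""Added example: inventory-to-advisory matching with remediation prioritization.
All package names, versions and advisory identifiers below are constructed."""
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Turn '2.10.0' into (2, 10, 0) so versions compare numerically, not as strings
    (a plain string comparison would wrongly rank '2.10.0' below '2.9.0')."""
    return tuple(int(part) for part in v.split("."))


@dataclass
class Advisory:
    cve: str            # placeholder identifier, not a real CVE
    package: str
    fixed_in: str       # first version that contains the fix
    cvss: float         # CVSS base score, 0-10
    public_exploit: bool  # exploit code is publicly available


# Constructed inventory: the open source components a project actually ships.
INVENTORY = {"web-framework": "2.3.15", "file-utils": "2.11.0", "log-helper": "1.4.2"}

# Constructed advisory feed; the CVE-0000-* identifiers are placeholders.
ADVISORIES = [
    Advisory("CVE-0000-0001", "web-framework", "2.3.16", 9.3, True),
    Advisory("CVE-0000-0002", "log-helper", "1.4.0", 7.5, False),
    Advisory("CVE-0000-0003", "web-framework", "2.4.0", 5.3, False),
]


def affected(inventory, advisories):
    """Return advisories whose package is in the inventory at a version below the fix."""
    return [a for a in advisories
            if a.package in inventory
            and parse_version(inventory[a.package]) < parse_version(a.fixed_in)]


def prioritize(hits):
    """Public exploit first, then higher CVSS: the order the text argues remediation should follow."""
    return sorted(hits, key=lambda a: (a.public_exploit, a.cvss), reverse=True)


def remediation_plan(inventory=INVENTORY, advisories=ADVISORIES):
    """Ordered (cve, package, installed version, fixed version) tuples for the remediation queue."""
    return [(a.cve, a.package, inventory[a.package], a.fixed_in)
            for a in prioritize(affected(inventory, advisories))]


if __name__ == "__main__":
    for cve, pkg, have, fix in remediation_plan():
        print(f"{cve}: {pkg} {have} -> upgrade to {fix}")
```

With the constructed data, log-helper 1.4.2 is already past its fix and is not reported, while both web-framework advisories are, the one with a public exploit first.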

Some open source security management systems continuously scan for vulnerabilities and have auto-remediation capabilities. These minimize the effort that needs to be put into securing applications against known vulnerabilities. If you have extensively used open source code in your projects, these solutions are well worth the investment. Most will more than pay for themselves over time in terms of the time saved remediating vulnerabilities and by preventing the exploitation of vulnerabilities.