Beware of security vulnerabilities: What you don't know can come back to haunt you


Opensource.com

With all the benefits of open source, improper management of its use may result in substantial legal, business, and technical risks. Most research and design managers know that they have to manage open source licenses, but not many are monitoring for security vulnerabilities and other bugs in open source libraries they use.

Do you know the importance of monitoring open source for vulnerabilities before, during, and after using it?

Open source is code like any other, and according to a study by Coverity it likely contains defects at a rate similar to other software (roughly 1 defect per 1000 lines of code). According to Veracode's State of Software Security report, 70% of applications fail to comply with basic enterprise security policies such as the OWASP Top 10 and the CWE/SANS Top 25. Yet while software developers test their own code regularly and rigorously, and tend to fix security vulnerabilities in it immediately, most pay little attention to the open source libraries that ship with their products.

Popular open source projects are of course scrutinized by many users, who often discover defects more quickly than would otherwise happen, and those defects are well documented. At the time of writing, the Common Vulnerabilities and Exposures (CVE) database lists hundreds of security vulnerabilities that are directly related to open source libraries. Even better, open source communities are often quick to fix and otherwise upgrade their code (sometimes more than five times a year). Unfortunately, developers who do not monitor for these discoveries and updates never learn of the vulnerabilities, and so never upgrade the version of the library they use.

According to White Source research, 85% of software projects use outdated libraries.

When you choose to use an open source solution, you usually select the latest version of a given library. From that point on you must continuously monitor the various repositories for newly discovered vulnerabilities. You might also know that there are open source management systems that can proactively alert you when a security vulnerability is discovered in a specific library you are using, as well as when a new version is released that fixes it and other defects.
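As an added illustration (not White Source's product or any code from this article), the core check such a management system performs: compare the library versions you ship against advisories that give an affected version range and the first fixed version, and report what needs upgrading. The package names, version ranges and CVE ids below are constructed placeholders.

```python
"""Match a dependency manifest against vulnerability advisories (constructed data)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    cve: str          # placeholder id, not a real CVE
    package: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive upper bound)


def parse_version(v):
    """Dotted numeric versions only; a suffix such as '-rc1' on a part is ignored."""
    parts = []
    for part in v.split("."):
        m = re.match(r"\d+", part)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def is_affected(version, adv):
    """True when introduced <= version < fixed."""
    ver = parse_version(version)
    return parse_version(adv.introduced) <= ver < parse_version(adv.fixed)


def find_vulnerable(manifest, advisories):
    """Return (package, shipped_version, cve, fixed_version) for every match."""
    findings = []
    for pkg, ver in manifest.items():
        for adv in advisories:
            if adv.package == pkg and is_affected(ver, adv):
                findings.append((pkg, ver, adv.cve, adv.fixed))
    return sorted(findings)


# Constructed sample data: what a product ships, and a few advisories.
MANIFEST = {"libfoo": "1.2.3", "libbar": "2.0.0", "libbaz": "0.9.1"}
ADVISORIES = [
    Advisory("CVE-PLACEHOLDER-1", "libfoo", "1.0.0", "1.2.4"),  # libfoo 1.2.3 affected
    Advisory("CVE-PLACEHOLDER-2", "libbar", "1.5.0", "2.0.0"),  # libbar already on fixed version
    Advisory("CVE-PLACEHOLDER-3", "libqux", "0.0.0", "3.0.0"),  # package not shipped at all
]

if __name__ == "__main__":
    for pkg, ver, cve, fixed in find_vulnerable(MANIFEST, ADVISORIES):
        print(f"{pkg} {ver} is affected by {cve}; upgrade to {fixed}")
```

In practice the advisories come from a vulnerability feed and the manifest from your build, but the comparison is the same; the version parser deliberately does not handle pre-release ordering.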

Remember: your product ships not only with your code, but also with that of the open source libraries you use. The quality of your own product and the security of your customers are directly related.

Rami Sass is CEO and co-founder of White Source. He is an experienced entrepreneur with vast experience in R&D and product management. At Eurekify and later CA, Rami became an expert in designing and implementing complex management and compliance software systems, and in delivering them to the market.

3 Comments

"You might also know that there are open source management systems that can proactively alert you when security vulnerabilities are being discovered in specific libraries that you are using (as well as to when a new version is being put out that fixes these and other defects!)"

It'd be really nice to know what those management systems are.

Most of the open source software packages/libraries we use come from the distro (CentOS, Ubuntu, Debian) so we rely on the distro maintainers to provide security updates and bug fixes.

What we get from elsewhere is managed by simply following some mailing lists or RSS feeds. It's not a lot of work, but having an automated system that alerts me or my team would be better.

Thanks!

Hi Ricardo,

Solutions, such as White Source Software, are available that enable you to automate the management of "What we get from elsewhere".

Regards,
Avi

Protecode is another option for automating open source management in real-time.

This work is licensed under a Creative Commons Attribution-Share Alike 3.0 Unported License.