The use of open source software—a publicly accessible software in which anyone can inspect, change, and enhance the original source code—is booming. Organizations and individuals around the world rely on open source software because of its cost-effectiveness, flexibility and agility, abundant support, and many other benefits. In fact, it’s approximated that open source code components constitute about 60% to 80% of modern web applications.
Despite the widespread dependence on open source in powering mission-critical IT solutions, most users are generally lax when it comes to ensuring that these assets meet the necessary security standards. Gartner reports that without establishing effective governance processes, open source software can maximize risks and minimize ROI in your organization.
#1 Open Source Software Security Risks
Open source software is usually considered to be more secure than proprietary software. Because the code is open for review by the community, and many eyes are looking at it, finding and fixing open source code problems is much easier than in commercial software. Furthermore, community-driven software projects release patches and new versions much faster.
On the flip side, the publicity of open source exploits provides a lucrative opportunity to attackers. After the security research community identifies open source vulnerabilities, they are reported to the project managers, who are formally responsible for the code and its bugs. The project managers are given time to fix the issues before the information is publicized.
Eventually, the flagged potential exploits are published on public databases, like the National Vulnerability Database (NVD), for everyone to see. The published details include the versions affected and how the exploit can be carried out.
Therefore, the primary security risk in open source software does not lie on unknown vulnerabilities, but on known vulnerabilities listed on public databases. No wonder a Gartner survey of IT practitioners revealed that 57% of the respondents regard security as a significant challenge when using open source code to build applications.
The publicity of open source exploits allows hackers to strike oil with less effort. They do not need to do a lot of groundwork to find their own way into your backend and cause havoc to your application. Hackers can use the publicly available information to target organizations that have not yet implemented a patch. That’s why it’s important to discover the flaws in your code before hackers do.
An infamous example is the Equifax data breach in 2017. The popular consumer credit reporting company neglected to patch an already publicized vulnerability in one of its open source components. Unfortunately, this led to the exposure of the sensitive personal information of millions of users. Worse still, Equifax was required to pay up to $425 million to assist people who were affected by the incident.
#2 Open Source Software Licensing Compliance Risks
A license governs the use of open source software. These licenses define the legal terms and conditions for consuming and distributing the software’s source code. With about 110 licenses approved by the OSI (Open Source Initiative) and several others floating around the murky open source waters, learning the ropes could be daunting.
If you’re not compliant with the open source license you’re consuming, you could face legal action, affecting your operations and financial stability. For example, CoKinetic Systems Corporation, globally known for innovating in-flight entertainment (IFE) software and services, sued Panasonic Avionics Corporation in a $100 million court case for an open source license violation.
There is also the issue of open source license conflicts. Every license comes with its own unique permissions and limitations. If two or more licenses have compatible conditions, you can combine them with each other without any worries. If the conditions are incompatible, however, you could be playing with fire. For example, the Apache 2.0 license is incompatible with the GPL v2 license; so, using them together in a project is risky.
The complexity of open source licensing makes it tremendously challenging to abide by all the legal requirements. Since most open source components usually have multiple direct and transitive dependencies, manually tracking the licensing could be difficult.
#3 Open Source Software Quality Risks
Quality defects are another risk facing the open source software development model. While organizations spend a lot of resources ensuring the quality of proprietary code, it seems that the quality of open source components is often brushed off. According to a WhiteSource survey, while 53% of the respondents said they are concerned about open source security vulnerabilities, and 38% about licensing, a mere 8% admitted to worrying about quality.
The low concern about quality is troubling. Most developers are less concerned about quality issues because of the lack of agreed-upon standards for assessing the quality of open source code. Since open source relies on the community to develop and maintain the software, the varying levels of contributors’ skills and extent of involvement complicate establishing one-size-fits-all security standards. This makes achieving quality assurance a challenge.
You could jeopardize your application’s quality if you incorporate outdated, inconsistent, and unstable open source components.
How To Overcome Open Source Risks
Let’s now discuss some techniques you can use to beat the open source usage risks and take your application security to the next level.
Implement automatic vulnerability scanning
An open source vulnerability scanner allows you to automatically probe the open source components in your project and discover known weaknesses. It works by running through a list of checks to determine if your code has vulnerabilities published on public databases, security advisories, and other sources.
A good vulnerability scanner can bring to the fore the security, licensing, and code quality issues that may prevent you from making the most of open source software. Manually scanning through your code to identify weaknesses is demanding and prone to mistakes. With a scanning tool, you can automatically peruse your code and get recommendations on possible fixes.
A scanner lets you gain visibility into your project and mitigate the security risks of consuming open source software. You can use it to track your licenses and find out if they are compatible with one another, are compliant with your organization’s policies, and meet the stipulated attribution requirements. The tool can also help you expose outdated open source libraries that could ruin the quality of your codebase.
Embrace a security-first culture
In any development project, bugs are inevitable. By embracing a security-fist culture, you can discover weaknesses in your code early and maintain your project’s security. With shift left strategies, you can find defects earlier in the development process when it is easier and cheaper to address them.
A security-first culture ensures that everyone in your organization is involved in minimizing open source risks. When development and security teams work together, security is prioritized throughout the project lifecycle, and it is not an after-thought.
Each open source component should be evaluated based on the number of commits (to establish its level of activity), the number of bugs fixed in each specific version, and the severity of open bugs for each specific version. Those factors help in determining the quality of open source components.
How WhiteSource Bolt Can Assist
WhiteSource Bolt is a free vulnerability scanning tool that can help you overcome the security risks of using open source software. It’s available as a free app on GitHub or as a free extension on Azure DevOps Services.
With Bolt, you can automatically scan your projects and match the open source components against the known vulnerabilities, security risks, code fixes, and updates. It assists you ensure you’re using high-quality open source components as well as licenses that fit your desired business model.
Bolt retrieves vulnerabilities distributed among several different sources. This comprehensive coverage lets you get accurate reports on the current vulnerabilities and their recommended fixes. The tool also integrates with your preferred development environment, allowing you to implement shift left strategies with ease.
Bolt helps you keep a constant eye on your open source consumption and maintain a robust risk-free posture with your open source software. It’s the tool you need to ensure your open source components are providing value to the project, are performant, and are secure.