For a deep dive on the security risks of OSS, listen to Contract CPO Steve Wilson’s conversation with Secure Talk.
How secure is your online banking app? Don’t know? Join the club.
Web applications are built on the code equivalent of tangled spaghetti, including open-source software (OSS) with funny, obscure names: say, Apache, Struts or Log4j — software that can introduce security issues related to newly discovered vulnerabilities.
One excruciating example was Log4j, a simple logging tool. In December 2021, it was discovered to have a major security flaw that was exploited within hours of its discovery having gone public.
It’s not that OSS is more vulnerable to security flaws than proprietary software, mind you. No, the problem is that these open-source components are extremely pervasive. If somebody finds a vulnerability in one of them, they can use that flaw to exploit thousands — or even millions — of applications.
There are a slew of tools to scan code. But these scanners aren’t suited for modern software development. They bleat out so many false positives, the alerts wind up getting ignored.
Fortunately, modern tools use an approach better suited to modern software application development. Called Software Composition Analysis (SCA), these tools compare your open-source libraries against the MITRE vulnerabilities database. One such is CodeSec: a free tool from Contrast that you can run against your application’s libraries to sniff out known vulnerabilities.
But SCA won’t protect you from zero-day vulnerabilities such as Log4j and Spring4Shell. For that, you need runtime defense built into your applications. In the case of Log4j, if you were running Runtime Application Self-Protection (RASP), you didn’t need to know about the Log4j library’s flaw. Rather, RASP would have detected application behavior associated with common web application vulnerabilities, such as the injection attack enabled by the Log4j vulnerability.
When customers using our Contrast Protect RASP tool tested for Log4j, their apps weren’t exploitable. What that means: Their developers got to go home for the weekend instead of hunting for Log4j and patching.
Don’t fear OSS. Just make sure that you’ve got the right tools to ensure it’s a polite guest inside your application — one that lets your devs relax on the weekend.
For a deep dive on the security risks of OSS, listen to Contract CPO Steve Wilson’s conversation with Secure Talk.
