Open source has become nearly ubiquitous with Agile and DevOps. It offers development teams the ability to quickly and easily scale their software development life cycles (SDLC). At the same time, open-source software (OSS) components can introduce security vulnerabilities, licensing issues, and development workflow challenges. Open-source risks include both licensing challenges and cyber threats from poorly written code that leads to security gaps. With the number of Common Vulnerabilities and Exposures (CVE) growing rapidly, organizations must define actionable OSS policies, monitor OSS components, and institute continuous integration/continuous deployment (CI/CD) controls to improve OSS vulnerability remediation without slowing release cycles.
OSS Impact on Software Development
Due to the need for rapid development and innovation, developers are increasingly turning to open-source frameworks and libraries to accelerate software development life cycles (SDLC). Use of open-source code by developers grew 40% and is expected to expand 14% year on year through 2023.
Agile and DevOps enable development teams to release new features multiple times a day, making software development a competitive differentiator. The demand for new and innovative software is brisk—64% of organizations report an application development backlog (19% have more than 10 applications queued).
Beyond helping to accelerate development cycles, OSS enables organizations to lower costs and reduce time to market in many ways. Rather than writing custom code for large segments of applications, developers are turning to OSS frameworks and libraries. This reduces cost while enabling much greater agility and speed.
Unmanaged Use of Open Source Introduces Significant Risk
Despite all its benefits, OSS can present an array of risks with licensing limitations as well as security risks. Following is a quick look at some of these.
Navigating OSS licensing risk can be a chore
An area that organizations should not overlook in terms of risk is OSS licensing. Open source can be issued under a multitude of different licenses, or under no license at all. Not knowing the obligations that fall underneath each particular license (or not abiding by those obligations) can cause an organization to lose intellectual property or experience a monetary loss. While OSS is free, this does not mean it cannot be used without complying with other obligations. Indeed, there are over 1,400 open software licenses that software can fall under with a variety of stipulations restricting and permitting use.
With shift-left methodologies gaining traction, organizations are focused on finding and preventing vulnerabilities early in the software delivery process. However, open-source licensing issues will not show up at this stage unless software composition is analyzed. Waiting until right before release cycles to check on open-source licensing issues can incur significant development delays—time spent reworking code and checking it for vulnerabilities and bugs. Additionally, as development teams are measured on the speed and frequency of releases, these delays can be particularly onerous.
Flying blind with open source leads to security risks
With the use of OSS, there is a possibility to introduce an array of vulnerabilities into the source code. The reality is that developers are under increasing pressure to write feature-rich applications within demanding release windows. When the responsibility of managing application security workflows and vulnerability management is added, including analysis of OSS frameworks and libraries, it becomes increasingly difficult for them to efficiently and effectively ensure security remains top of mind. In addition, for legacy application security models, code scanning as well as triage, diagnosis, and remediation of vulnerabilities requires specialized skill sets that developers are not commonly trained on.
A critical part of the problem is that legacy application security uses an outside-in model where security sits outside of the software and SDLC. However, research shows that security must be built into development processes from the very start—and this includes the use of open-source frameworks and libraries.
Since OSS is publicly available, there is no central authority to ensure quality and maintenance. This makes it difficult to know what types of OSS are most widely in use. In addition, OSS has numerous versions, and thus older versions may contain vulnerabilities that were fixed in subsequent updates. Indeed, according to the Open Web Application Security Project (OWASP), using old versions of open-source components with known is one of the most critical web application security risks. Since security researchers can manually review code to identify vulnerabilities, each year thousands of new vulnerabilities are discovered and disclosed publicly, often with exploits used to prove the vulnerability exists.
But Common Vulnerabilities and Exposures (CVEs) are just a tip of the iceberg. Open source contains a plethora of unknown or unreported vulnerabilities. These can pose an even greater risk to organizations. Due to its rapid adoption and use, open source has become a key target for cyber criminals.
Elements of a Modern OSS Security Strategy
To effectively realize the many OSS benefits, development teams must implement the right application security strategies. It all starts with setting up the right policies.
OSS management requires the right guidance
Organizations use policy and procedures to provide guidance for proper usage of OSS components. This includes which types of OSS licensing are permitted, which type of components to use, when to patch vulnerabilities, and how to prioritize them.
To minimize the risk associated with licensing, organizations need to know which licenses are acceptable by use case and environment. And when it comes to security, application security teams need policies to help disclose vulnerabilities. For example, a component with a “high” severity vulnerability may be acceptable in an application that manages data that is neither critical nor sensitive and that has a limited attack surface. However, according to a documented policy, that same vulnerability is unacceptable in a public-facing application that manages credit card data and should be remediated immediately.
A software bill of materials provides comprehensive visibility
According to Gartner, one of the first steps to improving software security is to ensure that a software bill of materials (SBoM) exists for every software application. An SBoM is a definitive list of all serviceable parts (including OSS) needed to maintain an application. Since software is usually built by combining components—with development frameworks, libraries, and operating system features—it has a “bill of materials” that describes the bits that comprise it, just as much as hardware does.
A critical aspect of maintaining an effective software inventory is to ensure that it accurately and dynamically represents the relationships between components, applications, and servers—so that development teams always know what is deployed, where each component resides, and exactly what needs to be secured. Once an SBoM is built, it needs to map to a reliable base of license, quality, and security data.
Instrumentation protects against attacks in real time
Since cyber criminals often launch attacks on newly exposed vulnerabilities in hours or days, an application security solution is needed to immediately protect against exploitation of open-source vulnerabilities. Security instrumentation embeds sensors within applications so they can protect themselves from the most sophisticated attacks in real time. This enables an effective open-source risk management program—the ability to deliver the quickest possible turnaround for resolving issues once they emerge. This includes providing insight into which libraries are in use by the application, which helps development teams to prioritize the fixes that pose the greatest likelihood of exploitation. Security teams can also leverage this functionality to foster goodwill with developers; too often, developers are overwhelmed by the sheer volume of findings presented by legacy software composition analysis (SCA) tools.
It is no surprise that automating some application security processes improves an organization’s ability to analyze and prioritize threats and vulnerabilities. Last year’s “Cost of a Data Breach Report” from Ponemon Institute and IBM Security finds that organizations without security automation experience breach costs that are 95% higher than breaches at organizations that have fully deployed automation.
Automated controls by pipeline provide timely and accurate feedback
Another approach in securing the use of OSS in DevOps environments is to embed automated controls in continuous integration/continuous deployment (CI/CD) processes. OSS elements often do not pass the same quality and standards checks as proprietary code. Unless each open-source component is evaluated before implementation, it is easy to incorporate code containing vulnerabilities.
When properly operationalized, an open-source management solution can automatically analyze all dependencies in a project. If vulnerable components are detected in an application build, an automated policy check should trigger a post-build action failing or mark the build as unstable based on set parameters. Regardless of the specific process and tooling an organization has in place, the goal should always be to deliver immediate and accurate feedback to developers so that they can take direct action to keep the application secure and functional.
Minimize OSS Risks with Automated AppSec Processes
The many advantages of using open-source components in applications come with a cost—risk exposures in both licensing and cybersecurity. As a favorite target of cyber criminals, open-source code vulnerabilities can become a moving target requiring constant vigilance to prevent bad actors from taking advantage. Successfully managing OSS increasingly depends on automated application security processes. Automation helps organizations track all the open-source components in use, identify any associated risks, and enable effective mitigation actions so that teams can safely use open source without inhibiting development and delivery.
For more information on what organizations need to seek when securing open source, read the eBook, “The DevSecOps Guide to Managing Open-Source Risk.”
