Companies often have little clue about the extent of third-party code in the enterprise or the risks it poses, security experts say.
The data breaches disclosed earlier this month at Park ‘N Fly and OneStopParking.com, two major airport parking services, highlight the continuing risk that enterprises face from using open-source software in their environments without a plan for managing it.
Both Park ‘n Fly and OneStopParking,con were victimized by a security vulnerability in the Joomla open-source content management platform for which a patch had been issued last September, but which neither company had apparently installed. As if last year’s Heartbleed, Shellshock, and POODLE flaws weren’t enough of a wake-up call already, the breaches were another reminder of how flaws in third-party software can sometimes cause major headaches for companies that are not prepared for them.
A lot of companies these days use open-source code in internal software development projects, says Bill Ledingham, chief technology officer at Black Duck Software Inc., a company that helps enterprises keep tabs on third-party code use in their software environments.
Often, large internally developed enterprise applications can include dozens of open-source software components. And some companies can have hundreds, and even thousands of applications running open-source code, he says. “There’s a tremendous change in how open source is being used these days,” by enterprise software development groups, Ledingham says.
He estimates that close to a third of all software used in enterprises, including Fortune 500 firms, is derived from open source. In some cases, like mobile, cloud, and big data applications, open source accounts for 60 to 80 percent of the total code, he says. As open source use has increased enterprise concerns have shifted dramatically from IP and licensing issues to the potential security risks caused by the trend.
Ledingham, whose firm tracks close to 1 million open source projects worldwide, says there is nothing about the code that makes it less secure than commercial software products. In fact, the communities that support some of the better-managed projects are more responsive to security threats than commercial vendors.
Even so, open-source software too has it shares of vulnerabilities that developers need to pay attention to and fix promptly to mitigate risks, he said. Of the nearly 8,000 security vulnerabilities disclosed in the national vulnerability database last year, nearly 40 percent were in open-source software, he said.
The real problem stems from the manner in which third-party code is consumed and deployed within the enterprise, he said. Companies that use open source heavily often have few measures for vetting software quality or for tracking how and where the software is used. Many install code with previously disclosed vulnerabilities in them or remain dangerously oblivious to vulnerability disclosures impacting their software.
Some large companies do have well-managed and tightly controlled processes for integrating open source software into their software development projects. For example, some have a central group of developers responsible for finding and vetting open-source code and putting it in a catalog of approved code for their organizations. But many don’t, Ledighman says.
Wayne Jackson, CEO of Sonatype Inc., likens the attitude towards open source among some companies to automakers letting assembly line workers choosing their own components for assembly. “You can imagine what a Frankenstein vehicle that would make,” says Jackson, whose company, like Black Duck, helps firms manage and secure open-source code in their software.
“The best companies have protocols for understanding what is being used. They know what is being integrated into a given piece of software and they monitor for critical vulnerability disclosures,” Jackson says.
Enterprises that do not have these processes are the ones that are most unprepared to deal with threats like those posed by Heartbleed, Shellshock, and POODLE, Jackson said.
Jackson, whose company maintains a sort of GitHub for open-source binaries, says a staggering 17.2 billion open-source components, including everything from web application and wireless frameworks, to small logging utilities, were downloaded last year around the world. That included about 82,000 organizations.
It is impossible to know how much of that software actually has found its way into enterprise projects. But it is a safe bet to assume almost all software used by companies these days has an open-source underpinning, Jackson said.
Concerns over the extent of open source use in software these days prompted lawmakers to introduce the Cyber Supply Chain Management and Transparency Act of 2014 in December. The bill would require companies supplying software products and services to the government to certify the extent of open source use and guarantee there are no known vulnerabilities in the software.
The takeaway for companies is straightforward, Jackson said. The key to using this software safely begins with just knowing what you have. “There is no magic” he says. “Just know what you are using and define, as an organization the attributes that would make a piece of open source acceptable or not acceptable,” he said.