Keeping Open-Source Safe
July 28, 2014
Featured article by Maty Siman, Founder and CTO, Checkmarx
With the recent spate of vulnerabilities found in OpenSSL, the security of open-source software has been put under the magnifying glass, with industry experts and software developers weighing the merits of using an open-source versus a proprietary code base. There are valid arguments for both, but ultimately the risk of a vulnerability can be the same whether it is rooted in proprietary or open-source code. An SQL injection vulnerability, for example, is no less effective at installing malware or leading to the theft of customer data regardless of whether the application is open or closed. Both types of code base are equally susceptible to attack, and both need to be protected.
That said, the differences come into play when considering the likelihood of finding a vulnerability and the impact that flaw might have. The likelihood of finding a vulnerability in open-source code is far greater than in proprietary code, as the code is open for all to read (whereas proprietary code is not exposed and thus requires a greater investment to uncover a flaw). Earlier this year the discovery of the Heartbleed bug in OpenSSL was made not by the team of mostly volunteers dedicated to maintaining the code, but by third-party researchers who were able to freely examine the code because of its public availability. Had the Heartbleed bug been present in proprietary code instead, it is less likely that it would have been discovered as quickly, if ever.
Moreover, each flaw in open-source code has a much greater prevalence than one present in a piece of proprietary code with a far more limited reach, so its potential impact is much greater. The same open-source code is used in millions of apps, devices, and websites globally, making a single flaw embedded in that code a potentially major security breach. When Heartbleed was discovered, security professionals and the public panicked because it affected many websites and applications that hold sensitive information and are used daily. A similar vulnerability found in proprietary code might have been damaging, but not in the same universally catastrophic way.
Advanced Attacks on Open-Source
As hackers continue to take advantage of the widespread damage that vulnerabilities in open-source code can cause, the cyber-security industry has innovated solutions to combat them. But those intent on exploiting flaws in open-source code will find ways to outsmart or avoid security measures, quite possibly by actively participating in the very development of the open-source components they plan on attacking. A hacker can join a software development community and contribute for an extended period of time, gaining other members’ trust and respect. This way when the time comes for the hacker to install the malicious code into the software, the move will not raise any suspicion.
Currently, industries worldwide are seeing a trend of sophisticated targeted attacks that indicate a high level of investment of time and effort, making the above scenario a likely one in the near future. In fact, a similar tactic was used by attackers in last year's "watering hole" attack against Apple and other major corporations. In that case, hackers used a popular website for iPhone developers to infect developers' devices and web browsers with malware that was able to exfiltrate the developers' code. The site was an attractive target because it was visited by developers from high-profile companies such as Apple, Facebook and Twitter, all of whom reported suffering from the same breach.
How to Stop It
Confronted with the likelihood that tactics for attacking open-source code will only grow more advanced, the cyber-security industry must work to reduce the frequency and impact of such attacks to prevent widespread damage and alarm to consumers and corporations. The open-source community should apply the same security procedures that developers use for proprietary code, including scanning the platform, frameworks, and modules. Developers who integrate open-source code into their own code must be vigilant in securing it before they release their product to market, by bringing open-source modules within their Secure Development Life Cycle practices. By instituting equally stringent security procedures for open-source and proprietary code, developers can protect company and consumer data and make the internet a safer tool for everyone.
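One concrete way to bring open-source modules into an SDLC gate, as described above, is to audit the project's dependency manifest before a build is allowed to ship. The following is an added example, not code from the article or from Checkmarx: it parses a constructed `requirements.txt`-style manifest, flags entries that are unpinned, lack an integrity hash, or match a constructed advisory table, and exposes a `gate()` function a CI step could call. The package names, versions and advisory data are placeholders; a real pipeline would consult an actual vulnerability database.

```python
"""Dependency audit gate: an illustrative SDLC check for open-source modules.

Added example (not the article's or Checkmarx's code). The manifest text and the
advisory table below are constructed for demonstration only.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample manifest: one hashed pin, one unpinned entry, one pin without a hash.
SAMPLE_REQUIREMENTS = """\
requests==2.19.0 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
pyyaml            # no version at all
flask==1.0.2
"""

# Constructed advisory table (placeholder data): package -> versions to reject.
KNOWN_VULNERABLE: Dict[str, Set[str]] = {
    "requests": {"2.19.0"},
}

# Matches "name" or "name==version"; the rest of the line may carry --hash options.
_LINE_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(?:==\s*([^\s#]+))?")


@dataclass
class Finding:
    package: str
    version: Optional[str]
    issue: str


def _normalize(name: str) -> str:
    """Package names are case-insensitive and '_' and '-' are interchangeable."""
    return name.lower().replace("_", "-")


def parse_requirements(text: str) -> List[Tuple[str, Optional[str], bool]]:
    """Return (name, pinned_version_or_None, has_hash) for each non-empty line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        match = _LINE_RE.match(line)
        if not match:
            continue
        name, version = _normalize(match.group(1)), match.group(2)
        has_hash = "--hash=" in line
        entries.append((name, version, has_hash))
    return entries


def audit(text: str, advisories: Dict[str, Set[str]] = KNOWN_VULNERABLE) -> List[Finding]:
    """Collect policy violations: unpinned, unhashed, or advisory-listed dependencies."""
    findings: List[Finding] = []
    for name, version, has_hash in parse_requirements(text):
        if version is None:
            findings.append(Finding(name, None, "unpinned: build is not reproducible"))
            continue
        if not has_hash:
            findings.append(Finding(name, version, "no --hash: artifact integrity not verified"))
        if version in advisories.get(name, set()):
            findings.append(Finding(name, version, "version listed in advisory table"))
    return findings


def gate(text: str, advisories: Dict[str, Set[str]] = KNOWN_VULNERABLE) -> bool:
    """True when the manifest passes and the build may proceed."""
    return not audit(text, advisories)


if __name__ == "__main__":
    for f in audit(SAMPLE_REQUIREMENTS):
        print(f"{f.package} {f.version or '(unpinned)'}: {f.issue}")
    print("gate:", "PASS" if gate(SAMPLE_REQUIREMENTS) else "FAIL")
```

Run against the sample manifest, the gate fails on all three lines for different reasons; pinning every dependency with a hash and removing advisory-listed versions makes it pass. The point is that the check runs automatically on every build rather than relying on someone remembering to review the third-party code.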
Maty Siman is the Founder & CTO of Checkmarx, a leading developer of software solutions that allow organizations to introduce security into their Software Development Lifecycle (SDLC). The company's 400+ customers include 4 of the world's top 10 software vendors and many Fortune 500 and government organizations, including Coca Cola, Salesforce and the US Army.