Organisations whose in-house applications draw on open source code are no less secure for it. Still, enterprises will need to navigate the complexities of managing such fast-changing environments with automation tools that help them respond to new vulnerabilities quickly and effectively. According to Phillip Ivancic, Asia-Pacific head of solutions strategy at Synopsys Software Integrity Group, nearly all internally developed software today contains open source code in some form.
According to the security vendor’s 2022 Open Source Security and Risk Analysis report, 97% of commercial codebases were found to contain some form of open source code, and, on average, 78% of the code in those codebases was open source. The report, released in May, is based on an analysis of 2,409 commercial codebases across 17 industries.
Today, most organisations are comfortable using open source code rather than building everything from scratch when developing their own software, said Liu Yang, co-founder and CEO of Scantist, an application security vendor that spun off in 2016 from a research lab at Singapore’s Nanyang Technological University (NTU). In an interview, Liu noted that organisations can tap and build upon open source software (OSS) from existing codebases and well-established libraries. Andrew Martin, Databricks’ South Asia head, agreed, adding that open source allows organisations to innovate faster because they can depend on and leverage code that is readily available, instead of spending resources building software in-house without knowing what to expect.
Martin added that open source technology also offers full transparency and visibility into the source code, giving data teams a connection to the wider open source community. Liu, however, points out the disadvantage of tapping open source code: any vulnerability in that code is automatically inherited by the enterprise application that hosts it. He therefore cautioned that open source vulnerabilities should be addressed first; failing to do so could lead to more serious security risks for businesses that remain unaware of such vulnerabilities and so never update their software.
The Synopsys study further revealed that about 81% of codebases contained at least one known open source vulnerability, a drop of about 3% from the previous year’s figure. While tapping open source in no way implies that in-house software is less secure, doing so brings key considerations that must be addressed and managed. Companies should take the time to know every OSS component in their projects’ codebase, including the exact versions in use, so that they can determine whether an application is affected when a new high-risk vulnerability is discovered.
Another safeguard when tapping open source code is maintaining a Software Bill of Materials (SBOM). Such a central inventory ensures companies can respond quickly when new vulnerabilities are uncovered, as with last year’s high-profile zero-day flaw in Log4j. With an SBOM, they can identify which applications are vulnerable and deploy the necessary remediation. The Log4j zero-day flaw in particular was likely to spawn more vulnerabilities in the coming years, given the increasing use of OSS, said Liu.
Liu explains that Log4j is a fundamental Java library used by half of Java applications, and that it potentially had severe vulnerabilities. Hackers could take advantage of the Log4j flaw to carry out remote attacks and use a company’s OSS library to control its systems. Such vulnerabilities are tough to deal with due to the layered nature of OSS development. “If you’re using an OSS library for one application, that library likely is using a second library and that, in turn, is using a third library,” Liu explained. “If the third library has a critical vulnerability and you’re using the first library, there is an intrinsic vulnerability in this dependency chain. It can present security risks for you, even if you’re not using the third library.”
Liu further noted that identifying all passive and indirect dependencies may not be easy, as companies could find it difficult to access security experts capable of carrying out such work. Ivancic, for his part, stresses the need for organisations to invest effort in understanding the operational and licensing risks involved in using open source code. He also noted that OSS codebases without an active community of contributors could pose serious risks, especially because new vulnerabilities might not be uncovered and patched in a timely fashion.
The Synopsys study also found that 88% of codebases used components that were not the latest version, while 84% had open source code that was no longer current, being more than four years out of date. In addition, 53% of audited codebases had licensing conflicts and 20% contained open source with no license or a custom license. Ivancic noted that open source projects carry a range of licensing provisions, from very permissive to those that may require users to publish derivative works under the same licensing terms. An SBOM would better enable organisations to track these different licensing conditions, he said. “If organisations aren’t proactive about maintaining and reviewing their vulnerability updates, they run the risk of becoming an easy target for attackers,” he noted. “Additionally, if they fail to comply with open source licenses, they can put their business at risk of litigation and open themselves to threats to their intellectual property.”
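The two SBOM uses described above (tracing the dependency chain Liu describes down to a vulnerable third-level library, and tracking licensing conditions across the same inventory) can be shown in a single script. This is an added example written for this article; it is not code from Scantist, Synopsys or any other vendor named here. It assumes the SBOM is a CycloneDX-style JSON document (components keyed by `bom-ref` plus a `dependencies` graph); the SBOM contents, the advisory feed (with a placeholder advisory identifier rather than a real CVE number) and the licence policy are all constructed for illustration, and every component name except the real `org.apache.logging.log4j:log4j-core` artifact is invented.

```python
"""Added example: walk an SBOM to find transitive exposure to a vulnerable
component and to flag licence conditions on the same dependency chain.
Assumes a CycloneDX-style JSON SBOM; the advisory feed and policy are constructed."""
from collections import deque

# Constructed SBOM fragment. All names except the real log4j-core artifact
# are invented; versions and licences are illustrative only.
SBOM = {
    "components": [
        {"bom-ref": "app", "name": "payments-service", "version": "2.3.0", "licenses": [{"license": {"id": "LicenseRef-Proprietary"}}]},
        {"bom-ref": "web", "name": "acme-web-framework", "version": "5.1.2", "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"bom-ref": "logging", "name": "acme-logging-facade", "version": "1.4.0", "licenses": [{"license": {"id": "MIT"}}]},
        {"bom-ref": "log4j", "name": "org.apache.logging.log4j:log4j-core", "version": "2.14.1", "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"bom-ref": "pdf", "name": "acme-pdf-tools", "version": "0.9.0", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"bom-ref": "util", "name": "acme-string-utils", "version": "3.0.1", "licenses": []},  # no licence declared
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["web", "pdf"]},
        {"ref": "web", "dependsOn": ["logging", "util"]},
        {"ref": "logging", "dependsOn": ["log4j"]},
        {"ref": "log4j", "dependsOn": []},
        {"ref": "pdf", "dependsOn": ["util"]},
        {"ref": "util", "dependsOn": []},
    ],
}

# Constructed advisory feed. The identifier is a placeholder, not a real
# CVE number; "fixed_in" is the first version that is not affected.
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "name": "org.apache.logging.log4j:log4j-core", "fixed_in": "2.17.1"},
]

# Constructed licence policy: copyleft licences need legal review before shipping.
REVIEW_LICENSES = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}


def version_tuple(version):
    """Turn "2.14.1" into (2, 14, 1) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def build_graph(sbom):
    """Index components by bom-ref and dependency edges by parent ref."""
    comps = {c["bom-ref"]: c for c in sbom["components"]}
    edges = {d["ref"]: list(d.get("dependsOn", [])) for d in sbom["dependencies"]}
    return comps, edges


def dependency_paths(edges, root):
    """Breadth-first walk from root; returns, for each reachable ref, the
    shortest chain of refs root -> ... -> ref (depth 1 = direct dependency)."""
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        current = queue.popleft()
        for child in edges.get(current, []):
            if child not in paths:  # first visit yields the shortest chain
                paths[child] = paths[current] + [child]
                queue.append(child)
    return paths


def vulnerable_paths(sbom, advisories, root="app"):
    """Every reachable component matching an advisory, with the chain that
    pulls it in, so an indirect dependency is reported like a direct one."""
    comps, edges = build_graph(sbom)
    findings = []
    for ref, chain in dependency_paths(edges, root).items():
        comp = comps[ref]
        for adv in advisories:
            if comp["name"] == adv["name"] and \
               version_tuple(comp["version"]) < version_tuple(adv["fixed_in"]):
                findings.append({"advisory": adv["id"], "component": comp["name"],
                                 "version": comp["version"], "depth": len(chain) - 1,
                                 "chain": [comps[r]["name"] for r in chain]})
    return findings


def license_review(sbom, root="app"):
    """Reachable components whose licence needs review, and those that
    declare no licence at all (both tracked through the same SBOM)."""
    comps, edges = build_graph(sbom)
    needs_review, missing = [], []
    for ref in dependency_paths(edges, root):
        if ref == root:
            continue
        ids = [lic["license"].get("id") for lic in comps[ref].get("licenses", [])]
        if not ids:
            missing.append(comps[ref]["name"])
        elif any(i in REVIEW_LICENSES for i in ids):
            needs_review.append((comps[ref]["name"], ids))
    return needs_review, missing


if __name__ == "__main__":
    for f in vulnerable_paths(SBOM, ADVISORIES):
        print(f"{f['advisory']}: {f['component']} {f['version']} reached via "
              + " -> ".join(f["chain"]) + f" (depth {f['depth']})")
    review, missing = license_review(SBOM)
    print("licence review:", review)
    print("no licence declared:", missing)
```

Run against the constructed SBOM, the script reports the vulnerable log4j-core version at depth 3 (application, web framework, logging facade, log4j-core) even though the application never declares it directly, which is exactly the "third library" case in Liu's description; the same walk flags the copyleft PDF component for licence review and the utility library that declares no licence at all. Bumping the log4j-core entry to the fixed version makes the finding disappear, which is the check a pipeline would run after remediation.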
Like Liu, Ivancic underscored the importance of mitigating risks according to internal security policies by building automation into development pipelines. Ivancic explains that “OSS is not insecure per se… the challenge is with all the versions and components that may make up a software project. It is impossible to keep up without automation and prioritisation.” He noted that the OSS community was responsive in addressing security issues and deploying fixes, but organisations tapping OSS would still have to navigate the complexity of ensuring their software runs on the correct, up-to-date codebase. This was compounded by the fact that most organisations manage many projects concurrently, he said, stressing the importance of establishing a holistic software security strategy.
Ivancic pointed out that the US National Institute of Standards and Technology (NIST) offers a software supply chain framework that organisations can use when planning their OSS security response. Asked whether regulation had a vital role to play in driving better security practices, Liu said that most organisations consider investing in cybersecurity expensive and would not address it actively without some incentive. Corresponding governance or regulatory policies would therefore go a long way towards improving the overall security of open source software, he said.
He further explained that developers have discussed the risks of backdoors and malicious code, and have concluded that better governance is needed in terms of security and responsibility. Liu added that his research team at NTU is moving to propose a set of mechanisms and rules to address OSS security. Regulation cannot resolve everything on its own, however; organisations still need to invest in strategies that continually deliver improved security in a cost-effective way. That said, Liu thinks this is where the wider ecosystem can collaborate and collectively achieve its goals. He added that Scantist, whose software composition analysis tool is called Thompson, recently rolled out a bug bounty programme that gave participants the opportunity to use software composition analysis to find and fix vulnerabilities. The objectives were simple: to promote OSS security and raise awareness amongst small and midsize businesses. The Thompson software is said to help enterprises manage the security and compliance risks of their open source libraries.
Asked about its stance on security regulations for organisations in Singapore, a spokesperson for the Cyber Security Agency of Singapore (CSA) told ZDNet that the agency currently has no plans to impose security regulations related to the use of open source software. Instead, the government agency is advocating that all Singapore organisations adopt zero trust principles and build their cyber defences on that framework. The CSA spokesperson added that OSS security should be assessed as part of a company’s efforts to reduce risks from its supply chain partners. To help enterprises do so, CSA has introduced several measures, including programmes for CII (critical information infrastructure) sectors and smart consumer devices. The CII Supply Chain programme, introduced in 2021, aims to outline processes and best practices that help CII operators and their vendors manage supply chain risks and strengthen their supply chain cybersecurity posture.
The CSA spokesperson also said that earlier in the year the agency introduced the Cyber Essentials and Cyber Trust certification marks, which certify the cybersecurity measures organisations adopt for their products and services. The initiative aims to provide “visible indicators” of businesses that prioritise cybersecurity and to raise the level of trust and confidence amongst organisations that transact with certified players. He added that the Cybersecurity Labelling Scheme rates smart devices according to their level of cybersecurity provisions, with levels 3 and 4 the two highest categories. He noted that products certified under the Singapore Common Criteria Scheme would have undergone binary analysis to identify known vulnerabilities in OSS.
According to the Synopsys study, the Internet of Things (IoT) industry is among the heaviest users of open source, with 100% of codebases in this sector containing open source code. However, 64% of IoT codebases were found to contain vulnerabilities.
Martin noted that open source was never meant to compete with traditional proprietary code. “Today, many software developers and entities are looking to integrate open source with existing operating systems and applications. This is different from incompatibilities that can occur due to differences in elements such as data formats. Ultimately, open source integration can happen so long as the development is there.” He added that even the most regulated industries, such as the public sector and financial institutions, now accept that open source is the best way to foster innovation, recruit and retain the best talent, and future-proof a technology platform.