With more than 16,500 known security vulnerabilities catalogued, 2018 set a new record over 2017’s previous record of 14,714. CEOs and security teams of all businesses should take note, given the recent enforcement of the General Data Protection Regulation (GDPR), which penalizes breaches of EU residents’ personal data with staggering fines. Organizations can be fined up to 4 percent of annual global turnover or €20 million, whichever is higher. That’s for each infringement.
The only well-documented breach of EU residents’ data since GDPR enforcement began is Facebook’s loss of data from over 29 million user accounts, three million of which belong to EU residents. Facebook can be expected to go to court to try to avoid paying what may be record fines for data loss.
A Glimpse at the Scope of Open Source Vulnerabilities
Despite its already staggering adoption rate, more open source code is being developed and shared than ever before. More than 90% of the software being written and used today – across a spectrum of consumer, corporate, industrial and governmental systems and devices – leverages open source. There is a caveat, though: the growth in the number of lines of code developed and shared has been accompanied by growth in the number of reported vulnerabilities.
Hackers Love Known Software Vulnerabilities
When searching for weaknesses in applications, middleware and operating systems, hackers target known security vulnerabilities first.
These vulnerabilities are well documented, providing a “roadmap” for hackers to follow. Whether software code is proprietary or open source, it harbors security vulnerabilities. Advocates of open source argue that the accessibility and transparency of the code allow the “good guys” – corporate quality assurance teams, white hat hackers and open source project groups – to find bugs faster.
Conversely, critics of open source contend that more attackers than defenders examine the code, so the net effect is more exploitation of vulnerabilities. Whichever is the case, the open source community is good at addressing vulnerabilities: once a security flaw is discovered, the community quickly catalogues it and provides a patch.
The Number of Reported Vulnerabilities is Increasing
The number of reported vulnerabilities is on the rise. The U.S. government has been tracking this issue as well, through its sponsorship of the Common Vulnerabilities and Exposures (CVE) list and the National Vulnerability Database (NVD). In 2018, this public database published more than 16,500 known security vulnerabilities – more than twice as many as were reported in 2016.
Further complicating matters is the fact that “good” open source code is reused in many different ways, across a spectrum of applications. When a heavily leveraged piece of open source code contains a security flaw, every application that has integrated that code – potentially a very large number – becomes vulnerable.
So how are these known vulnerabilities able to lurk in applications, platforms and devices that leverage open source?
While updated versions of open source components, modules and libraries are available with the known vulnerabilities fixed, in-house software development teams and third-party developers are hard-pressed to track every open source component in their internally developed and externally sourced code.
These challenges are partly due to the software development and procurement model, whereby development teams often receive third-party software in binary format, with no source code or component manifest to inspect.
Know What’s in Your Code
Development, security and software provisioning teams can leverage binary code scanners that use code fingerprinting. These tools extract “fingerprints” from the binary under examination and compare them to fingerprints collected from open source components hosted in well-known open source repositories. Once a component and its version are identified through this fingerprint matching, development and security teams can look up the known security vulnerabilities associated with that component in vulnerability databases such as the NVD. One caveat: a fingerprint match identifies the upstream release, not whether a distributor has backported a fix into that release, so a match should be confirmed before it is treated as an exploitable flaw.
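To make the fingerprinting-and-lookup pipeline concrete, here is an added example (not code from the original article or from any scanning product). It is a toy scanner: it extracts printable strings from a binary the way the `strings` tool does, hashes them into fingerprints, matches the fingerprint set against a catalog of component releases, and then checks the identified release against a vulnerability table. The catalog, the vulnerability table and the sample binary are all constructed inline for the example; the catalog strings are modeled on the version banners zlib and OpenSSL embed, and the CVE identifiers and affected ranges in the table are real (CVE-2014-0160 affects OpenSSL 1.0.1 through 1.0.1f; CVE-2016-9840 through CVE-2016-9843 were fixed in zlib 1.2.9). A real scanner would build its catalog from every release in the upstream repositories and consult the NVD feed rather than a hand-written table.

```python
"""Toy binary fingerprint scanner (added example; catalog, vulnerability
table and sample binary are constructed inline, not taken from any product)."""
import hashlib
import re

STRING_RE = re.compile(rb"[\x20-\x7e]{8,}")  # printable ASCII runs of 8+ bytes


def extract_strings(blob: bytes) -> set[str]:
    """Like the `strings` tool: pull printable ASCII runs out of raw bytes."""
    return {m.group().decode("ascii") for m in STRING_RE.finditer(blob)}


def fingerprint(s: str) -> str:
    """Fingerprint one string constant; a truncated SHA-256 keeps the catalog small."""
    return hashlib.sha256(s.encode("ascii")).hexdigest()[:16]


# Constructed catalog of (component, version) -> string constants.  A real
# scanner harvests these by building each upstream release.  The banners carry
# the version; the generic error messages are shared across releases and so
# carry little signal on their own.
COMPONENT_STRINGS = {
    ("zlib", "1.2.8"): [
        "inflate 1.2.8 Copyright 1995-2013 Mark Adler",
        "deflate 1.2.8 Copyright 1995-2013 Jean-loup Gailly and Mark Adler",
        "incorrect header check",
        "invalid distance too far back",
    ],
    ("zlib", "1.2.11"): [
        "inflate 1.2.11 Copyright 1995-2017 Mark Adler",
        "deflate 1.2.11 Copyright 1995-2017 Jean-loup Gailly and Mark Adler",
        "incorrect header check",
        "invalid distance too far back",
    ],
    ("openssl", "1.0.1f"): [
        "OpenSSL 1.0.1f 6 Jan 2014",
        "SSLv3 part of OpenSSL 1.0.1f 6 Jan 2014",
        "TLSv1 part of OpenSSL 1.0.1f 6 Jan 2014",
    ],
    ("openssl", "1.0.1g"): [
        "OpenSSL 1.0.1g 7 Apr 2014",
        "SSLv3 part of OpenSSL 1.0.1g 7 Apr 2014",
        "TLSv1 part of OpenSSL 1.0.1g 7 Apr 2014",
    ],
}
CATALOG = {key: {fingerprint(s) for s in strs} for key, strs in COMPONENT_STRINGS.items()}
MATCH_THRESHOLD = 0.75  # fraction of a release's fingerprints that must be present


def identify_components(blob: bytes) -> dict[str, str]:
    """Return {component: version} for the best-matching catalog release per component.

    Score = fraction of a release's fingerprints found in the binary, so shared
    strings alone (half of the zlib set) cannot push a wrong release over the bar.
    """
    present = {fingerprint(s) for s in extract_strings(blob)}
    best: dict[str, tuple[float, str]] = {}
    for (component, version), prints in CATALOG.items():
        score = len(prints & present) / len(prints)
        if score >= MATCH_THRESHOLD and score > best.get(component, (0.0, ""))[0]:
            best[component] = (score, version)
    return {component: version for component, (_, version) in best.items()}


def version_key(v: str) -> tuple:
    """Order versions so that 1.2.8 < 1.2.9 and 1.0.1 < 1.0.1f < 1.0.1g (OpenSSL letter suffix)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", v)
    if not m:
        raise ValueError(f"unrecognised version: {v}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))  # pad so 1.2 and 1.2.0.0 compare equal
    return (*nums, m.group(2))


# Constructed excerpt of an NVD-style feed: (component, CVE, first affected
# version or None, first fixed version).  IDs and ranges are real.
VULN_DB = [
    ("openssl", "CVE-2014-0160", "1.0.1", "1.0.1g"),
    ("zlib", "CVE-2016-9840", None, "1.2.9"),
    ("zlib", "CVE-2016-9841", None, "1.2.9"),
    ("zlib", "CVE-2016-9842", None, "1.2.9"),
    ("zlib", "CVE-2016-9843", None, "1.2.9"),
]


def known_cves(component: str, version: str) -> list[str]:
    """CVEs whose affected range [first_affected, fixed) contains the version."""
    key = version_key(version)
    return sorted(
        cve for comp, cve, first, fixed in VULN_DB
        if comp == component
        and (first is None or version_key(first) <= key)
        and key < version_key(fixed)
    )


def scan(blob: bytes) -> dict[str, dict[str, object]]:
    """Full pipeline: strings -> fingerprints -> component/version -> known CVEs."""
    return {comp: {"version": ver, "cves": known_cves(comp, ver)}
            for comp, ver in sorted(identify_components(blob).items())}


# Constructed stand-in for a vendor-supplied binary: junk bytes around the
# string constants of statically linked zlib 1.2.8 and OpenSSL 1.0.1f.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + bytes(range(128, 256))
    + b"\x00".join(s.encode("ascii") for s in
                   COMPONENT_STRINGS[("zlib", "1.2.8")] + COMPONENT_STRINGS[("openssl", "1.0.1f")])
    + b"\x00" + bytes(range(128, 256))
)

if __name__ == "__main__":
    print(scan(SAMPLE_BINARY))
```

Running it reports zlib 1.2.8 with the four zlib CVEs and OpenSSL 1.0.1f with CVE-2014-0160, while zlib 1.2.11 is not reported even though half of its strings are present, which is the point of scoring a whole fingerprint set rather than matching individual strings. Replacing `VULN_DB` with the NVD JSON feed and `COMPONENT_STRINGS` with fingerprints harvested from real builds turns the same structure into a usable check.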
Make Time to Address the Vulnerabilities
As engineering teams develop new versions of software, they are alerted to potential security vulnerabilities that must be fixed. Unfortunately, the software development industry has demonstrated a tendency to give vulnerability remediation low priority. This lack of urgency delays the update to a fixed version of the component, extending the window during which malicious actors can exploit the unaddressed vulnerabilities. The result is that known security vulnerabilities go unaddressed for significant periods of time, further increasing a company’s exposure.
Open source adoption has generated, and will continue to generate, amazing innovations. However, the growing number of security vulnerabilities in the code is also generating potential data and privacy losses with very real financial consequences. Software developers, distributors and users can neutralize the threats posed by these vulnerabilities by understanding their code, finding the flaws and proactively taking steps to address them.