{"id":6800,"date":"2020-08-26T09:00:00","date_gmt":"2020-08-26T07:00:00","guid":{"rendered":"https:\/\/www.codemotion.com\/magazine\/?p=6800"},"modified":"2022-06-09T18:04:19","modified_gmt":"2022-06-09T16:04:19","slug":"open-source-security","status":"publish","type":"post","link":"https:\/\/www.codemotion.com\/magazine\/cybersecurity\/open-source-security\/","title":{"rendered":"Does open source software have a security problem?"},"content":{"rendered":"\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t\tTable Of Contents\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t
  1. Open source's community focus may also be its downfall<\/a>
  2. Common open source database security problems\u00a0<\/a>
  3. Don't forget to secure passwords!\u00a0<\/a>
  4. The importance of secure by design<\/a>
  5. Looking for Resources?<\/a><\/ol>\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\n\n\n

    You’d be hard-pressed to find a day where a cybersecurity incident doesn’t hit the news, whether it’s hackers accessing personal data, undertaking a DDoS attack or deploying ransomware. Over the years, security breaches have crippled industries, damaged businesses, shut people out of critical public and health databases, and caused chaos. You might think your company is protected as you use proprietary software. But it’s not so simple. Open source<\/a> components and libraries are the foundation of literally every application in every industry, and the need to identify, track, and manage open source software security is more important than ever. Many people will remember what is arguable the worst cyberattack of 2017, upon Equifax, where hackers stole the personal information of 147.7 million Americans from its servers. Hackers used an Apache Struts vulnerability,\u00a0a months-old issue that Equifax knew about but failed to fix.<\/a>\u00a0<\/p>\n\n\n\n

     Synopsys’<\/a> recently launched their 5th Open Source Security and Risk Analysis (OSSRA) report. The CyRC teams examined anonymized audit findings from over 1,250 commercial codebases in 17 industries, including Enterprise Software\/SaaS, Energy, and Healthcare. In 9 of 17 industries, 100% of the codebases contained open source.<\/p>\n\n\n\n

    The authors assert that “Whether you are a member of an IT, development, operations, or security team if you don’t have policies in place for identifying and patching known issues with the open source components you’re using, you’re not doing your job. The open source community usually issues small updates at a much faster pace than the average commercial software vendor. When these updates contain security updates, companies need to have a strategy to adopt them rapidly. But because open source updates need to be “pulled” by users, an alarming number of companies consuming open source components don’t apply the patches they need, opening their business to the risk of attack and applications to potential exploits.”<\/p>\n\n\n\n

    I recently spoke with Steve Hoffman, VP of Engineering at Percona,<\/a> who develop open source software projects for MySQL, MariaDB, PostgreSQL, MongoDB and RocksDB users. He notes the visibility of bad decisions: “Some companies can hide behind “security through obscurity”, but open source projects can’t take that approach, so implementations have to be well thought out in advance. We design and code with security at the top of the priority list, otherwise we’ll find ourselves dropping in popularity as we climb the CVE charts.<\/p>\n\n\n\n

    Open source’s community focus may also be its downfall<\/h2>\n\n\n\n

    Popular open source <\/a>projects typically are resources with healthy communities of people improving, updating, and patching vulnerability issues as they become known. However, many developers don’t bother to vet the health of a community before downloading an open source component. Even if a developer takes care to initially download components from robust open source communities, there’s no guarantee the community will remain active in maintaining that component or the specific version downloaded. <\/p>\n\n\n\n

    The OSSRA report shared that Black Duck Audits conducted in 2019 found that 91% of the codebases examined contained components that were more than four years out of date or had no development activity in the last two years. Besides adding to the security risk, the danger of getting too far behind in versioning is that the simple act of updating to the latest version can introduce unwanted functional changes, such as the disappearance of key features.<\/p>\n\n\n\n

    Engaging with the communities whose open source projects your organization relies on is one of the best ways to ensure those projects stay healthy, vital, and up to date.<\/p>\n\n\n\n

    Common open source database security problems <\/h2>\n\n\n\n

    Steve notes that there are some common issues around databases and security: <\/p>\n\n\n\n