Is open source software secure? Ask someone in the industry and they may well scoff and ask you “how long is a piece of string?” As with proprietary software (which is certainly not all secure), not all open source was created equal. Yet with Sonatype’s fifth annual State of the Software Supply Chain Report revealing that UK enterprises downloaded over 21,000 software components with a known vulnerability in the last year alone, the question – sweeping though it is – should not be shrugged off.
The report from Sonatype – a Maryland, US-based enterprise software company – is a substantial one: its findings stem from analysis of 36,000 open source project teams, 3.7 million open source releases, 12,000 commercial engineering teams and two surveys of 6,200 development professionals. Of the vulnerable components cited, a huge 30 percent (some 6,300) are deemed critical, posing a significant risk to enterprise security.
Too Many Holes? Report Cites a 71% Rise in Open Source Breaches
Some further sobering statistics: a 71 percent increase in open source related breaches over the past five years, and 15 events highlighting a new attack pattern for malicious code injection within open source software supply chains.
These come amid a surge in the use of open source software (OSS) with demand for OSS components at an all-time high: there were 146 billion download requests of Java components alone in 2018, for example (year-on-year growth of 68 percent), with – more broadly – 21,448 new open source releases available to developers each day.
Is Open Source Software Secure? Check the Vendor (and is it a Project, or a Product?)
Computer Business Review put the security question to some leading figures in the OSS security world. Mike Bursell, Chief Security Architect at Red Hat, told us: “Those who are using OSS should choose what they use carefully. If they need something which is not maintained by a trusted enterprise open source software vendor, then they need to look at how well the project is maintained, who maintains it, and what processes there are for reports of issues.”
“It’s vital to understand the difference between a project and a product – the latter is something you might consider building your business on, whereas the former needs controls and resources (yours or somebody else’s) to turn it into a product before it becomes a plausible part of your infrastructure.”
“The more awareness there is of this, the better, and the more security experts who spend their time looking at these issues, also the better. At least within the open source community there is transparency and you can get things fixed: options which are sometimes sadly lacking in the proprietary software market.”
Mirror Sites Getting Seeded with Malicious Code
Dave Klein, VP of engineering at Tel Aviv’s cloud security specialist Guardicore, said: “What is happening [with regard to security] is a few things.”
“Firstly: open source code comes from maintained and heavily controlled distribution locations (distros). They are supported by secondary mirror sites. There have been many examples of secondary mirror sites seeded with malicious code. While rarer – there have been main distribution sites that have been manipulated.”
He added: “Secondly: just like automakers using the same parts across multiple vehicles leading to wide-scale recalls – when open source apps have vulnerabilities (nginx’s most recent one comes to mind) it affects millions of instances worldwide. Using software defined segmentation solutions that allow you to identify vulnerable versions of apps/processes open source code and to quickly ring fence and protect them is essential. It becomes a method of virtual patching until you update accordingly.”
Open Source = Less Risk of Intentional Backdoors
Of those we spoke to, most agreed that Linus’s Law (“given enough eyeballs, all bugs are shallow”) holds firm.
Ray Walsh of Pro Privacy told us: “The nature of open source code also massively reduces the possibility of there being purposefully engineered backdoors within the source code for any program, because these can be discovered at any point by anybody auditing the software.”
“Again, this is only of use if and when the code is properly audited. It is worth remembering that Sonatype was only able to find the vulnerabilities contained in the code it analyzed because that code was open source in the first place, thus this can be seen as a positive rather than a negative. Sure, open source has its limitations but it is also the best system we have.”
Sonatype’s Suggestions
“We have long advised businesses that they should rely on the fewest open source component suppliers with the best track records in order to develop the highest quality and lowest risk software,” said Wayne Jackson, CEO of Sonatype, in the report.
“For organisations who tame their software supply chains through better supplier choices, component selection, and use of automation, the rewards revealed in this year’s report are impressive. Use of known vulnerable component releases was reduced by 55 percent.”
Basic security hygiene was also flagged: unsurprisingly, developers who use the most current versions of their open source component dependencies will dramatically reduce their cybersecurity risk, the report highlights.
It identified 295 open source projects as having the best secure coding practices, with 3.4 times faster remediation of known vulnerabilities for exemplar open source project teams such as Elasticsearch, Mulesoft, and SonarSource.
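As an added illustration of the report’s point about known vulnerable component releases (example code written for this page, not Sonatype’s tooling): a minimal check that reads Maven coordinates from a pom.xml and flags each dependency whose version is older than the first fixed version in an advisory list. The coordinates, versions and advisory ids are constructed; a real check would take the advisories from a vulnerability database rather than a hard-coded dict.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml with hypothetical coordinates (not real artifacts).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.example</groupId><artifactId>parser</artifactId><version>1.2.3</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>httpclient</artifactId><version>4.5.13</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>logger</artifactId><version>2.0.1-beta</version></dependency>
  </dependencies>
</project>"""

# Constructed advisory feed: coordinates -> [(advisory id, first fixed version)].
ADVISORIES = {
    ("org.example", "parser"): [("CONSTRUCTED-0001", "1.3.0")],
    ("org.example", "httpclient"): [("CONSTRUCTED-0002", "4.5.13")],
    ("org.example", "logger"): [("CONSTRUCTED-0003", "2.0.2")],
}

def version_key(v):
    """Numeric tuple for ordering; qualifiers such as -beta are dropped (2.0.1-beta == 2.0.1)."""
    return tuple(int(n) for n in re.findall(r"\d+", v.split("-")[0]))

def is_older(v, fixed):
    """True if v sorts before fixed; shorter tuples are zero-padded (1.2 == 1.2.0)."""
    a, b = version_key(v), version_key(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the namespace prefix ElementTree adds to tags

def dependencies(pom_xml):
    """Yield (groupId, artifactId, version) for each <dependency> that pins a version."""
    root = ET.fromstring(pom_xml)
    for dep in root.iter():
        if local(dep.tag) != "dependency":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in dep}
        if "version" in fields:  # unpinned (managed) versions are skipped, not resolved
            yield fields["groupId"], fields["artifactId"], fields["version"]

def find_vulnerable(pom_xml, advisories=ADVISORIES):
    """Return (group, artifact, version, advisory, fixed_in) for every affected dependency."""
    hits = []
    for group, artifact, version in dependencies(pom_xml):
        for adv_id, fixed in advisories.get((group, artifact), []):
            if is_older(version, fixed):
                hits.append((group, artifact, version, adv_id, fixed))
    return hits
```

Running `find_vulnerable(SAMPLE_POM)` flags `parser` 1.2.3 and `logger` 2.0.1-beta and leaves `httpclient` alone, since 4.5.13 is already the fixed version; versions inherited from a parent POM or `dependencyManagement` are not resolved here and would need to be expanded first.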