Managing Open Source Security Risks and Vulnerabilities

There are lots of great reasons to take advantage of open source software – such as the fact that it’s typically free of cost and easy to modify or extend. But one potential downside of open source software (OSS) is security. When businesses reuse open source software, they need a plan in place to manage the open source security risks that third-party source code may introduce into their IT estates.

This article unpacks the meaning of open source security and explains how to manage open source software security risks and vulnerabilities.

What is open source security?

Open source security is the process of managing the potential security risks introduced by open source software. This security process is critical because nine out of ten businesses routinely use open source code. Sometimes, they integrate open source code into applications they develop. For instance, developers may import open source packages or plugins into software they are writing in order to take advantage of functionality that the packages or plugins offer.

Other times, organizations deploy standalone open source components. For example, they may use an open source platform like Kubernetes to host applications. Or, they might use an open source development tool, like Jenkins, as part of their CI/CD pipeline.

In either case, any security risks or vulnerabilities that exist in the open source software used by companies can affect those companies, unless they are identified and remediated before attackers exploit them. An insecure Jenkins release could provide a backdoor into your business’s CI/CD pipeline, for instance, and a Python package with a known security vulnerability could be exploited to compromise an application that depends on the package.

To be clear, open source software is not inherently less secure than closed source software. Any software can – and typically does – contain security vulnerabilities, regardless of how it is licensed. But the fact that open source can be easily and freely reused means that open source security vulnerabilities can quickly spread across many businesses. That’s less of a problem in the case of closed source software, since closed source code is not frequently shared or reused.

Security risks of open source software

To add context to OSS security risks, let’s look at some of the specific security issues that can arise from the use of open source code.

Known vulnerabilities

The most serious open source security risk is open source code that is subject to a known security vulnerability. Known security vulnerabilities are reported in public databases, like MITRE CVE. The databases detail the specific versions of software that are vulnerable to attack and explain how the attacks can be carried out. While this information is useful to developers who want to fix security issues, it can also be used by attackers to exploit vulnerable software.

Thus, if open source modules, libraries or other components that a business uses are subject to known security vulnerabilities, attackers can easily exploit them.

Misconfigurations

Sometimes, open source software that businesses reuse is not configured in the most secure way possible. For example, businesses might deploy open source container images that run processes as root (which is not secure). Or, a complex open source platform like Kubernetes might ship with access control settings that are not excessively permissive based on a business’s specific needs.

In these cases, improperly configured software can make it easier for attackers to exploit vulnerabilities, or increase the scope of an attack.

Lack of visibility

In some cases, developers may borrow open source code without doing a good job of keeping track of where it originated or how it’s documented. As a result, it becomes difficult to ensure that they follow best practices for managing the code in a secure fashion. For instance, the code’s original developers may have documented how to configure the code securely, but it’s hard to adhere to those practices if the code is reused in a way that obscures where the code came from or which security practices its authors recommend.

How to identify and manage OSS security risks

In response to the open source security challenges described above, you could choose simply not to use open source code. But that’s not an ideal response because it would deprive your business of the many benefits that open source offers. Your developers would have to spend more time and effort implementing functionality that they could instead borrow from open source software.

A better approach is to ensure that you have the safeguards in place to identify and respond to open source security risks. A simple way of doing this is to deploy an open source vulnerability scanning tool that automatically identifies open source components that your organization uses, then alerts engineers to security risks associated with them.

By comprehensively scanning IT assets for open source security risks, scanning tools help to ensure that you can find and react to OSS security issues. And, because the scanners can peer deep inside codebases and application binaries, they are capable of detecting open source components even in cases where your developers or IT engineers didn’t do a good job of documenting where the components came from.

You should also, of course, strive to use open source software in a responsible way by borrowing code only from trustworthy projects and ensuring that you properly document your use of open source code. But because it’s impossible to protect against all potential open source security oversights, scanning tools provide an extra layer of assurance against accidental security problems that may arise from the use of open source code.