Known vulnerabilities, legitimate package compromise, and name confusion attacks are expected to be among the top ten open source software risks by 2023, according to a report by Endor Labs.
The other top risks of open source software, according to the report, include unmaintained software, outdated software, untracked dependencies, license risk, immature software, unapproved changes, and undersized or oversized dependencies.
Almost 80% of the code in modern applications is based on open source packages. While open source software is the foundation of modern software development, it is also the weakest link in the software supply chain, Endor Labs said in its report.
Since open source software comes as is, without warranties of any kind, any risk of using it rests solely with the users. This makes the selection, security, and maintenance of these open source dependencies crucial steps toward securing the software supply chain, according to the report.
The Endor Labs report covers security and operational issues associated with open source components that can compromise systems, enable data breaches, undermine compliance, and hinder availability. The report features contributions from 20 industry experts, including CISOs from HashiCorp, Adobe, Palo Alto Networks, and Discord.
The known vulnerability, according to the report, is the main risk associated with open source software. This risk occurs when a component version contains vulnerable code, accidentally introduced by its developers. If a threat actor exploits a known vulnerability, it could compromise the confidentiality, integrity or availability of the respective system or its data, according to the Endor Labs report.
CVE-2017-5638 in Apache Struts that caused the Equifax data leak and CVE-2021-44228 in Apache Log4j, also known as Log4Shell, are examples of known vulnerabilities.
To avoid the risk of known vulnerabilities, Endor Labs suggests that regular scanning of open source software be conducted and that organizations prioritize the findings to optimize resource allocation.
Legitimate package compromise is the second biggest risk that open source software contains. Attackers can compromise resources that are part of an existing legitimate project or distribution infrastructure to inject malicious code into a component. Examples include hijacking the accounts of legitimate project maintainers or exploiting vulnerabilities in package repositories. The SolarWinds cyberattack was the result of a legitimate package compromise.
The third biggest risk of open source software is name confusion attacks, in which an attacker creates components whose names resemble legitimate open source or system component names (typosquatting), suggest trusted authors (brandjacking), or play with common name patterns in different languages or ecosystems.
To avoid this risk, organizations should check code features before and after installation, and check project features such as the source code repository, maintainer accounts, release frequency, number of downstream users, etc., says the report. An example of this risk is the Colourama attack, a typosquatting attack on the legitimate Python package called “Colorama” that redirected Bitcoin transfers to a wallet controlled by the attacker.
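A defender-side check for the name confusion pattern described above, as an added example that is not from the Endor Labs report or this article: it normalizes a requested package name and flags it when it sits within a small edit distance of, or embeds, a name on a trusted allowlist (the Colourama versus Colorama case). The allowlist and the requested names are constructed.

```python
# Added example (not from the report or the article). Flags package names that
# look like typosquats or brandjacks of trusted names. TRUSTED is a constructed
# allowlist; a real one would come from the organization's approved-package list.
import re

TRUSTED = {"colorama", "requests", "numpy", "urllib3", "setuptools"}  # constructed


def normalize(name: str) -> str:
    """PEP 503 style normalization: lowercase, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute) via the standard DP row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_name(requested: str, trusted=TRUSTED, max_dist: int = 2) -> dict:
    """Classify a requested name as trusted, suspicious (near or embedding a
    trusted name) or unknown. Suspicious results are for manual review; the
    substring rule is a soft signal and will also catch legitimate plugins."""
    req = normalize(requested)
    if req in trusted:
        return {"name": requested, "verdict": "trusted", "nearest": req, "distance": 0}
    for t in trusted:
        if t in req:  # e.g. "requests-security" embeds "requests" (brandjacking pattern)
            return {"name": requested, "verdict": "suspicious", "nearest": t,
                    "distance": edit_distance(req, t), "reason": "embeds trusted name"}
    nearest = min(trusted, key=lambda t: edit_distance(req, t))
    dist = edit_distance(req, nearest)
    verdict = "suspicious" if dist <= max_dist else "unknown"
    return {"name": requested, "verdict": verdict, "nearest": nearest,
            "distance": dist, "reason": "near trusted name" if dist <= max_dist else ""}


def audit(requested_names):
    """Run check_name over a list of names, e.g. from a requirements file."""
    return [check_name(n) for n in requested_names]


if __name__ == "__main__":
    # Constructed sample input: one typosquat, one exact match, one unrelated name.
    for result in audit(["Colourama", "colorama", "Flask"]):
        print(result)
```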
Along with the main security risks that open source software contains, the Endor Labs report also looked at the main operational risks that open source software can present.
Unmaintained software, meaning a component or component version that is no longer actively developed so that patches for functional and security bugs are not available, is the number one operational risk posed by open source software, according to the report.
In this case, development of the patch will have to be done by downstream developers, which will result in higher efforts and longer resolution times. During that time, the system remains exposed.
Outdated software, not to be confused with unmaintained software, is another big risk for open source software. This refers to a project that may be using an old, outdated version of a component, even though newer versions exist.
If the version of a component used is far behind the latest versions of a dependency, it can make it difficult to perform timely updates in emergency situations. The older version of a component may not receive the same level of security evaluation as recent versions.
“If a new version is syntactically or semantically incompatible with the current version in use, application developers may require significant upgrade or migration efforts to resolve the incompatibility,” the report says.
The third biggest operational risk with open source software is untracked dependencies. This occurs when project developers are unaware of a component’s dependency, either because it is not part of the software BOM of an upstream component, because it is not detected by software composition analysis (SCA) tools, or because the dependency is not established through a package manager.
Developers should evaluate and compare SCA tools for their ability to produce accurate BOMs, according to the report.
As the use of open source has increased over the years, other cybersecurity companies are also highlighting the risk it poses. At least one known open source vulnerability was found in 84% of all commercial and proprietary codebases examined by researchers at application security company Synopsys.
In addition, 48% of all codebases analyzed by Synopsys researchers contained high-risk vulnerabilities, which are those that have been actively exploited, already have documented proof-of-concept exploits, or are classified as remote code execution vulnerabilities.
Copyright © 2023 IDG Communications, Inc.