Software applications access many of the most important assets organizations manage, such as intellectual property, strategic plans and customer data. This makes them a very lucrative target for cybercriminals. Unfortunately, applications are often the weakest link in the enterprise IT security chain.

Recent IBM X-Force Threat Intelligence reports have shown that many disclosed security incidents in recent years are the result of application vulnerabilities. The reports indicate that many organizations lack understanding about how to secure their valuable application assets. One area of application security that is frequently overlooked has to do with the use of open-source software.

Explosive Growth of Open-Source Software

Use of open-source software is ubiquitous across the Web, cloud, containers, enterprise apps, mobile and the Internet of Things (IoT). Analysis from Black Duck, an IBM Security partner, showed that open-source code comprises about 30 percent of the average commercial software application; this figure can jump even higher for in-house applications. According to Gartner, open source will be included in mission-critical applications within 99 percent of Global 2000 enterprises by the end of 2016.

It’s easy to understand why open source is growing in popularity, even among organizations like the U.S. Department of Defense and proprietary software vendors. Free to use, open source provides critical functionality while lowering development costs and accelerating time to market.

Open source is not without risk, however. In 2014 alone, the National Institute of Standards and Technology (NIST) reported over 4,000 new vulnerabilities, including critical issues such as Heartbleed, Shellshock, Venom and Ghost. Moreover, thousands of open source-related vulnerabilities are likely to be present within existing applications in a typical large enterprise.

Unfortunately, most enterprises lack visibility into and control of their open source. You can’t control what you can’t see, and addressing this challenge is critical to the use of open source with trust and confidence.


The Role of Application Security Testing

Automated security testing has advanced dramatically over the last 10 years. In particular, static and dynamic analysis tools have helped organizations identify common coding mistakes that could result in application security vulnerabilities. As the technologies advance, more vulnerability types can be detected and quickly remediated.

There is, however, still a role for security researchers. Many classes of vulnerabilities remain undetectable by automated tools. Even among those classes of vulnerabilities that are detectable, some are simply too complex for today’s technology. These include the types of vulnerabilities being disclosed every day in open-source components.

Why Is Open Source Different?

Open-source software has benefited from the idea that enough people will review open-source code to find most security issues. While the validity of this theory depends partly on who is reviewing the code, it appears that the most common security bugs are often identified during the development process. That means the most serious vulnerabilities are usually not present in the final product.

However, the reuse of open-source components complicates things. As new vulnerabilities are disclosed, developers must be diligent in checking to ensure they are using the most recent version of an open-source project and patching code whenever necessary.

While development teams are increasingly sophisticated about security and are incorporating best practices such as static and dynamic analysis, threat modeling and security requirements into the software development life cycle, the security challenges related to the reuse of components already in the developer’s workspace are often overlooked.

Security Is Not a Permanent State

Security issues in open source make it a particularly attractive target for attackers. The ubiquity of certain components provides a target-rich environment: The source code is available for inspection, vulnerabilities are publicly disclosed and there is no automatic update mechanism. Those elements combine to make vulnerabilities in open source difficult for defenders to manage.

Even when organizations are thorough about checking their open-source code prior to deployment, everything changes when a new vulnerability is disclosed. An application once believed to be secure becomes a prime target for even unsophisticated attackers.

A Simple Solution: Know All Your Code

The good news is that a solution exists. A new technology partnership between IBM and Black Duck extends IBM’s solution portfolio to include identification, remediation and control of risks in open-source software through an integrated approach to application security management.

Black Duck Hub integrates into the build cycle with IBM Security AppScan to automatically identify all the open-source code used in an application. The resulting inventory or bill of materials is matched to Black Duck’s KnowledgeBase of over 1.5 million open-source components to identify known security vulnerabilities and display the security information directly within IBM Security AppScan Enterprise. Additionally, Black Duck continues to monitor the threat space so that when new vulnerabilities are disclosed, users receive security alerts along with information telling them exactly which applications use the now-vulnerable component.
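The inventory-and-match workflow described above, as an added illustration. This is not Black Duck Hub, KnowledgeBase or AppScan code; it is a small stand-alone model of the same steps: build a per-application bill of materials, match it against a database of known vulnerabilities with affected version ranges, and, when a new advisory arrives, report exactly which applications use the now-vulnerable component. All component names, versions and advisory identifiers are constructed sample data, not real vulnerabilities.

```python
"""Toy software-composition-analysis (SCA) matcher: added example, not vendor code."""
from __future__ import annotations

import re
from dataclasses import dataclass

# A version segment such as "1", "10" or "1f" splits into (number, suffix)
_SEGMENT = re.compile(r"(\d*)(.*)")


def parse_version(version: str) -> tuple:
    """Convert '1.0.1f' or '2.3.10' into a tuple that compares numerically.

    Each dotted segment becomes (int, suffix) so that 2.3.10 > 2.3.9 and
    1.0.1f < 1.0.1g, which plain string comparison would get wrong.
    """
    parts = []
    for segment in version.split("."):
        number, suffix = _SEGMENT.match(segment).groups()
        parts.append((int(number) if number else 0, suffix))
    return tuple(parts)


@dataclass(frozen=True)
class Component:
    """One open-source component found in an application's build."""
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    """A known vulnerability affecting versions in [introduced, fixed)."""
    id: str
    component: str
    introduced: str
    fixed: str
    severity: str

    def affects(self, comp: Component) -> bool:
        if comp.name != self.component:
            return False
        v = parse_version(comp.version)
        return parse_version(self.introduced) <= v < parse_version(self.fixed)


# Constructed bill of materials: application -> components it bundles
INVENTORY = {
    "billing-portal": [Component("example-tls", "1.0.1f"), Component("example-json", "2.3.0")],
    "inventory-api": [Component("example-tls", "1.0.1g"), Component("example-json", "2.4.1")],
    "mobile-backend": [Component("example-json", "2.3.0"), Component("example-image", "0.9.2")],
}

# Constructed vulnerability database (advisory IDs are placeholders)
KNOWLEDGEBASE = [
    Advisory("EX-2014-0001", "example-tls", "1.0.1", "1.0.1g", "critical"),
    Advisory("EX-2014-0002", "example-json", "2.0.0", "2.4.0", "high"),
]


def scan(inventory: dict, knowledgebase: list) -> dict:
    """Match every application's components against known advisories.

    Returns {application: [(component, advisory), ...]} for applications
    with at least one vulnerable component.
    """
    findings = {}
    for app, components in inventory.items():
        hits = [(c, a) for c in components for a in knowledgebase if a.affects(c)]
        if hits:
            findings[app] = hits
    return findings


def alert_for_new_advisory(inventory: dict, advisory: Advisory) -> list:
    """Continuous-monitoring step: given a newly disclosed advisory, list the
    applications whose inventory contains a version it affects."""
    return sorted(
        app for app, comps in inventory.items() if any(advisory.affects(c) for c in comps)
    )


if __name__ == "__main__":
    for app, hits in scan(INVENTORY, KNOWLEDGEBASE).items():
        for comp, adv in hits:
            print(f"{app}: {comp.name} {comp.version} affected by {adv.id} ({adv.severity})")
    # A later disclosure: the inventory tells us immediately who is exposed
    new = Advisory("EX-2015-0003", "example-image", "0.9.0", "0.9.3", "medium")
    print("new advisory", new.id, "affects:", alert_for_new_advisory(INVENTORY, new))
```

The version parser is the part most worth getting right: matching on exact version strings misses a component that sits inside an affected range, and naive string comparison misorders releases such as 2.3.9 and 2.3.10. The inventory is what turns a disclosure into an actionable alert; without it an organization knows only that a component is vulnerable somewhere, not where.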

Working together, IBM and Black Duck help application security and development professionals take a comprehensive approach to identifying and remediating security issues in customized and open-source software.

To Learn More

To learn more about the importance of open-source testing, read our blog “Taming the Open-Source Beast with an Effective Application Security Testing Program.” You can also test drive IBM Application Security on Cloud by registering for a complimentary trial.
