Custom and Open Source Code: A New Approach to Application Security Management
Software applications access many of the most important assets organizations manage, such as intellectual property, strategic plans and customer data. This makes them a very lucrative target for cybercriminals. Unfortunately, applications are often the weakest link in the enterprise IT security chain.
Recent IBM X-Force Threat Intelligence reports have shown that many disclosed security incidents in recent years are the result of application vulnerabilities. The reports indicate that many organizations lack understanding about how to secure their valuable application assets. One area of application security that is frequently overlooked has to do with the use of open-source software.
Explosive Growth of Open-Source Software
Use of open-source software is ubiquitous across the Web, cloud, containers, enterprise apps, mobile and the Internet of Things (IoT). Analysis from Black Duck, an IBM Security partner, showed that open-source code comprises about 30 percent of the average commercial software application; this figure can jump even higher for in-house applications. According to Gartner, open source will be included in mission-critical applications within 99 percent of Global 2000 enterprises by the end of 2016.
It’s easy to understand why open source is growing in popularity, even among organizations like the U.S. Department of Defense and proprietary software vendors. Free to use, open source provides critical functionality while lowering development costs and accelerating time to market.
Open source is not without risk, however. In 2014 alone, the National Institute of Standards and Technology (NIST) reported over 4,000 new vulnerabilities, including critical issues such as Heartbleed, Shellshock, Venom and Ghost. Moreover, thousands of open source-related vulnerabilities are likely to be present within existing applications in a typical large enterprise.
Unfortunately, most enterprises lack visibility into and control of their open source. You can’t control what you can’t see, and addressing this challenge is critical to the use of open source with trust and confidence.
The Role of Application Security Testing
Automated security testing has advanced dramatically over the last 10 years. In particular, static and dynamic analysis tools have helped organizations identify common coding mistakes that could result in application security vulnerabilities. As the technologies advance, more vulnerability types can be detected and quickly remediated.
There is, however, still a role for security researchers. Many classes of vulnerabilities remain undetectable by automated tools. Even among those classes of vulnerabilities that are detectable, some are simply too complex for today’s technology. These include the types of vulnerabilities being disclosed every day in open-source components.
Why Is Open Source Different?
Open-source software has benefited from the idea that enough people will review open-source code to find most security issues. While the validity of this theory is partially dependent on who is reviewing the code, it appears that the most common security bugs are often identified during the development process. That means the largest vulnerabilities are not present in the final product.
However, the reuse of open-source components complicates things. As new vulnerabilities are disclosed, developers must be diligent in checking to ensure they are using the most recent version of an open-source project and patching code whenever necessary.
While development teams are increasingly sophisticated about security and are incorporating best practices such as static and dynamic analysis, threat modeling and security requirements into the software development life cycle, the security challenges related to the reuse of components already in the developer’s workspace are often overlooked.
Security Is Not a Permanent State
Security issues in open source make it a particularly attractive target for attackers. The ubiquity of certain components provides a target-rich environment: The source code is available for manipulation, vulnerabilities are publicly available and there’s a lack of automatic updates. Those elements combine to make vulnerabilities in open source difficult for defenders.
Even when organizations are thorough about checking their open-source code prior to deployment, everything changes when a new vulnerability is disclosed. An application once believed to be secure becomes a prime target for even unsophisticated attackers.
A Simple Solution: Know All Your Code
The good news is that a solution exists. A new technology partnership between IBM and Black Duck extends IBM’s solution portfolio to include identification, remediation and control of risks in open-source software through an integrated approach to application security management.
Black Duck Hub integrates into the build cycle with IBM Security AppScan to automatically identify all the open-source code used in an application. The resulting inventory or bill of materials is matched to Black Duck’s KnowledgeBase of over 1.5 million open-source components to identify known security vulnerabilities and display the security information directly within IBM Security AppScan Enterprise. Additionally, Black Duck continues to monitor the threat space so that when new vulnerabilities are disclosed, users receive security alerts along with information telling them exactly which applications use the now-vulnerable component.
Working together, IBM and Black Duck help application security and development professionals take a comprehensive approach to identifying and remediating security issues in customized and open-source software.
To Learn More
To learn more about the importance of Open-Source Testing, read our blog “Taming the Open-Source Beast with an Effective Application Security Testing Program.” You can also test drive IBM Application Security on Cloud, by registering for a complimentary trial.