Software applications access many of the most important assets organizations manage, such as intellectual property, strategic plans and customer data. This makes them a very lucrative target for cybercriminals. Unfortunately, applications are often the weakest link in the enterprise IT security chain.

Recent IBM X-Force Threat Intelligence reports have shown that many disclosed security incidents in recent years are the result of application vulnerabilities. The reports indicate that many organizations lack understanding about how to secure their valuable application assets. One area of application security that is frequently overlooked has to do with the use of open-source software.

Explosive Growth of Open-Source Software

Use of open-source software is ubiquitous across the Web, cloud, containers, enterprise apps, mobile and the Internet of Things (IoT). Analysis from Black Duck, an IBM Security partner, showed that open-source code comprises about 30 percent of the average commercial software application; this figure can jump even higher for in-house applications. According to Gartner, open source will be included in mission-critical applications within 99 percent of Global 2000 enterprises by the end of 2016.

It’s easy to understand why open source is growing in popularity, even among organizations like the U.S. Department of Defense and proprietary software vendors. Free to use, open source provides critical functionality while lowering development costs and accelerating time to market.

Open source is not without risk, however. In 2014 alone, the National Institute of Standards and Technology (NIST) reported over 4,000 new vulnerabilities, including critical issues such as Heartbleed, Shellshock, Venom and Ghost. Moreover, thousands of open source-related vulnerabilities are likely to be present within existing applications in a typical large enterprise.

Unfortunately, most enterprises lack visibility into and control of their open source. You can’t control what you can’t see, and addressing this challenge is critical to the use of open source with trust and confidence.

Start a Free Trial of Application Security on Cloud Now

The Role of Application Security Testing

Automated security testing has advanced dramatically over the last 10 years. In particular, static and dynamic analysis tools have helped organizations identify common coding mistakes that could result in application security vulnerabilities. As the technologies advance, more vulnerability types can be detected and quickly remediated.

There is, however, still a role for security researchers. Many classes of vulnerabilities remain undetectable by automated tools. Even among those classes of vulnerabilities that are detectable, some are simply too complex for today’s technology. These include the types of vulnerabilities being disclosed every day in open-source components.

Why Is Open Source Different?

Open-source software has benefited from the idea that enough people will review open-source code to find most security issues. While the validity of this theory is partially dependent on who is reviewing the code, it appears that the most common security bugs are often identified during the development process. That means the largest vulnerabilities are not present in the final product.

However, the reuse of open-source components complicates things. As new vulnerabilities are disclosed, developers must be diligent in checking to ensure they are using the most recent version of an open-source project and patching code whenever necessary.

While development teams are increasingly sophisticated about security and are incorporating best practices such as static and dynamic analysis, threat modeling and security requirements into the software development life cycle, the security challenges related to the reuse of components already in the developer’s workspace are often overlooked.

Security Is Not a Permanent State

Security issues in open source make it a particularly attractive target for attackers. The ubiquity of certain components provides a target-rich environment: The source code is available for manipulation, vulnerabilities are publicly available and there’s a lack of automatic updates. Those elements combine to make vulnerabilities in open source difficult for defenders.

Even when organizations are thorough about checking their open-source code prior to deployment, everything changes when a new vulnerability is disclosed. An application once believed to be secure becomes a prime target for even unsophisticated attackers.

A Simple Solution: Know All Your Code

The good news is that a solution exists. A new technology partnership between IBM and Black Duck extends IBM’s solution portfolio to include identification, remediation and control of risks in open-source software through an integrated approach to application security management.

Black Duck Hub integrates into the build cycle with IBM Security AppScan to automatically identify all the open-source code used in an application. The resulting inventory or bill of materials is matched to Black Duck’s KnowledgeBase of over 1.5 million open-source components to identify known security vulnerabilities and display the security information directly within IBM Security AppScan Enterprise. Additionally, Black Duck continues to monitor the threat space so that when new vulnerabilities are disclosed, users receive security alerts along with information telling them exactly which applications use the now-vulnerable component.

Working together, IBM and Black Duck help application security and development professionals take a comprehensive approach to identifying and remediating security issues in customized and open-source software.

To Learn More

To learn more about the importance of Open-Source Testing, read our blog “Taming the Open-Source Beast with an Effective Application Security Testing Program.” You can also test drive IBM Application Security on Cloud, by registering for a complimentary trial.

More from Software Vulnerabilities

Dissecting and Exploiting TCP/IP RCE Vulnerability “EvilESP”

September’s Patch Tuesday unveiled a critical remote vulnerability in tcpip.sys, CVE-2022-34718. The advisory from Microsoft reads: “An unauthenticated attacker could send a specially crafted IPv6 packet to a Windows node where IPsec is enabled, which could enable a remote code execution exploitation on that machine.” Pure remote vulnerabilities usually yield a lot of interest, but even over a month after the patch, no additional information outside of Microsoft’s advisory had been publicly published. From my side, it had been a…

Self-Checkout This Discord C2

This post was made possible through the contributions of James Kainth, Joseph Lozowski, and Philip Pedersen. In November 2022, during an incident investigation involving a self-checkout point-of-sale (POS) system in Europe, IBM Security X-Force identified a novel technique employed by an attacker to introduce a command and control (C2) channel built upon Discord channel messages. Discord is a chat, voice, and video service enabling users to join and create communities associated with their interests. While Discord and its related software…

Critical Remote Code Execution Vulnerability in SPNEGO Extended Negotiation Security Mechanism

In September 2022, Microsoft patched an information disclosure vulnerability in SPNEGO NEGOEX (CVE-2022-37958). On December 13, Microsoft reclassified the vulnerability as “Critical” severity after IBM Security X-Force Red Security Researcher Valentina Palmiotti discovered the vulnerability could allow attackers to remotely execute code. The vulnerability is in the SPNEGO Extended Negotiation (NEGOEX) Security Mechanism, which allows a client and server to negotiate the choice of security mechanism to use. This vulnerability is a pre-authentication remote code execution vulnerability impacting a wide…

Containers, Security, and Risks within Containerized Environments

Applications have historically been deployed and created in a manner reminiscent of classic shopping malls. First, a developer builds the mall, then creates the various stores inside. The stores conform to the dimensions of the mall and operate within its floor plan. In older approaches to application development, a developer would have a targeted system or set of systems for which they intend to create an application. This targeted system would be the mall. Then, when building the application, they would…