Software applications access many of the most important assets organizations manage, such as intellectual property, strategic plans and customer data. This makes them a very lucrative target for cybercriminals. Unfortunately, applications are often the weakest link in the enterprise IT security chain.

Recent IBM X-Force Threat Intelligence reports have shown that many disclosed security incidents in recent years are the result of application vulnerabilities. The reports indicate that many organizations lack understanding about how to secure their valuable application assets. One area of application security that is frequently overlooked has to do with the use of open-source software.

Explosive Growth of Open-Source Software

Use of open-source software is ubiquitous across the Web, cloud, containers, enterprise apps, mobile and the Internet of Things (IoT). Analysis from Black Duck, an IBM Security partner, showed that open-source code comprises about 30 percent of the average commercial software application; this figure can jump even higher for in-house applications. According to Gartner, open source will be included in mission-critical applications within 99 percent of Global 2000 enterprises by the end of 2016.

It’s easy to understand why open source is growing in popularity, even among organizations like the U.S. Department of Defense and proprietary software vendors. Free to use, open source provides critical functionality while lowering development costs and accelerating time to market.

Open source is not without risk, however. In 2014 alone, the National Institute of Standards and Technology (NIST) reported over 4,000 new vulnerabilities, including critical issues such as Heartbleed, Shellshock, Venom and Ghost. Moreover, thousands of open source-related vulnerabilities are likely to be present within existing applications in a typical large enterprise.

Unfortunately, most enterprises lack visibility into and control of their open source. You can’t control what you can’t see, and addressing this challenge is critical to the use of open source with trust and confidence.

Start a Free Trial of Application Security on Cloud Now

The Role of Application Security Testing

Automated security testing has advanced dramatically over the last 10 years. In particular, static and dynamic analysis tools have helped organizations identify common coding mistakes that could result in application security vulnerabilities. As the technologies advance, more vulnerability types can be detected and quickly remediated.

There is, however, still a role for security researchers. Many classes of vulnerabilities remain undetectable by automated tools. Even among those classes of vulnerabilities that are detectable, some are simply too complex for today’s technology. These include the types of vulnerabilities being disclosed every day in open-source components.

Why Is Open Source Different?

Open-source software has benefited from the idea that enough people will review open-source code to find most security issues. While the validity of this theory is partially dependent on who is reviewing the code, it appears that the most common security bugs are often identified during the development process. That means the largest vulnerabilities are not present in the final product.

However, the reuse of open-source components complicates things. As new vulnerabilities are disclosed, developers must be diligent in checking to ensure they are using the most recent version of an open-source project and patching code whenever necessary.

While development teams are increasingly sophisticated about security and are incorporating best practices such as static and dynamic analysis, threat modeling and security requirements into the software development life cycle, the security challenges related to the reuse of components already in the developer’s workspace are often overlooked.

Security Is Not a Permanent State

Security issues in open source make it a particularly attractive target for attackers. The ubiquity of certain components provides a target-rich environment: The source code is available for manipulation, vulnerabilities are publicly available and there’s a lack of automatic updates. Those elements combine to make vulnerabilities in open source difficult for defenders.

Even when organizations are thorough about checking their open-source code prior to deployment, everything changes when a new vulnerability is disclosed. An application once believed to be secure becomes a prime target for even unsophisticated attackers.

A Simple Solution: Know All Your Code

The good news is that a solution exists. A new technology partnership between IBM and Black Duck extends IBM’s solution portfolio to include identification, remediation and control of risks in open-source software through an integrated approach to application security management.

Black Duck Hub integrates into the build cycle with IBM Security AppScan to automatically identify all the open-source code used in an application. The resulting inventory or bill of materials is matched to Black Duck’s KnowledgeBase of over 1.5 million open-source components to identify known security vulnerabilities and display the security information directly within IBM Security AppScan Enterprise. Additionally, Black Duck continues to monitor the threat space so that when new vulnerabilities are disclosed, users receive security alerts along with information telling them exactly which applications use the now-vulnerable component.

Working together, IBM and Black Duck help application security and development professionals take a comprehensive approach to identifying and remediating security issues in customized and open-source software.

To Learn More

To learn more about the importance of Open-Source Testing, read our blog “Taming the Open-Source Beast with an Effective Application Security Testing Program.” You can also test drive IBM Application Security on Cloud, by registering for a complimentary trial.

More from Software Vulnerabilities

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

MSMQ QueueJumper (RCE Vulnerability): An in-depth technical analysis

13 min read - The security updates released by Microsoft on April 11, 2023, addressed over 90 individual vulnerabilities. Of particular note was CVE-2023-21554, dubbed QueueJumper, a remote code execution vulnerability affecting the Microsoft Message Queueing (MSMQ) service. MSMQ is an optional Windows component that enables applications to exchange messages via message queues that are reachable both locally and remotely. This analysis was performed in collaboration with the Randori and X-Force Adversary Services teams, by Valentina Palmiotti, Fabius Watson, and Aaron Portnoy. Research motivations…

X-Force prevents zero day from going anywhere

8 min read - This blog was made possible through contributions from Fred Chidsey and Joseph Lozowski. The 2023 X-Force Threat Intelligence Index shows that vulnerability discovery has rapidly increased year-over-year and according to X-Force’s cumulative vulnerability and exploit database, only 3% of vulnerabilities are associated with a zero day. X-Force often observes zero-day exploitation on Internet-facing systems as a vector for initial access however, X-Force has also observed zero-day attacks leveraged by attackers to accomplish their goals and objectives after initial access was…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today