Taming the Open Source Beast With an Effective Application Security Testing Program

May 4, 2017
| |
4 min read

You can also read and share this article in French, German and Spanish.

Cute Attacks With Acute Impact on Your Application Security Testing Effectiveness

Here we go again: Another attack with a cute name is about to make the news. More dangerous than a Ghost, a POODLE, a FREAK, a Heartbleed, a Shellshock or the other 6,000-plus attacks that show up each year, we know at least two things about it:

  1. It will probably attack through a vulnerable open source component.
  2. It is highly likely you’ll find the open source component in your apps.

Addressing the Open Source Challenge

Should you stop your developers from using open source? You can’t — at least if you want them to be productive. In fact, more and more software is reliant on open source components than ever before. The Forrester report titled “Secure Applications at the Speed of DevOps” states that “approximately 80 to 90 percent of the code in modern applications is from open source components.”

Clearly, open source is here to stay. To protect yourself, you must proactively test your code to assure that you don’t have vulnerable libraries. And since it’s extremely likely that your organization is vulnerable in some fashion, you should focus on two specific success factors.

Success Factor One: Integrate Open Source Testing Into DevOps

The single most important thing you can do is be aware of the open source packages that your developers use, and specifically which ones have vulnerabilities that can be exploited. It is critical that this review be performed as early in the development cycle as possible and that it be done continuously, since threats are constantly changing.

Forrester specifically recommended the following: “Insert a software composition analysis (SCA) tool as early in the SDLC as possible and continue to scan applications, including older applications with inconsistent or long release cycles, to ferret out newly discovered vulnerabilities.” The best way to do this is to integrate open source discovery directly into the application security testing that you are already doing — making it an essential part of your DevOps strategy.

IBM has made this process easy and transparent. With introduction of IBM Application Security Open Source Analyzer, part of IBM Application Security on Cloud, identifying open source components occurs automatically during static application security testing (SAST). These components are matched against a list of known vulnerabilities and results are returned. The results are not only actionable, but they also include specific remediation recommendations such as substituting more recent versions of the components. Results are directly integrated into reports that contain identification and remediation of vulnerabilities found in your custom code, creating a seamless adoption and use model that best enables your success.


Figure 2: Open source vulnerabilities (shown in purple) appear as Fix Groups within the scan report. For more on Application Security on Cloud Fix Groups, consult our IFA blog.


Figure 3: Clicking on the Fix Group shows vulnerability types (in this case, open source CVE), descriptions and links to recommended fixes.

Success Factor Two: Use the Most Reliable Source to Detect Open Source Vulnerabilities

Of course, no matter how seamless the integration is, it boils down to the quality of your testing results. Quality depends on a number of factors — most notably the completeness, breadth, depth and currency of known vulnerabilities and remediation recommendations.

IBM Application Security Open Source Analyzer is able to generate a comprehensive set of open source packages for evaluation by analyzing the file level during application code analysis. Those files are then compared with known open source vulnerabilities and vulnerable ones are identified, along with specific remediation advice.

The quality of IBM Application Security Open Source Analyzer data is differentiated in several important ways. The solution:

  • Supports a large number of languages: Open Source Analyzer does not merely work on a small set of languages like other solutions do. It supports a very large set, including Java, .NET, JavaScript, PHP, Node.JS, C/C++, Ruby, Python, ObjectiveC, SWIFT, Go, Scala, Clojure, Groovy, Android, Perl and Pascal.
  • Identifies a huge set of open source libraries: Across these languages, Open Source Analyzer understands more than 3.5 million binary components and nearly a half billion nonbinary source libraries.
  • Leverages a database of more than 230,000 vulnerabilities from public and private sources: IBM Application Security Open Source Analyzer has access to 12 different sources, in addition to the commonly used National Vulnerability Database (NVD). By comparison, it is estimated NVD includes fewer than 10,000 identified open source vulnerabilities. The Open Source Analyzer database is continually updated with thousands of newly discovered vulnerabilities added each month.
  • Provides actionable remediation recommendations: Our offering combines information from nearly a dozen authoritative sources, including research from the IBM X-Force team, links to patches, specific source files and newer versions that fix issues.

Peace of Mind With Application Security Testing

Embarking on a program to test your open source exposure level is the easiest and fastest way to increase your application security posture — not to mention keep your name out of the press the next time that a cute attack (or an acute attack) threatens to tarnish your organization’s good name.

Our advice is to access our complimentary trial of IBM Application Security on Cloud featuring Open Source Analyzer today, and see for yourself how easy it is to obtain the peace of mind you desire.

Start a Free Trial of Application Security on Cloud Now

David Marshak
Senior Offering Manager, IBM

David Marshak focuses on IBM’s Application Security portfolio, including the AppScan product line, cloud offerings and partnerships with companies such as ...
read more