You can also read and share this article in French, German and Spanish.

Cute Attacks With Acute Impact on Your Application Security Testing Effectiveness

Here we go again: Another attack with a cute name is about to make the news. More dangerous than a Ghost, a POODLE, a FREAK, a Heartbleed, a Shellshock or the other 6,000-plus attacks that show up each year, we know at least two things about it:

  1. It will probably attack through a vulnerable open source component.
  2. It is highly likely you’ll find the open source component in your apps.

Addressing the Open Source Challenge

Should you stop your developers from using open source? You can’t — at least if you want them to be productive. In fact, more and more software is reliant on open source components than ever before. The Forrester report titled “Secure Applications at the Speed of DevOps” states that “approximately 80 to 90 percent of the code in modern applications is from open source components.”

Clearly, open source is here to stay. To protect yourself, you must proactively test your code to assure that you don’t have vulnerable libraries. And since it’s extremely likely that your organization is vulnerable in some fashion, you should focus on two specific success factors.

Success Factor One: Integrate Open Source Testing Into DevOps

The single most important thing you can do is be aware of the open source packages that your developers use, and specifically which ones have vulnerabilities that can be exploited. It is critical that this review be performed as early in the development cycle as possible and that it be done continuously, since threats are constantly changing.

Forrester specifically recommended the following: “Insert a software composition analysis (SCA) tool as early in the SDLC as possible and continue to scan applications, including older applications with inconsistent or long release cycles, to ferret out newly discovered vulnerabilities.” The best way to do this is to integrate open source discovery directly into the application security testing that you are already doing — making it an essential part of your DevOps strategy.

IBM has made this process easy and transparent. With introduction of IBM Application Security Open Source Analyzer, part of IBM Application Security on Cloud, identifying open source components occurs automatically during static application security testing (SAST). These components are matched against a list of known vulnerabilities and results are returned. The results are not only actionable, but they also include specific remediation recommendations such as substituting more recent versions of the components. Results are directly integrated into reports that contain identification and remediation of vulnerabilities found in your custom code, creating a seamless adoption and use model that best enables your success.

Figure 2: Open source vulnerabilities (shown in purple) appear as Fix Groups within the scan report. For more on Application Security on Cloud Fix Groups, consult our IFA blog.

Figure 3: Clicking on the Fix Group shows vulnerability types (in this case, open source CVE), descriptions and links to recommended fixes.

Success Factor Two: Use the Most Reliable Source to Detect Open Source Vulnerabilities

Of course, no matter how seamless the integration is, it boils down to the quality of your testing results. Quality depends on a number of factors — most notably the completeness, breadth, depth and currency of known vulnerabilities and remediation recommendations.


IBM Application Security Open Source Analyzer is able to generate a comprehensive set of open source packages for evaluation by analyzing the file level during application code analysis. Those files are then compared with known open source vulnerabilities and vulnerable ones are identified, along with specific remediation advice.

The quality of IBM Application Security Open Source Analyzer data is differentiated in several important ways. The solution:

  • Supports a large number of languages: Open Source Analyzer does not merely work on a small set of languages like other solutions do. It supports a very large set, including Java, .NET, JavaScript, PHP, Node.JS, C/C++, Ruby, Python, ObjectiveC, SWIFT, Go, Scala, Clojure, Groovy, Android, Perl and Pascal.
  • Identifies a huge set of open source libraries: Across these languages, Open Source Analyzer understands more than 3.5 million binary components and nearly a half billion nonbinary source libraries.
  • Leverages a database of more than 230,000 vulnerabilities from public and private sources: IBM Application Security Open Source Analyzer has access to 12 different sources, in addition to the commonly used National Vulnerability Database (NVD). By comparison, it is estimated NVD includes fewer than 10,000 identified open source vulnerabilities. The Open Source Analyzer database is continually updated with thousands of newly discovered vulnerabilities added each month.
  • Provides actionable remediation recommendations: Our offering combines information from nearly a dozen authoritative sources, including research from the IBM X-Force team, links to patches, specific source files and newer versions that fix issues.

Peace of Mind With Application Security Testing

Embarking on a program to test your open source exposure level is the easiest and fastest way to increase your application security posture — not to mention keep your name out of the press the next time that a cute attack (or an acute attack) threatens to tarnish your organization’s good name.

Our advice is to access our complimentary trial of IBM Application Security on Cloud featuring Open Source Analyzer today, and see for yourself how easy it is to obtain the peace of mind you desire.

Start a Free Trial of Application Security on Cloud Now

More from Application Security

Gozi strikes again, targeting banks, cryptocurrency and more

3 min read - In the world of cybercrime, malware plays a prominent role. One such malware, Gozi, emerged in 2006 as Gozi CRM, also known as CRM or Papras. Initially offered as a crime-as-a-service (CaaS) platform called 76Service, Gozi quickly gained notoriety for its advanced capabilities. Over time, Gozi underwent a significant transformation and became associated with other malware strains, such as Ursnif (Snifula) and Vawtrak/Neverquest. Now, in a recent campaign, Gozi has set its sights on banks, financial services and cryptocurrency platforms,…

Vulnerability management, its impact and threat modeling methodologies

7 min read - Vulnerability management is a security practice designed to avoid events that could potentially harm an organization. It is a regular ongoing process that identifies, assesses, and manages vulnerabilities across all the components of an IT ecosystem. Cybersecurity is one of the major priorities many organizations struggle to stay on top of. There is a huge increase in the number of cyberattacks carried out by cybercriminals to steal valuable information from businesses. Hence to encounter these attacks, organizations are now focusing…

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

Unmasking hypnotized AI: The hidden risks of large language models

11 min read - The emergence of Large Language Models (LLMs) is redefining how cybersecurity teams and cybercriminals operate. As security teams leverage the capabilities of generative AI to bring more simplicity and speed into their operations, it's important we recognize that cybercriminals are seeking the same benefits. LLMs are a new type of attack surface poised to make certain types of attacks easier, more cost-effective, and even more persistent. In a bid to explore security risks posed by these innovations, we attempted to…