Open-source software: Why is it especially insecure today and how to protect yourself?

The number of cyberattacks targeting governmental and commercial organizations is growing every day. One of the serious threat vectors are open-source applications and libraries which modern development is hardly possible without. Since open-source projects are developed by enthusiasts and participating users, major vulnerabilities are often propagated in open-source libraries.

Dan Chernov, CTO of DerSecur, explained what pitfalls are inherent in open source and what developers and IS specialists should do to minimize cyber risks resulting from its use.

What is Open Source?

Open Source is software with source code that anyone can distribute and modify. This includes various custom programs, components, and libraries that developers use to create their projects.

Such software is released as public domain or under free licenses such as the GNU General Public License, BSD License, etc. Open-source solutions are often used even in the corporate world as a substitute for expensive commercial products. Open-source components can also be elements of other applications and information systems.

Zero Trust Open Source

In such cases, vulnerabilities are usually unintentional. However, in today’s world, free software with vulnerabilities can be distributed intentionally. Open-source projects are developed by enthusiasts and participating users, and no one guarantees the security of such software. Developers form communities, make edits, add new features, and fix bugs in the code. Under the guise of improving a library, attackers can themselves add a piece of code with a vulnerability to it. It is fairly easy to find out which companies and which popular applications use a particular open-source component. Developers share their experience on forums, in articles, in interviews, etc. As a result, attackers who embedded malicious code in free software know exactly who and how to attack. Risks that seemed unlikely yesterday are now becoming extremely high.

Further actions of the attackers depend on the pursued goals, such as theft of sensitive data or embedding encryption ransomware. In recent weeks, the number of cyberattacks has increased dramatically. Attackers hack into web resources and applications to post various appeals, spread fake news, etc. Cybercriminals can also add fragments of malicious code to open-source solutions to make media or government websites unavailable by means of DDoS attacks.

How can we protect ourselves?

Source code analysis for vulnerabilities as one of the elements of improving IT infrastructure security became important some time ago. Today, in an environment where open-source solutions can be very dangerous, scanning freely distributed libraries and applications is becoming a must.

The best option for companies that develop in-house software is to implement secure development processes. The central element of these processes must be an advanced code analyzer that supports a large number of programming languages and uses sophisticated and efficient algorithms to search for vulnerabilities and backdoors.

If your company uses open-source software or software with open-source components, it is important to check it with a reliable scanner on a regular basis. Ideally, it is a tool with an intuitive interface that does not require the user to have experience in software development. Most likely, the analyzer will be used not by a programmer but by a security team specialist, who needs comprehensive information on the threat level and recommendations on how to fix the vulnerabilities based on the results of scanning.

In both cases, it is important to minimize the number of false positives. If they are frequent, the use of the analysis tool will put a strain on both developers and information security specialists. The DerScanner static code analyzer uses the vendor’s patented Fuzzy Logic Engine technology to minimize false positives and missed vulnerabilities. It minimizes the number of false positives by using the mathematical apparatus of fuzzy logic and is technological know-how.

A streamlined process of obtaining up-to-date information about cyber threats from various sources makes it possible to respond to new vulnerabilities in a timely manner and promptly add new search rules to the code analysis tool.

Just as it is impossible to imagine the modern world without digital tools, so it is impossible to imagine the modern development of these tools without extensive use of Open Source. The key point is to consider the increased risks associated with freeware and free libraries and to use advanced software security solutions to find and fix vulnerabilities.