The 2017 Equifax breach served as a major PSA of the growing size and scope of security vulnerabilities in open source — software components and applications. Despite many of them being “known,” these security flaws pose a potentially debilitating risk to enterprise security.
Due to its incredible value as an engine of innovation, open source has become an irreversible trend. More than 90% of all software either contains open source components or is comprised completely of open source. It exists in operating systems, productivity software, and administration and development tools — and in code libraries that companies and third-party software vendors use to build their software. Today, it would be a challenge to find commercial or off-the-shelf software without open source components.
Open source in IoT
The continuously expanding IoT space is no exception to the widespread open source integration. In fact, Embedded Linux is the number one IoT operating system. Linux and adjacent open source components are used in operating systems, network platforms, applications and IoT firmware. This trend will only continue to grow because by using open source, developers in this segment and beyond can lower assembly costs and quickly add innovations — saving months or years of originally required development time.
Whether software code is proprietary or open source, it harbors security vulnerabilities. Supporters of open source argue that the accessibility and transparency of the code allow the “good guys” — corporate quality assurance teams, white hat hackers and open source project groups — to find bugs faster.
On the other hand, critics contend that more attackers than defenders examine the code, resulting in a net effect of higher incidents of vulnerability exploits. Whichever the case, the open source community is very good at addressing vulnerability issues. Once security risks are discovered, the community will quickly catalogue and provide patches for these vulnerabilities.
Growth of number and scope of open source software vulnerabilities
Despite its already staggering adoption rate, more open source code is being developed and shared than ever before. The Linux Foundation estimates that more than 31 billion lines of code have been committed to open source repositories. But accompanying this increase in the number of developed and shared lines of code is the increase in the number of reported vulnerabilities.
Three ways vulnerabilities are expanding dynamically
The number of vulnerabilities reported is on the rise. More code development inherently means more inadvertently created security vulnerabilities. The U.S. government has been tracking this issue as well, through its sponsorship of the Common Vulnerability and Exposure (CVE) list and the National Vulnerability Database (NVD). In 2017, the CVE list reported more than 8,000 newly added vulnerabilities. This was a new record.
Further complicating matters is the fact that good open source code can be used in many different ways — across a spectrum of different kinds of applications. However, when a “good” piece of open source code contains a security flaw, the potentially large number of platforms and software applications that have integrated the code become vulnerable to hacking.
Compounding this issue is the likelihood that known security vulnerabilities will hide in the code. Consequently, users are unaware that within their code rest security threats awaiting hacker attacks. So, how are these known vulnerabilities able to hide in and pervade applications, platforms and devices that use open source?
While updated versions of open source components are available without security vulnerabilities, in-house software development teams and third-party developers will be hard-pressed to effectively track all open source software components in their internally developed and externally sourced code.
These challenges are partly due to the software development and procurement model, whereby development teams often receive third-party software in binary format.
Understand your code
Development, security and software provisioning teams can use binary code scanners that utilize code fingerprinting. These tools extract “fingerprints” from a binary to be examined and then compare them to the fingerprints collected from open source components hosted in well-known, open source repositories. Once a component and its version are identified through this fingerprint matching, development and security teams can easily find known security vulnerabilities associated with the component from vulnerability databases, like the NVD.
Make the time to address the vulnerabilities
As engineering teams develop new versions of software, they are alerted to potential security vulnerabilities that need to be patched. Unfortunately, the software development industry has demonstrated a tendency to give vulnerability patching a very low priority. This lack of urgency may push patches to a later software version, with very infrequent real-time patch administration. This model results in known security vulnerabilities going unpatched for significant periods of time, further exacerbating a company’s vulnerability.
Open source adoption has and will continue to generate amazing innovations. However, the growing number of security vulnerabilities in the code could impede its rate of adoption and innovation. Software developers, distributors and users can neutralize the threats posed by these vulnerabilities by understanding their code, finding the flaws and proactively taking the steps to address them.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.