Microsoft’s announcement Monday that it is acquiring massive open source platform GitHub for $7.5 billion is expected to have little impact on reducing the sharp rise in open source vulnerabilities and improving their time to discovery. That’s not good news for governments as they increasingly embrace open source.
The open source community may not be taking rigorous ownership of its own security, an issue governments need to consider as they pass policies to allow the use of open source technology in their programs, applications and on their websites.
For example, 44 percent of open source maintainers surveyed acknowledged they have never conducted a security audit of their code, according to Snyk's 2017 State of Open Source Security report. The report is based on interviews with more than 500 open source maintainers and on data Snyk collected from 40,000 open source projects and from scanning millions of GitHub repositories and packages on registries.
Meanwhile, state and local governments are jumping onto open source for its ability to save software development time and overall costs, as well as potentially increase the capabilities and scope of the projects they may want to tackle.
In 2010, California officially permitted the use of Open Source Software (OSS) for application or software development, according to Manveer Bola, statewide technology policy chief for the California Department of Technology. California's Department of Technology has since announced policies on open source and code reuse.
How Bad is Bad?
Open source vulnerabilities in application libraries have risen sharply since 2012, soaring from less than 100,000 published vulnerabilities to approximately 900,000 in 2017. In Snyk’s test of over 430,000 sites, 77 percent were running at least one library with a known vulnerability, according to the report.
The median time between introducing a vulnerability into an application library and when it is publicly disclosed is 2.53 years, according to the report.
During that time, cyberattackers can take advantage of the situation and embed their malicious code into the library, gaining entry when a government agency imports that library while developing an application. For attackers, being baked into an application during development may offer easier access than breaking into the application after it has been built, security experts say.
“We believe hackers will continue to target vulnerable open source components as it requires less effort and results in more reward for them,” said Rami Sass, CEO of security firm WhiteSource. “This is true for all verticals, including government agencies who are becoming heavily reliant on open source projects. Vulnerabilities found in popular open source projects are a prime suspect as they can 'produce' the highest number of targets.”
Governments Weigh In on Open Source Security Protections
The state of California has not discovered malicious code purposely built into open source code at its own department level, according to Bola.
Each department is responsible for ensuring the open source software it uses complies with the software licensing management and security practices listed in the State Administrative Manual and the Statewide Information Management Manual, which call for a system development life cycle and system developer testing, both of which touch on secure coding practices, he added.
“We also know that several departments have additional departmentwide policies which cover secure code development,” said Bola. “As such, since it is state policy, we are hoping all entities are ensuring that open source code acquired from any library is tested and approved prior to incorporating into their applications.”
Getting The Word Out
Although cyberattackers have always exploited open source vulnerabilities, in the past 18 months they have ramped up the speed at which they react to public information on open source vulnerabilities, according to Sass.
Government agencies can take three steps to improve their open source security posture, Sass said. The first is to automate the open source management process and to listen to the open source community when it shares information, so that a vulnerability can be remediated quickly.
However, “the problem is that most software teams are not able to learn from issues reported and fixed by the community as the information is spread across many repositories and websites across the Web, and most sources are not indexed properly,” explained Sass.
Second, Sass suggests using software composition analysis tools for real-time notifications of security and quality issues. And lastly, he advises raising awareness among software engineers that they are the ones who will need to weigh the risks of using open source software before bringing it into their own applications.
This story was originally published by Techwire's sister publication, Government Technology.